https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2796
Summary: [PATCH] Ensure that get_dns_name does not cross packet sub boundary
Product: Wireshark
Version: 1.0.2
Platform: PC
OS/Version: NetBSD
Status: NEW
Severity: Major
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: roy@xxxxxxxxxxxx
Depends on: 2781
Created an attachment (id=2150)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=2150)
Add max_len to get_dns_name
Build Information:
# wireshark -v
wireshark 1.0.2
Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.12.10, with GLib 2.16.3, with libpcap 0.9.4, with libz
1.2.3, without POSIX capabilities, with libpcre 7.7, with SMI 0.4.5, without
ADNS, without Lua, with GnuTLS 2.2.5, with Gcrypt 1.4.1, with Heimdal Kerberos,
without PortAudio, without AirPcap.
Running on NetBSD 4.99.70, with libpcap version 0.9.4.
Built using gcc 4.1.3 20080202 prerelease (NetBSD nb1 20080202).
--
get_dns_name in packet-dns.c currently decodes a packet from a given offset
until it's terminated or reaches the end of the packet.
This is not good enough for reading DHCP messages as we should only operate
from the offset until a given point (end of the DHCP option). We cannot use
data after this point as it would be invalid.
Implementation note:
The first bounds check just breaks out - treats max len reached the same as end
of packet reached. This is important as some DHCP messages do not terminate the
encoded DNS name.
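The bounded decode described in the report, as an added example that is not the attached patch and not Wireshark code: bounded_dns_name and the sample bytes are hypothetical and constructed, and only uncompressed labels are handled (a compression pointer simply ends decoding).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: TLV code byte, length 8, an unterminated name
 * "\3foo\3bar", then 5 bytes ("\3baz\0") that belong to whatever follows. */
static const uint8_t sample[] = { 119, 8, 3,'f','o','o', 3,'b','a','r',
                                  3,'b','a','z', 0 };

/* Hypothetical helper (not Wireshark's get_dns_name): decode uncompressed
 * labels from pkt[off], never reading at or past off + max_len.
 * Returns bytes consumed; *terminated is 1 only if the root label was seen. */
size_t bounded_dns_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                        size_t max_len, char *out, size_t out_sz,
                        int *terminated)
{
    size_t end, pos = off, o = 0;

    *terminated = 0;
    if (out_sz == 0 || off > pkt_len)
        return 0;
    /* Clamp the window to the packet without overflowing off + max_len. */
    end = (max_len <= pkt_len - off) ? off + max_len : pkt_len;
    while (pos < end) {
        size_t len = pkt[pos], n;
        if (len == 0) {              /* root label: name is complete */
            pos++;
            *terminated = 1;
            break;
        }
        if ((len & 0xC0) != 0)       /* compression pointer: not handled here */
            break;
        if (len > end - pos - 1)     /* label would cross the bound: stop, */
            break;                   /* exactly as if the packet ended here */
        pos++;
        if (o != 0 && o + 1 < out_sz)
            out[o++] = '.';
        n = (len > out_sz - 1 - o) ? out_sz - 1 - o : len;
        memcpy(out + o, pkt + pos, n);   /* truncate output, not input */
        o += n;
        pos += len;
    }
    out[o] = '\0';
    return pos - off;
}
```

With max_len set to the option length (8) the sample decodes to "foo.bar" and stops unterminated; with the bound widened to the rest of the packet the same call runs on into the following bytes and returns "foo.bar.baz".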