https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3271
Summary: Crash in ASN.1 dissector when using 'type table'
Product: Wireshark
Version: 1.0.6
Platform: PC
OS/Version: Fedora
Status: NEW
Severity: Major
Priority: Medium
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: rwgroenenberg@xxxxxxxxx
Robert Groenenberg <rwgroenenberg@xxxxxxxxx> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2766| |review_for_checkin?
Flag| |
Created an attachment (id=2766)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=2766)
Patch to correct out-of-bound strncpy()
Build Information:
wireshark 1.0.6
Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.12.12, with GLib 2.16.6, with libpcap 0.9.8, with libz
1.2.3, with POSIX capabilities (Linux), without libpcre, without SMI, without
ADNS, without Lua, without GnuTLS, without Gcrypt, with MIT Kerberos, without
PortAudio, without AirPcap.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.
Running on Linux 2.6.27.12-78.2.8.fc9.i686, with libpcap version 0.9.8.
Built using gcc 4.3.0 20080428 (Red Hat 4.3.0-8).
--
As of version 0.99.8, there has been an annoying problem in the ASN.1
dissector: when using a 'type table' which discribes the ASN.1 syntax of the
traced packets, wireshark would crash on the very first packet.
The cause for the crash is an out-of-boundry write, detected by g_free().
*** glibc detected ***
/home/robert/src/wireshark/wireshark-1.0.6/.libs/lt-wireshark: free(): invalid
next size (fast): 0x097f1a50 ***
Part of the stack in gdb:
#18 0x005e7028 in abort () from /lib/libc.so.6
#19 0x0062264d in __libc_message () from /lib/libc.so.6
#20 0x00628874 in malloc_printerr () from /lib/libc.so.6
#21 0x0062a8d6 in free () from /lib/libc.so.6
#22 0x056890f6 in g_free () from /lib/libglib-2.0.so.0
#23 0x008b8bfb in decode_asn1_sequence (tvb=0x95f1e90, offset=<value optimized
out>, tlen=4, pt=0x0, level=2) at packet-asn1.c:1186
#24 0x008b8301 in decode_asn1_sequence (tvb=0x95f1e90, offset=16, tlen=75,
pt=0x0, level=1) at packet-asn1.c:1670
#25 0x008ba96b in dissect_asn1 (tvb=0x95f1e90, pinfo=0x9624bf0, tree=0x0) at
packet-asn1.c:892
The problem is in showoctets() in
plugins/asn1/packet-asn1.c :
if (dohex) {
str = p = g_malloc(len*2 + 5);
for (i=0; i<len; i++) {
p += sprintf(p, "%2.2X", octets[i]);
}
--> strncpy(p, endstr, len*2 + 5);
} else {
the max length given to strncpy() does not take into account the space already
used by sprint(), causing the strncpy to exceed the allocted buffer.
After correcting this (see patch), it works fine again.
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.