Wireshark-bugs: [Wireshark-bugs] [Bug 3271] New: Crash in ASN.1 dissector when using 'type table

Date: Sat, 21 Feb 2009 09:32:40 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3271

           Summary: Crash in ASN.1 dissector when using 'type table'
           Product: Wireshark
           Version: 1.0.6
          Platform: PC
        OS/Version: Fedora
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: rwgroenenberg@xxxxxxxxx



Robert Groenenberg <rwgroenenberg@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2766|                            |review_for_checkin?
               Flag|                            |


Created an attachment (id=2766)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=2766)
Patch to correct out-of-bound strncpy()

Build Information:
wireshark 1.0.6

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.12, with GLib 2.16.6, with libpcap 0.9.8, with libz
1.2.3, with POSIX capabilities (Linux), without libpcre, without SMI, without
ADNS, without Lua, without GnuTLS, without Gcrypt, with MIT Kerberos, without
PortAudio, without AirPcap.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.

Running on Linux 2.6.27.12-78.2.8.fc9.i686, with libpcap version 0.9.8.

Built using gcc 4.3.0 20080428 (Red Hat 4.3.0-8).

--
As of version 0.99.8, there has been an annoying problem in the ASN.1
dissector: when using a 'type table' which discribes the ASN.1 syntax of the
traced packets, wireshark would crash on the very first packet.
The cause for the crash is an out-of-boundry write, detected by g_free().

*** glibc detected ***
/home/robert/src/wireshark/wireshark-1.0.6/.libs/lt-wireshark: free(): invalid
next size (fast): 0x097f1a50 ***

Part of the stack in gdb:
#18 0x005e7028 in abort () from /lib/libc.so.6
#19 0x0062264d in __libc_message () from /lib/libc.so.6
#20 0x00628874 in malloc_printerr () from /lib/libc.so.6
#21 0x0062a8d6 in free () from /lib/libc.so.6
#22 0x056890f6 in g_free () from /lib/libglib-2.0.so.0
#23 0x008b8bfb in decode_asn1_sequence (tvb=0x95f1e90, offset=<value optimized
out>, tlen=4, pt=0x0, level=2) at packet-asn1.c:1186
#24 0x008b8301 in decode_asn1_sequence (tvb=0x95f1e90, offset=16, tlen=75,
pt=0x0, level=1) at packet-asn1.c:1670
#25 0x008ba96b in dissect_asn1 (tvb=0x95f1e90, pinfo=0x9624bf0, tree=0x0) at
packet-asn1.c:892

The problem is in showoctets() in 
plugins/asn1/packet-asn1.c :

                if (dohex) {
                        str = p = g_malloc(len*2 + 5);
                        for (i=0; i<len; i++) {
                                p += sprintf(p, "%2.2X", octets[i]);
                        }
-->                     strncpy(p, endstr, len*2 + 5);
                } else {

the max length given to strncpy() does not take into account the space already
used by sprint(), causing the strncpy to exceed the allocted buffer.

After correcting this (see patch), it works fine again.


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.