https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7729
Alexander Koeppe <format_c@xxxxxxxxx> changed:
What | Removed | Added
----------------------------------------------------------------------------
Attachment #9160 is obsolete | 0 | 1
--- Comment #11 from Alexander Koeppe <format_c@xxxxxxxxx> 2012-09-22 04:05:16 PDT ---
Created attachment 9201
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9201
Secured patch implementing RFC2428 support
Hi,
thanks for pointing me to the weaknesses.
I have now included a number of additional checks which prevent the code from
crashing.
> I suppose it's related to
>
> for (e = p + linelen;e != NULL && e > p && *e != '\n' && *e != '\r';e--)
Obviously this code wasn't responsible for the crashes.
> Or could you assume that the parameter you parse in parse_eprt_request() always
> starts with the delimiter so you don't have to search for the last character of
> the line?
I reread carefully the RFC and you're right. Conforming EPRT commands start
with the delimiter as the first character following the command (followed by a
<space>). So the above code went off anyway.
The reason for the crash was that the IPv6 address had 8 words filled but a ::
also. The code to fill the gap when :: was detected wasn't properly secured.
I have now inserted quite a number of security checks, so the code should now be
stable.
I then checked the code by intentionally malforming the IP address.
The following malformed IPv6 addresses have been tested:
* 2001:abd:asdfgh:2 results in 2001:abd:adf:2::
* 2001::12234b::3 results in 2001:234b::3
* 2001:asdc::bcdeee:1234::asbe:1234:8766:acdedev:cder results in
2001:adc:deee:1234:abe:1234:8766:dede
* abnb.asdflkh/adujbghas:8hnvbgt:fhgasd-asdk7654 results in adba:8b:7654::
* abnsdggtf-asdjhgasd.asdztzgbbjg686asdfadf544f results in 544f::
* zzzzzzzzzzzzzzzzzzzzzzzzz results in ::
I aborted fuzz testing with an error probability of 30% after the 300th run
without a crash.
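A hardened parser for the IPv6 address carried in an EPRT argument, added here as an illustration of the bounds problem the comment describes (an address with all eight groups filled that also contains "::"); this is not the attached patch nor Wireshark's own dissector code, and the function names, the eight-word output format and the choice to reject malformed input outright rather than repair it are assumptions of this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Parse the textual IPv6 address from an EPRT "|2|<addr>|<port>|" argument
 * into eight 16-bit words. Returns 1 on success, 0 on malformed input.
 * Groups before and after "::" are collected into separate buffers, so a
 * "::" seen after all eight groups are already filled is rejected instead
 * of triggering a gap fill that would write past the array. */
int parse_ipv6_words(const char *s, size_t len, uint16_t out[8])
{
    uint16_t head[8] = {0}, tail[8] = {0};
    int nhead = 0, ntail = 0, gap = 0;
    size_t i = 0;

    memset(out, 0, 8 * sizeof out[0]);
    if (len >= 2 && s[0] == ':' && s[1] == ':') { gap = 1; i = 2; } /* leading "::" */
    else if (len == 0 || s[0] == ':') return 0;                   /* leading single ':' */

    while (i < len) {
        unsigned v = 0;
        int nd = 0;
        while (i < len && nd < 4 && isxdigit((unsigned char)s[i])) {
            int c = tolower((unsigned char)s[i]);
            v = v * 16 + (unsigned)(isdigit(c) ? c - '0' : c - 'a' + 10);
            i++; nd++;
        }
        if (nd == 0 || (i < len && s[i] != ':')) return 0; /* bad char or >4 digits */
        if (nhead + ntail >= 8) return 0;                  /* ninth group: bounds check */
        if (gap) tail[ntail++] = (uint16_t)v; else head[nhead++] = (uint16_t)v;
        if (i == len) break;
        i++;                                               /* consume ':' */
        if (i < len && s[i] == ':') {                      /* "::" */
            if (gap) return 0;                             /* second gap is invalid */
            gap = 1; i++;
        } else if (i == len) return 0;                     /* trailing single ':' */
    }
    /* "::" must stand for at least one zero group; without it all 8 are required */
    if (gap ? nhead + ntail > 7 : nhead + ntail != 8) return 0;
    memcpy(out, head, (size_t)nhead * sizeof out[0]);
    memcpy(out + 8 - ntail, tail, (size_t)ntail * sizeof out[0]);
    return 1;
}

/* Convenience wrapper for NUL-terminated strings. */
int parse_ipv6_str(const char *s, uint16_t out[8])
{
    return parse_ipv6_words(s, strlen(s), out);
}
```

The malformed inputs listed above all return 0 here, and the crash case "1:2:3:4:5:6:7:8::" is refused without any gap fill being attempted.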