Wireshark-bugs: [Wireshark-bugs] [Bug 7729] Full support of RFC2428 in FTP dissector

Date: Sat, 22 Sep 2012 04:05:20 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7729

Alexander Koeppe <format_c@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #9160|0                           |1
        is obsolete|                            |

--- Comment #11 from Alexander Koeppe <format_c@xxxxxxxxx> 2012-09-22 04:05:16 PDT ---
Created attachment 9201
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9201
Secured patch implementing RFC2428 support

Hi,

thanks for point me to the weaknesses.
I included now a number of additional checks which prevents the code now from
crashing.

> I suppose it's related to
> 
> for (e = p + linelen;e != NULL && e > p && *e != '\n' && *e != '\r';e--)         

Obviously this code wasn't responsible for the crashes.

> Or could you assume that the parameter you parse in parse_eprt_request() always
> starts with the delimiter so you don't have to search for the last character of
> the line?

I reread carefully the RFC and you're right. Conforming EPRT commands start
with the delimiter as the first character following the command (followed by a
<space>). So the above code went off anyway.

The reason for the crash was that the IPv6 address had 8 words filled but a ::
also. The code to fill the gap when :: was detected wasn't properly secured. 

I inserted now quite a number of security checks that the code should now be
stable. 

I checked then code by intentionnally malform the IP address.
The following malformed IPv6 addresses have been tested:

* 2001:abd:asdfgh:2 results in 2001:abd:adf:2::
* 2001::12234b::3 results in 2001:234b::3
* 2001:asdc::bcdeee:1234::asbe:1234:8766:acdedev:cder results in
2001:adc:deee:1234:abe:1234:8766:dede
* abnb.asdflkh/adujbghas:8hnvbgt:fhgasd-asdk7654 results in adba:8b:7654::
* abnsdggtf-asdjhgasd.asdztzgbbjg686asdfadf544f results in 544f::
* zzzzzzzzzzzzzzzzzzzzzzzzz results in ::

I aborted fuzztesting with a error propability of 30% after the 300'th run
without a crash.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.