Wireshark-bugs: [Wireshark-bugs] [Bug 8175] New: wslua TvbRange:le_ustring/ustring buffer overfl

Date: Tue, 08 Jan 2013 19:26:40 +0000
Bug ID 8175
Summary wslua TvbRange:le_ustring/ustring buffer overflow's
Classification Unclassified
Product Wireshark
Version SVN
Hardware All
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Wireshark
Assignee [email protected]
Reporter [email protected]

Created attachment 9782 [details]
Patch against SVN r46996

Build Information:
Version 1.8.4 (SVN Rev 46250 from /trunk-1.8)

Copyright 1998-2012 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.24.10, with Cairo 1.10.2, with Pango 1.30.0, with
GLib 2.32.2, with WinPcap (4_1_2), with libz 1.2.5, without POSIX capabilities,
with SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS
2.12.18, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio
V19-devel (built Nov 28 2012), with AirPcap.

Running on 32-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.12.18, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 10.0 build 40219
--
The length that is passed to lua_pushlstring in TvbRange_ustring_any() is the
length of the TvbRange that is passed in, that's wrong as the call to
tvb_get_ephemeral_unicode_string will convert the UTF-16 string to UTF-8 which
means it's actual length is shorter than the length of the TvbRange.

Included is a patch that should fix this.

Test case:
wslua:
local p_proto = Proto("test", "Test")

function p_proto.dissector(buf, pkt, root)
    local str = buf():le_ustring()
    print(#str, str, ';')
end

local tcp_table = DissectorTable.get("tcp.port")
tcp_table:add(12345, p_proto)

Python:
import socket
s = socket.socket()
s.connect(('127.0.0.1', 12345))
s.sendall("Test".encode("utf-16-le"))


You are receiving this mail because:
  • You are watching all bug changes.