Bug ID:         8449
Summary:        (Untriggerable) memory corruption in packet-sqloracle.c
Classification: Unclassified
Product:        Wireshark
Version:        SVN
Hardware:       x86
OS:             All
Status:         UNCONFIRMED
Severity:       Minor
Priority:       Low
Component:      Capture file support (libwiretap)
Assignee:       [email protected]
Reporter:       [email protected]

        
        Build Information:
--
File: packet-sqloracle.c
Untriggerable memory corruption.
This dissector is not currently enabled. That turns this into a relatively
harmless bug. It would otherwise be a memory corruption bug.
I am reporting this in the event that this code becomes enabled in the future.
The vulnerability is caused by a tvb_memcpy of all data in a tvbuffer into a
fixed-size buffer stored on the stack. Packets larger than 1024 bytes will
trigger the buffer overflow.

dissect_sqloracle
    ...
    header_operation = tvb_get_guint8(tvb, offset);
    dataLen = tvb_reported_length_remaining(tvb, offset);
    if (header_operation != NET8_TYPE_FUNCCOMPLETE)
        func_type = tvb_get_guint8(tvb, offset+1);
    ...
    switch (header_operation)
    {
        case NET8_TYPE_USERTOSERVER: /* 0x3 */
            ...
            switch (func_type)
            {
                case NET8_USER_FUNC_PARSE:
                    ParseCommand(sqloracle_tree, tvb, offset+0x0B, pinfo, dataLen-0x0B);
                ...
            }
        ...
    }

static gboolean ParseCommand(..., UI16_T dataLen)
{
    UI8_T pAddress[1024];
    UI16_T SQLDataLen = dataLen;
    int i;
    for (i=0; i<1024; i++)
    {
        pAddress[i] = '\0';
    }
    tvb_memcpy(tvb, pAddress, offset, dataLen);
    ....
}
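The following is an added example, not code from the report or from Wireshark, modelling the pattern the report describes: the whole remaining payload is tvb_memcpy'd into a 1024-byte stack buffer. It is self-contained, so the tvb_t struct and every function name in it (tvb_remaining, vulnerable_overflow_bytes, parse_command_safe, demo_safe_parse) are stand-ins chosen to mirror the posted snippet, not libwireshark's real tvbuff_t API. Besides computing how far the original copy would run past the buffer, it shows one thing visible in the posted code but not called out in the report: the caller passes dataLen-0x0B into a UI16_T parameter, so a packet with fewer than 0x0B bytes remaining also produces a huge copy length after truncation. The hardened function beside it checks both ends before copying.

```c
/* Added example, not Wireshark code: a self-contained model of the pattern
 * the report describes (tvb_memcpy of the whole remaining payload into a
 * 1024-byte stack buffer). The tvb_t struct and every function name below
 * are assumptions standing in for libwireshark's tvbuff_t and its API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const uint8_t *data;   /* packet bytes */
    size_t len;            /* reported length */
} tvb_t;                   /* stand-in for tvbuff_t */

#define PARSE_BUF_SIZE 1024  /* UI8_T pAddress[1024] in the posted snippet */
#define NET8_PARSE_HDR 0x0B  /* the 0x0B the caller skips before ParseCommand */

/* Mirror of tvb_reported_length_remaining(): bytes from offset to the end,
 * or -1 if offset is past the end. */
static int tvb_remaining(const tvb_t *tvb, size_t offset)
{
    return offset <= tvb->len ? (int)(tvb->len - offset) : -1;
}

/* Length the original code hands to tvb_memcpy: the caller passes
 * (dataLen - 0x0B) into a UI16_T parameter, so the value is truncated to
 * 16 bits and wraps to a large number when fewer than 0x0B bytes remain.
 * Returns how many bytes that copy would write past pAddress[1024]. */
static size_t vulnerable_overflow_bytes(int remaining)
{
    uint16_t sql_len = (uint16_t)(remaining - NET8_PARSE_HDR);
    return sql_len > PARSE_BUF_SIZE ? (size_t)sql_len - PARSE_BUF_SIZE : 0;
}

/* Hardened counterpart of ParseCommand: checks the length against the bytes
 * actually present and against the destination before copying, and keeps
 * one byte for a NUL terminator so the copy can be used as a C string.
 * Returns the number of payload bytes copied, or -1 for a packet that is
 * too short (would wrap the UI16_T) or too long (would overflow the buffer). */
static int parse_command_safe(const tvb_t *tvb, size_t offset,
                              uint8_t *out, size_t out_size)
{
    int remaining = tvb_remaining(tvb, offset);
    if (remaining < NET8_PARSE_HDR)
        return -1;
    size_t data_len = (size_t)remaining - NET8_PARSE_HDR;
    if (out_size == 0 || data_len > out_size - 1)
        return -1;
    memset(out, 0, out_size);
    memcpy(out, tvb->data + offset + NET8_PARSE_HDR, data_len);
    return (int)data_len;
}

/* Builds a constructed packet of packet_len 'A' bytes (sample input, not a
 * real Net8 capture) and runs the hardened parser over it from offset 0. */
static int demo_safe_parse(size_t packet_len)
{
    static uint8_t packet[4096];
    uint8_t address[PARSE_BUF_SIZE];
    if (packet_len > sizeof packet)
        return -1;
    memset(packet, 'A', packet_len);
    tvb_t tvb = { packet, packet_len };
    return parse_command_safe(&tvb, 0, address, sizeof address);
}

int main(void)
{
    size_t lens[] = { 5, 40, 1034, 1035, 1100 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int remaining = (int)lens[i];
        printf("packet %4zu bytes: original would spill %5zu bytes past the buffer, "
               "hardened parse returns %d\n",
               lens[i], vulnerable_overflow_bytes(remaining), demo_safe_parse(lens[i]));
    }
    return 0;
}
```

Because the caller subtracts 0x0B before the call, the copy only exceeds the 1024-byte buffer once more than 1035 bytes remain at offset, and a packet with fewer than 11 bytes remaining wraps the 16-bit length instead. In a real dissector the equivalent fix is to bound the copy length against the destination (or to work from a pointer into the tvbuff rather than a stack copy) and to flag over-long or truncated packets rather than silently truncating them.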