Ethereal-dev: Re: [ethereal-dev] packet-netbios bug

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jeff Jahr <jjahr@xxxxxxxxxxxxxx>
Date: Tue, 24 Aug 1999 15:29:37 -0700 (PDT)
yeah, it crashes.  The problem is that get_netbios_name( pd, nb_offset,
name_str) in line 210 of packet-netbios.c is setting name_type to 35,
which appears to be outside of the bounds of name_type_str[] referenced in
the proto_tree_add_text call on line 215.  

i.e. get_netbios_name walked off the end of name_type_str[], returning 35
instead of its max value of 34.

Both tree and label resolve in my gdb session:
(gdb) print name_type
$8 = 35
(gdb) print nb_name_type_max
$9 = 35
(gdb) print name_type_str[name_type]
$10 = 0x23 <Address 0x23 out of bounds>
(gdb) print name_type_str[34]
$11 = 0x809a8c3 "Unknown"
(gdb) print tree
$12 = (proto_tree *) 0x81195ac
(gdb) print label
$13 = 0x809ab0e "Sender's Name"
(gdb) 


-jsj


On Tue, 24 Aug 1999, Gilbert Ramirez wrote:

> I get a segfault when trying to decode this file. I get this stack
> trace, but I'm having a very strange debug session. When I go to stack
> frame 4, I try to print the values for tree and label and I get 0x0 for both.
> But both have non-zero values... look at the function call in the trace below.
> 
> Perhaps the function's arguments are getting corrupt in the stack.
> 
> Anyway, I wanted to know if others get segfaults with this trace file.
> I'm using gcc-2.95 on Linux 2.2.12-pre7, so it could possibly be a bug
> with gcc. But I have high hopes that it's an Ethereal problem and not a
> compiler bug.
> 
> --gilbert
> 
> #0  0x402adfea in _IO_vfprintf (s=0xbfffe8e8, format=0x80a8132 "%s: %s (%s)", ap=0xbfffea6c) at vfprintf.c:1248
> #1  0x402bad16 in _IO_vsnprintf (string=0x8158140 "Sender's Name:  ( 01", maxlen=240, format=0x80a8132 "%s: %s (%s)", 
>     args=0xbfffea60) at vsnprintf.c:129
> #2  0x808af97 in proto_tree_add_item_value (tree=0x8146bcc, hfindex=137, start=45, length=16, include_format=1, 
>     visible=1, ap=0xbfffea5c) at proto.c:425
> #3  0x808ae2d in proto_tree_add_text (tree=0x8146bcc, start=45, length=16) at proto.c:327
> #4  0x8074538 in netbios_add_name (label=0x80a82f4 "Sender's Name", pd=0x8147491 ",", offset=17, nb_offset=28, 
>     tree=0x8146bcc) at packet-netbios.c:215
> #5  0x8074c78 in dissect_netb_datagram (data_ptr=0x8147491 ",", offset=17, fd=0x81544b0, tree=0x8146bcc)
>     at packet-netbios.c:511
> #6  0x8074f5b in dissect_netbios (pd=0x8147480 "\003", offset=17, fd=0x81544b0, tree=0x8146938)
>     at packet-netbios.c:666
> #7  0x8071849 in dissect_llc (pd=0x8147480 "\003", offset=14, fd=0x81544b0, tree=0x8146938) at packet-llc.c:301
> #8  0x8069172 in dissect_eth (pd=0x8147480 "\003", offset=0, fd=0x81544b0, tree=0x8146938) at packet-eth.c:194
> #9  0x8088612 in dissect_packet (pd=0x8147480 "\003", fd=0x81544b0, tree=0x8146938) at packet.c:658
> #10 0x8061fbd in add_packet_to_packet_list (fdata=0x81544b0, cf=0x80c9e60, buf=0x8147480 "\003") at file.c:479
> #11 0x80623d4 in wtap_dispatch_cb (user=0x80c9e60 "?s\024\b`\177\024\b\fo\004", phdr=0x8147170, offset=12064, 
>     buf=0x8147480 "\003") at file.c:635
> #12 0x809222f in wtap_loop (wth=0x8147160, count=0, callback=0x80622dc <wtap_dispatch_cb>, 
>     user=0x80c9e60 "?s\024\b`\177\024\b\fo\004", err=0xbfffed04) at wtap.c:172
> #13 0x8061787 in read_cap_file (cf=0x80c9e60) at file.c:217
> #14 0x8061085 in main (argc=4, argv=0xbffffa04) at ethereal.c:1462
> #15 0x4027fcb3 in __libc_start_main (main=0x805fd88 <main>, argc=4, argv=0xbffffa04, init=0x80526e0 <_init>, 
>     fini=0x8099b04 <_fini>, rtld_fini=0x4000a350 <_dl_fini>, stack_end=0xbffff9fc)
>     at ../sysdeps/generic/libc-start.c:78
> 
> 
>
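The off-by-one Jeff describes, as an added C illustration that is not Ethereal's code: a constructed, abbreviated stand-in for name_type_str[] whose clamp bound is derived from the table itself, beside the failing pattern. The buggy variant assumes the original compared the raw type against nb_name_type_max with `>`; the actual condition in packet-netbios.c is not shown on this page.

```c
#include <stddef.h>
#include <string.h>

/* Constructed, abbreviated stand-in for the name_type_str[] table in
 * packet-netbios.c.  The real table has 35 entries (indices 0..34); as in
 * Jeff's gdb session, the last entry is the "Unknown" fallback. */
static const char *const name_type_str[] = {
    "Workstation/Redirector",
    "Messenger",
    "Server Service",
    "Unknown"
};

/* Entry count and highest valid index, derived from the array itself so
 * they cannot drift from the table the way a hand-maintained
 * nb_name_type_max constant can. */
#define NAME_TYPE_COUNT   (sizeof name_type_str / sizeof name_type_str[0])
#define NAME_TYPE_UNKNOWN (NAME_TYPE_COUNT - 1)

/* The failing pattern (assumed): the clamp value equals the entry count
 * (35 for the real table), so a raw type one past the last valid index
 * passes the check and is used to index the array.  Returns the index the
 * caller would use, without dereferencing, so calling it here is safe. */
size_t buggy_name_type_index(unsigned raw_type)
{
    const size_t nb_name_type_max = NAME_TYPE_COUNT;   /* one too many */
    if (raw_type > nb_name_type_max)
        return NAME_TYPE_UNKNOWN;
    return raw_type;            /* may equal NAME_TYPE_COUNT: out of bounds */
}

/* Fixed lookup: any raw type at or beyond the last valid index maps to the
 * "Unknown" entry, so every value returned indexes a real element. */
size_t safe_name_type_index(unsigned raw_type)
{
    if (raw_type >= NAME_TYPE_UNKNOWN)
        return NAME_TYPE_UNKNOWN;
    return raw_type;
}

/* What netbios_add_name() would hand to proto_tree_add_text(): always a
 * valid string, never an address like 0x23 from past the end of the table. */
const char *name_type_to_str(unsigned raw_type)
{
    return name_type_str[safe_name_type_index(raw_type)];
}
```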