Ethereal-dev: Re: [Ethereal-dev] ethereal crash on particular packet

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Peter Hawkins" <peter@xxxxxxxxxxxxxxxxx>
Date: Fri, 14 Jun 2002 17:41:11 +1000
Hi...

The attached patch fixes this problem (some un-bounds-checked
sprintfs).

=)
Peter

On Thu, Jun 13, 2002 at 04:28:42PM +0200, Andreas Ferber wrote:
> Hi,
> 
> (please Cc me on replies, as I'm not subscribed to the list)
> 
> ethereal crashes (SIGSEGV) consistently when trying to decode the
> single IP packet contained in the attached tracefile.
> 
> The crash occurs with both ethereal 0.8.20 and 0.9.4, and affects both
> the GUI and the commandline version. editcap doesn't crash on the
> packet, so the problem seems to be somewhere in the packet decoding
> code. The trace was captured originally with tcpdump, so I can't tell
> if it would crash ethereal while only capturing into a file without
> showing decoded data.
> 
> The backtrace of the crash is as follows (some linebreaks added by me):
> 
> #0  check_offset_length_no_exception (tvb=0x2e777777, offset=43, length=2,
>     offset_ptr=0xbfffc8f4, length_ptr=0xbfffc8f8, exception=0xbfffc8a8)
>     at tvbuff.c:426
> #1  0x82020bb in check_offset_length (tvb=0x2e777777, offset=43, length=2,
>     offset_ptr=0xbfffc8f4, length_ptr=0xbfffc8f8) at tvbuff.c:484
> #2  0x8202a09 in ensure_contiguous (tvb=0x2e777777, offset=43, length=2)
>     at tvbuff.c:851
> #3  0x8202e4e in tvb_get_ntohs (tvb=0x2e777777, offset=43) at tvbuff.c:1045
> #4  0x80b485b in get_dns_name_type_class (tvb=0x2e777777, offset=1700885092,
>     dns_data_offset=1836213607, name_ret=0x732d6e61 <Address 0x732d6e61 out
>     of bounds>, name_len_ret=0x2e706f68, type_ret=0x5c462e00,
>     class_ret=0x3631785b) at packet-dns.c:623
> #5  0x2e5d302f in ?? ()
> Cannot access memory at address 0x3631785b
> 
> It looks like something is trashing data on the stack (corrupted stack
> frame at the end of the trace, and the tvb value in the function calls
> is also invalid (checked with gdb, it points to an inaccessible linear
> address)).
> 
> System is a RedHat Linux 6.2 (glibc-2.1.3-23) with a 2.2.21 kernel on
> x86, Gtk and GLib version is 1.2.10-ximian.25. The attached tracefile
> contains the exact packet that causes the crash.
> 
> Andreas
> -- 
>        Andreas Ferber - dev/consulting GmbH - Bielefeld, FRG
>      ---------------------------------------------------------
>          +49 521 1365800 - af@xxxxxxxxxx - www.devcon.net


Index: packet-dns.c
===================================================================
RCS file: /cvsroot/ethereal/packet-dns.c,v
retrieving revision 1.87
diff -u -r1.87 packet-dns.c
--- packet-dns.c	2002/05/15 07:24:20	1.87
+++ packet-dns.c	2002/06/14 07:39:09
@@ -536,17 +536,32 @@
 	{
 	  int bit_count;
 	  int label_len;
+	  int len;
 
 	  bit_count = tvb_get_guint8(tvb, offset);
 	  offset++;
 	  label_len = (bit_count - 1) / 8 + 1;
 	
-	  np += sprintf(np, "\\[x");
+	  if (maxname > 0) {
+		  len = snprintf(np, maxname, "\\[x");
+		  np += len;
+		  maxname -= len;
+	  }
+
 	  while(label_len--) {
-	    np += sprintf(np, "%02x", tvb_get_guint8(tvb, offset));
+	    if (maxname > 0) {
+		    len = snprintf(np, maxname, "%02x", tvb_get_guint8(tvb, offset));
+		    np += len;
+		    maxname -= len;
+	    }
 	    offset++;
 	  }
-	  np += sprintf(np, "/%d]", bit_count);
+	  if (maxname > 0) {
+		  len = snprintf(np, maxname, "/%d]", bit_count);
+		  np += len;
+		  maxname -= len;
+	  }
+
 	}
 	break;
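Review bot: the `len = snprintf(np, maxname, ...)` lines in this hunk (the `\\[x` prefix, the `%02x` loop body and the `/%d]` suffix) use the return value as the number of characters stored, but on a C99 libc it is the number of characters that would have been needed, and on older implementations it is -1 when the output does not fit. In the needed-length case `np += len` moves the pointer past the end of the buffer and `maxname -= len` goes negative; the following `maxname > 0` tests then suppress further writes, but `np` is left pointing outside the buffer for any later use, and in the -1 case `np` moves backwards and `maxname` grows, re-enabling writes. Suggest checking the result before advancing, e.g. `if (len < 0 || len >= maxname) { np += maxname - 1; maxname = 0; } else { np += len; maxname -= len; }`, in all three places. Since truncation also silently drops the closing `/%d]`, it is worth signalling to the caller that the name was cut short rather than handing back a partial label.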
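The bounded-append idea behind the patch, carried through with explicit handling of snprintf's return value, as an added example that is not part of this thread or of Ethereal's source. It mirrors the same three writes (the `\[x` prefix, one `%02x` per data byte, the `/count]` suffix) into a fixed buffer, but clamps the cursor on truncation instead of advancing it by the length snprintf reports, and it bounds-checks the input side as well. The names `bounded_buf`, `bb_appendf`, `format_bitstring_label` and `sample_label`, the buffer sizes, and the sample bytes are this example's own assumptions, not Ethereal identifiers.

```c
/* Added example, not code from the Ethereal patch or tree. A bounded append
 * helper replacing the bare "np += sprintf(...)" pattern; every name below
 * (bounded_buf, bb_appendf, format_bitstring_label, sample_label) is ours. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char *buf;      /* start of destination storage */
    size_t cap;     /* total capacity, including the terminating NUL */
    size_t used;    /* characters stored so far, excluding the NUL */
    int truncated;  /* set once any append did not fit completely */
} bounded_buf;

/* Appends printf-style text; returns 1 if it all fit, 0 on truncation.
 * The cursor is clamped at the buffer end instead of being advanced by
 * snprintf's "would have needed" count, so it can never point past it. */
static int bb_appendf(bounded_buf *b, const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t room = b->cap > b->used ? b->cap - b->used : 0;

    if (room == 0) {
        b->truncated = 1;
        return 0;
    }
    va_start(ap, fmt);
    n = vsnprintf(b->buf + b->used, room, fmt, ap);
    va_end(ap);
    if (n < 0) {                /* encoding error, or pre-C99 -1 on overflow */
        b->truncated = 1;
        return 0;
    }
    if ((size_t)n >= room) {    /* C99: n is the length that was needed... */
        b->used = b->cap - 1;   /* ...but only room-1 characters were stored */
        b->truncated = 1;
        return 0;
    }
    b->used += (size_t)n;
    return 1;
}

/* Renders one RFC 2673 bit-string label (count byte, then ceil(count/8) data
 * bytes) as "\[x<hex>/<count>]", the text form packet-dns.c emits. The input
 * side is bounds-checked as well. Returns bytes consumed, or 0 if short. */
static size_t format_bitstring_label(const unsigned char *in, size_t in_len,
                                     bounded_buf *out)
{
    unsigned bit_count;
    size_t label_len, i;

    if (in_len < 1)
        return 0;
    bit_count = in[0] ? in[0] : 256u;       /* RFC 2673: a count of 0 means 256 */
    label_len = (bit_count - 1) / 8 + 1;
    if (in_len < 1 + label_len)             /* never read past the packet */
        return 0;
    bb_appendf(out, "\\[x");
    for (i = 0; i < label_len; i++)
        bb_appendf(out, "%02x", in[1 + i]);
    bb_appendf(out, "/%u]", bit_count);
    return 1 + label_len;
}

/* Constructed sample label: 16 significant bits, data bytes c0 a8. */
static const unsigned char sample_label[] = { 0x10, 0xc0, 0xa8 };

/* Enough room: full text "\[xc0a8/16]" and nothing truncated. */
static int demo_fits(void)
{
    char buf[32] = "";
    bounded_buf b = { buf, sizeof buf, 0, 0 };

    return format_bitstring_label(sample_label, sizeof sample_label, &b) == 3
        && !b.truncated && strcmp(buf, "\\[xc0a8/16]") == 0;
}

/* Only 8 bytes of room inside a canary-filled array: output stops at
 * "\[xc0a8", truncated is set, and the canary beyond the window is intact.
 * With the unchecked sprintf pattern the "/16]" tail would have overrun. */
static int demo_truncates_without_overflow(void)
{
    char backing[16];
    bounded_buf b = { backing, 8, 0, 0 };
    size_t i;

    memset(backing, 'Z', sizeof backing);
    backing[0] = '\0';
    format_bitstring_label(sample_label, sizeof sample_label, &b);
    for (i = 8; i < sizeof backing; i++)
        if (backing[i] != 'Z')
            return 0;
    return b.truncated && b.used == 7 && strcmp(backing, "\\[xc0a8") == 0;
}
```

The canary in the second case is the check a reviewer wants to see on a fix like this: the write that the original `sprintf` chain would have made past the end of the name buffer now shows up only as `truncated = 1`, and the output stays NUL-terminated. The `truncated` flag is also what lets a dissector report a cut-off name instead of displaying a label that is missing its closing `/count]`.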