Wireshark · Ethereal-dev: [Ethereal-dev] Buffer overflows in packet-wtls.c

Ethereal-dev: [Ethereal-dev] Buffer overflows in packet-wtls.c

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Peter Hawkins" <peter@xxxxxxxxxxxxxxxxx>

Date: Fri, 14 Jun 2002 18:00:11 +1000

Hi...

More overflows. These are quite possibly exploitable (they look like
the best candidates I've seen without actually looking very hard) but I
just can't be bothered to check any more.

=)
Peter

Index: packet-wtls.c
===================================================================
RCS file: /cvsroot/ethereal/packet-wtls.c,v
retrieving revision 1.18
diff -u -r1.18 packet-wtls.c
--- packet-wtls.c	2002/01/24 09:20:52	1.18
+++ packet-wtls.c	2002/06/14 07:59:02
@@ -598,7 +598,7 @@
 								hf_wtls_hands_cli_hello_key_identifier_size,
 								tvb,offset,1,bo_big_endian);
 						offset++;
-						strncpy(valStr,tvb_get_ptr (tvb, offset, size),size);
+						strncpy(valStr,tvb_get_ptr (tvb, offset, size),MIN(size, sizeof(valStr) - 1));
 						valStr[size]=0;
 						ti = proto_tree_add_string(
 								wtls_msg_type_item_sub_sub_tree, 
@@ -736,7 +736,7 @@
 								hf_wtls_hands_cli_hello_key_identifier_size,
 								tvb,offset,1,bo_big_endian);
 						offset++;
-						strncpy(valStr,tvb_get_ptr (tvb, offset, size),size);
+						strncpy(valStr,tvb_get_ptr (tvb, offset, size),MIN(size, sizeof(valStr) - 1));
 						valStr[size]=0;
 						ti = proto_tree_add_string(
 								wtls_msg_type_item_sub_sub_tree, 
@@ -990,7 +990,7 @@
 								offset+=2;
 								client_size+=2;
 								value =  tvb_get_guint8 (tvb, offset);
-								strncpy(valStr,tvb_get_ptr (tvb, offset+1, value),value);
+								strncpy(valStr,tvb_get_ptr (tvb, offset+1, value),MIN(value, sizeof(valStr) - 1));
 								valStr[value]=0;
 								ti = proto_tree_add_string(
 										wtls_msg_type_item_sub_tree, 
@@ -1040,7 +1040,7 @@
 								offset+=2;
 								client_size+=2;
 								value =  tvb_get_guint8 (tvb, offset);
-								strncpy(valStr,tvb_get_ptr (tvb, offset+1, value),value);
+								strncpy(valStr,tvb_get_ptr (tvb, offset+1, value),MIN(value, sizeof(valStr) -1));
 								valStr[value]=0;
 								ti = proto_tree_add_string(
 										wtls_msg_type_item_sub_tree,

Follow-Ups:
- Re: [Ethereal-dev] Buffer overflows in packet-wtls.c
  - From: Guy Harris

Prev by Date: Re: [Ethereal-dev] ethereal crash on particular packet
Next by Date: Re: [Ethereal-dev] ethereal crash on particular packet
Previous by thread: Re: [Ethereal-dev] Bounds check problem in packet-smb-common.c
Next by thread: Re: [Ethereal-dev] Buffer overflows in packet-wtls.c
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$