Ethereal-dev: RE: [Ethereal-dev] Problem with MAPI decodes

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Nathan Way" <nathan@xxxxxxxxxxxx>
Date: Mon, 30 Jun 2003 15:50:42 -0700
This capture will cause Ethereal 0.9.13 to segment fault yet displays correctly in 0.9.11 on RedHat.  It seems to have a problem around frame 26 which is a DCERPC conversation between client & server.  Windows Ethereal 0.9.13a will also crash on this capture with an Application Error:

The instruction at "0x006c7463" referenced memory at "0xffffffff".  The memory could not be "read".

_______________________________
Nathan Way
CCIE #2188
Datanode, LLC
(425) 823-6661 / (800) 876-4275


-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxxxx] 
Sent: Monday, June 30, 2003 3:21 PM
To: Nathan Way
Cc: ethereal-dev@xxxxxxxxxxxx
Subject: Re: [Ethereal-dev] Problem with MAPI decodes


On Monday, June 30, 2003, at 12:48PM, Nathan Way wrote:

> what seems to be happening is Ethereal is interpreting the /CN field 
> as a length value, tries to allocate gigabytes worth of memory then 
> faults because it can't allocate that much RAM.

At least in recent versions of Ethereal, that shouldn't be happening - 
the DCE RPC routines to extract counted strings and the like should 
first check whether the entire string, with the purported length 
specified, is available in the packet data, before doing any 
allocation, so it should throw an exception and show a "Malformed 
Packet" indication.

Also, the fault you should get when it can't allocate memory shouldn't 
be a segmentation fault, as it uses "g_malloc()" and should thus call 
"abort()" and get a SIGABRT signal, not a SIGSEGV.

> Hex dump of packet:

Unfortunately, even after modifying that hex dump so that text2pcap can 
turn it into a capture file, it's only one packet in the middle of a 
MAPI sequence, so the DCE RPC dissector can't recognize it as a MAPI 
packet (no binding is in the capture) and, even if we were able to 
force that, it couldn't recognize it as a login reply (as the request 
isn't in the capture).

If you could send us a raw binary capture file (not a printed dump) 
with enough packets for Ethereal to try to see it as a MAPI login reply 
(it'd need the bind and bind ack, as well as the matching request, at a 
minimum), that'd help.

> Other than disabling the MAPI decoder, is there a patch or anything to 
> fix this problem? 

As we don't know what's causing it, no, we don't have a patch to fix 
it.  Getting the capture referred to above might make the difference 
between being able to fix it in a timely fashion and not being able to 
fix it in a timely fashion.

Attachment: smb.zip
Description: smb.zip