Hello list,
While testing out my new code analyzer, I found some problems in the
functions rdconvertbufftostr, rdconvertbufftobinstr and
rddecryptpass in the RADIUS dissector and in the function
iaconvertbufftostr in the IAPP dissector.
Consider the following lines:
packet-radius.c:3397:
(1) static void rdconvertbufftostr(gchar *dest, tvbuff_t *tvb, int offset, int length) {
        guint32 i;
        ..
(2)     for (i=0; i < (guint32)length; i++) {
            if( isprint((int)pd[i])) {
(3)             dest[totlen]=(gchar)pd[i];
                totlen++;
            } else {
(4)             sprintf(&(dest[totlen]), "\\%03o", pd[i]);
                totlen=totlen+strlen(&(dest[totlen]));
            }
        }
        ..
        ..
If the fourth argument of this function (1) is set to a negative value
then the for-loop (2) is going to loop forever. That's because
the length is defined as int, but 'i' and the 'length' are (cast to)
an unsigned int.
This will lead, depending on the content of 'pd', to an out-of-bounds
array access at (3) or (4).
The same applies to functions rdconvertbufftobinstr and rddecryptpass in
packet-radius.c and
iaconvertbufftostr in packet-iapp.c.
It's easy to generate packets which let ethereal crash due to these
problems.
A simple fix would be to bail out when 'length' is negative.
thanks,
jonathan heusser
--
Key fingerprint = 2A55 EB7C B7EA 6336 7767 4A47 910A 307B 1333 BD6C
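Added example, not ethereal's code: the loop from rdconvertbufftostr rewritten with the negative-length bail-out suggested above plus a destination bound, using plain C types instead of glib's gchar/guint32 and a constructed sample buffer in place of the tvbuff.

```c
/* Added example (not ethereal's code): the rdconvertbufftostr loop with
 * the checks a fixed version needs. pd stands in for the attribute bytes. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* What 'i < (guint32)length' really compares against: a negative int
 * becomes a huge unsigned bound, so the original loop never terminates. */
unsigned int bound_as_unsigned(int length) {
    return (unsigned int)length;          /* -1 -> 4294967295 */
}

/* Hardened conversion. Returns the number of characters written to dest
 * (NUL excluded), or -1 if length is negative or dest is too small.
 * A non-printable byte expands to 4 characters ("\ooo"). */
int convert_buff_to_str(char *dest, size_t dest_size,
                        const unsigned char *pd, int length) {
    size_t totlen = 0;
    int i;

    if (length < 0)                       /* the fix proposed in the post */
        return -1;
    for (i = 0; i < length; i++) {
        if (isprint(pd[i])) {
            if (totlen + 1 >= dest_size)  /* room for the char and the NUL */
                return -1;
            dest[totlen++] = (char)pd[i];
        } else {
            if (totlen + 4 >= dest_size)  /* room for "\ooo" and the NUL */
                return -1;
            snprintf(&dest[totlen], dest_size - totlen, "\\%03o", pd[i]);
            totlen += 4;
        }
    }
    dest[totlen] = '\0';
    return (int)totlen;
}

/* Runs the conversion on a constructed sample: "AB", a 0x01 byte, "C". */
int sample_result(char *out, size_t out_size, int length) {
    const unsigned char sample[] = { 'A', 'B', 0x01, 'C' };
    return convert_buff_to_str(out, out_size, sample, length);
}

int main(void) {
    char out[64];
    printf("%d: %s\n", sample_result(out, sizeof out, 4), out); /* 7: AB\001C */
    printf("%d\n", sample_result(out, sizeof out, -1));         /* -1 */
    return 0;
}
```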