Ethereal-dev: [Ethereal-dev] Re: ethereal 0.10.8 radius/iapp dissector vuln

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Jonathan Heusser <jonny@xxxxxxxxxxxx>
Date: Wed, 22 Dec 2004 19:55:04 +0100
If the fourth argument to "rdconvertbufftostr()" is negative, there's a bug in whatever code is calling it. 

Depends where you're normally fixing bugs..


In many cases, it's not ever going to be negative; [...]
There is at least one case (tagged strings) where it doesn't check that the length is >= 3 - and, in fact, there are other non-string parameters that also need length checks; "rd_value_to_str()" should be doing those checks. 

The attached file is an example packet which let ethereal crash, (ab)using the
tagged string case.



A simple fix would be to bail out when 'length' is negative.

"Bailing out" should be done with [..]


As I said, a simple fix.

jonathan heusser

--
Key fingerprint = 2A55 EB7C B7EA 6336 7767  4A47 910A 307B 1333 BD6C

Attachment: rdconverttrigger.dump
Description: Binary data