Ethereal-dev: Re: [Ethereal-dev] [Coverity] Possible Format String Vulnerabilities

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: metatech <metatech@xxxxxxxxxxxxx>
Date: Thu, 17 Mar 2005 07:47:24 +0100

metatech wrote:
> Beware that at line 1595 there is an enumeration of all possible values
> for the StructId,
> so the StructId is only pulled off the packet and taken into account
> if found in a known list.

I think the problem comes from the use of sStructId (and not StructID)

Basically sStructId and structId have the same content...

Sorry if my explanation was a bit too fast, here is a more detailed one:
- at line 1576, the dissector reads 4 bytes from the packet as a long in the variable "structId"
- at line 1595, the dissector checks whether "structId" is in a known enumeration.
- at line 1609, the dissector reads the same 4 bytes from the packet (the offset is not incremented), but this time as a string, and stores it in the variable "sStructId".
- at line 1610, the dissector passes the variable "sStructId" as a string format.

I agree that a syntactical security checker might not spot the full reasoning...

CU,

metatech
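The read sequence described in the mail (numeric read, enumeration check, re-read of the same four bytes as text, display), as an added C example that is not from the Ethereal source: the id table, offsets and function names are constructed for illustration. It passes the text as a `%s` argument instead of as the format, and adds the one check a reviewer would want when a format argument is only gated by a table, namely that no table entry contains a `%`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the dissector's enumeration of known StructIds
 * (hypothetical values; the real table lives in the Ethereal dissector). */
static const uint32_t known_struct_ids[] = { 0x41424344u, 0x45464748u }; /* "ABCD", "EFGH" */
#define N_KNOWN (sizeof known_struct_ids / sizeof known_struct_ids[0])

/* Big-endian 4-byte read, the numeric read at "line 1576" in the mail. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The check at "line 1595": is the numeric id in the enumeration? */
int struct_id_is_known(uint32_t id) {
    for (size_t i = 0; i < N_KNOWN; i++)
        if (known_struct_ids[i] == id) return 1;
    return 0;
}

/* Builds the display label for one packet. Returns 1 on success, 0 when the
 * packet is too short or the id is unknown. The same four bytes are read once
 * as a number (for the check) and once as text (for display) without the
 * offset advancing, as in the mail; the text goes in as a "%s" argument. */
int build_struct_label(const uint8_t *pkt, size_t len, size_t offset,
                       char *out, size_t outlen) {
    if (len < offset + 4) return 0;
    uint32_t struct_id = read_be32(pkt + offset);
    if (!struct_id_is_known(struct_id)) return 0;
    char s_struct_id[5];                 /* the "sStructId" of the mail */
    memcpy(s_struct_id, pkt + offset, 4);
    s_struct_id[4] = '\0';
    snprintf(out, outlen, "StructId: %s", s_struct_id);
    return 1;
}

/* The invariant a syntactic checker cannot see: with the gate above only
 * table entries reach the display call, so using them as the format would
 * only misbehave if an entry contained '%'. Returns 1 if none does. */
int known_ids_contain_no_percent(void) {
    for (size_t i = 0; i < N_KNOWN; i++) {
        uint32_t v = known_struct_ids[i];
        uint8_t b[4] = { (uint8_t)(v >> 24), (uint8_t)(v >> 16),
                         (uint8_t)(v >> 8),  (uint8_t)v };
        if (memchr(b, '%', sizeof b) != NULL) return 0;
    }
    return 1;
}
```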