Ethereal-dev: Re: [Ethereal-dev] [Coverity] Possible Format String Vulnerabilites

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: Gerald Combs <gerald@xxxxxxxxxxxx>
Date: Thu, 17 Mar 2005 12:37:37 -0600
Bryan Fulton wrote:

> Bug 2:
> /ethereal-0.10.10/epan/dissectors/packet-ansi_a.c:elem_cld_party_ascii_num
> - poctets pulled of of tcv via tvb_get_string() and passed to 
> proto_tree_add_string_function() as format argument.
> - This one is fairly subtle to notice as first glance. It looks like the
> value argument is missing, as the string "Digits: %s" is used as value
> in the call to proto_tree_add_string_format(). The user-controlled
> poctets is then unsafely passed as the FS argument.
> 
> Function "tvb_get_string" returns TAINTED string content
> Variable "poctets" TAINTED from assignment to tainted return value of 
> "tvb_get_string"
> 
> 5307 	    poctets = tvb_get_string(tvb, curr_offset, len - (curr_offset
> - offset));
> 
> TAINTED string "poctets" was passed to a format string sink. 
> 5309 	 proto_tree_add_string_format(tree,                             
> hf_ansi_a_cld_party_ascii_num,
> 5310 		tvb, curr_offset, len - (curr_offset - offset),
> 5311 		"Digits: %s",
> 5312 		poctets);

Fixed (along with the same problem at line 2770).  Thanks.