Hi,
Find enclosed another patch, this time for the ieee80211 dissector. This will fix an off-by-one
overflow in the out_buff buffer. When tag_len = 255 it was possible to write a single NULL
to out_buff[tag_len+1], which would be out_buff[256] when out_buff is SHORT_STR = 256
bytes long. We don't believe this to be exploitable, since you're saved by the stack layout
(but you never know).
______________________________________________________________________
Neil K
(njk4@xxxxxxxxxx)
(mu-b@xxxxxxxxxxxxxx)
--- packet-ieee80211.orig 2005-03-10 15:53:42.000000000 +0000
+++ packet-ieee80211.c 2005-04-08 13:18:35.860059000 +0100
@@ -1220,10 +1220,10 @@
{
case TAG_SSID:
- memset (out_buff, 0, SHORT_STR);
-
+ /*memset (out_buff, 0, SHORT_STR);*/ /* why do this? */
memcpy (out_buff, tag_data_ptr, (size_t) tag_len);
- out_buff[tag_len + 1] = 0;
+ out_buff[tag_len] = 0; /* 0 <= tag_len <= 255 and SHORT_STR = 256 */
+
for (i = 0; i < tag_len; i++) {
if (!isprint( (int) out_buff[i])) {
print_buff[i]='.';
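Review bot: The memset should be deleted outright rather than left as a commented-out line with a "why do this?" remark; commented-out code and an open question do not belong in a committed fix. Dropping the memset is fine for out_buff itself because the new `out_buff[tag_len] = 0;` terminates the string right after the copied bytes, but the safety of that index rests only on the comment `/* 0 <= tag_len <= 255 and SHORT_STR = 256 */`; since SHORT_STR is a separate definition that could change, make the invariant enforceable, for example by checking `tag_len < SHORT_STR` before the memcpy (or a compile-time check tying SHORT_STR to the maximum 8-bit tag length) instead of relying on a comment. Note also that print_buff is only filled for i < tag_len in the visible loop and is no longer cleared by the memset path; confirm in the following (unshown) lines that it is terminated at print_buff[tag_len] as well.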