Ethereal-users: Re: [Ethereal-users] Ethereal 0.9.7 Crashes with One GPRS R98 Packet Injection

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 25 Oct 2002 23:23:22 -0700
On Mon, Oct 21, 2002 at 05:53:55PM -0500, Kevin Poole wrote:
> I saved the file you sent me "gprs.pcap" and opened it into Ethereal
> 0.9.7 and it still crashes.

Good.  That means I managed to generate a packet file that causes the
problem.

> I am running on Win 2000 instead of Unix.  I don't know of any more
> recent version of Ethereal than 0.9.7.  If you know of one could you
> send me the link?

I don't know of one, because there isn't one.

> Could you try opening that file in the Windows Version of Ethereal.

I did, and it crashed.

It turns out the problem was a buffer overflow due to somebody having
written code that copied 16 bytes into an 8-byte buffer.  (The symptoms
of buffer overflows can differ between compilers and platforms; the
symptoms on the UNIX systems on which I tried it, compiling with GCC,
were bogus "Malformed packet" errors rather than crashes.)

I changed both places where authentication triplets were displayed to
use, for all three elements in the triplet, a routine that displays byte
strings (as that's what they appear to be, at least from my reading of
GSM specification 03.20 version 3.3.2), which also fixes problems
displaying those strings.  One place had the buffer-overflow bug (which
the change fixes, as there is no longer any copying being done).

(I fixed the display of authentication quintuplets as well - it now
displays all five items, rather than punting on some of them.)

The fixes will be in the next release, whenever that comes out; I don't
know when that will be.

Note to people working on packet-gtp.c: "tvb_bytes_to_str()" is your
friend....
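As an added illustration (not Ethereal's code and not the patch described above): the unchecked fixed-buffer copy behind the crash, with a bounds check so it refuses the 16-into-8 mismatch, next to the fix's approach of formatting the bytes straight from the packet buffer. The function names, the sample triplet and the simplified stand-in for tvb_bytes_to_str() are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAND_LEN 16   /* GSM RAND is 16 bytes; SRES is 4, Kc is 8 */

/* Constructed sample authentication triplet (RAND | SRES | Kc), not a real capture. */
static const uint8_t sample_triplet[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,                         /* RAND */
    0x01, 0x02, 0x03, 0x04, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7  /* SRES, Kc */
};

/* The buggy pattern: copy a field into a caller-supplied fixed buffer. The
 * original had no check and wrote 16 bytes into 8; here the mismatch returns -1. */
int copy_field(uint8_t *dst, size_t dst_len, const uint8_t *pkt,
               size_t pkt_len, size_t offset, size_t field_len)
{
    if (offset + field_len > pkt_len || field_len > dst_len)
        return -1;
    memcpy(dst, pkt + offset, field_len);
    return 0;
}

/* The fix's approach, standing in for tvb_bytes_to_str(): hex-format the bytes straight
 * from the packet buffer, no copy. Returns hex chars written, or -1 if it does not fit. */
int bytes_to_hex(char *out, size_t out_len, const uint8_t *pkt,
                 size_t pkt_len, size_t offset, size_t field_len)
{
    if (offset + field_len > pkt_len || out_len < 2 * field_len + 1)
        return -1;
    for (size_t i = 0; i < field_len; i++)
        snprintf(out + 2 * i, 3, "%02x", pkt[offset + i]);
    return (int)(2 * field_len);
}

/* Reproduces the report: the 16-byte RAND into a Kc-sized (8-byte) buffer. */
int rand_into_kc_buffer(void)
{
    uint8_t kc_buf[8];
    return copy_field(kc_buf, sizeof kc_buf, sample_triplet, sizeof sample_triplet, 0, RAND_LEN);
}

/* Displays RAND the safe way; returns a static 32-character hex string. */
const char *rand_as_hex(void)
{
    static char hex[2 * RAND_LEN + 1];
    bytes_to_hex(hex, sizeof hex, sample_triplet, sizeof sample_triplet, 0, RAND_LEN);
    return hex;
}
```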