Wireshark-bugs: [Wireshark-bugs] [Bug 4450] Intermittant crash in http dissector if reassemble h
Date: Tue, 2 Feb 2010 20:01:51 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4450

--- Comment #2 from Jim Young <jyoung@xxxxxxx> 2010-02-02 20:01:45 PST ---
g_strlcpy() has an unwanted side effect.  Regardless of the supplied len
g_strlcpy() returns the strlen() of the src buffer.  Even if we only want to
copy one character from src, the entire src buffer will be walked to determine
its strlen().

http://library.gnome.org/devel/glib/unstable/glib-String-Utility-Functions.html#g-strlcpy 

The glib implementation appears to be based on:

http://mail.gnome.org/archives/gtk-devel-list/2000-May/msg00029.html 

g_strlcpy() assumes that src *IS* ASCII NUL terminated.  If the src buffer is
not NUL terminated, g_strlcpy() *WILL* read past the end of the buffer.  

In the use case for parsing the http header, ep_strndup() is called repeatedly
to pull individual chunks from a bigger buffer.  I'm not certain that the
supplied buffer is actually NUL terminated.  And even if the buffer is NUL
terminated, the return value of g_strlcpy() is ignored within ep_strndup() and
se_strndup().

Suggest reversion of SVN 30488 and perhaps undertake audit of other uses of
g_strlcpy().

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.