Wireshark · Wireshark-dev: Re: [Wireshark-dev] tvb_get

Wireshark-dev: Re: [Wireshark-dev] tvb_get_nstringz0

From: Dario Lombardo <lomato@xxxxxxxxx>

Date: Sat, 27 Mar 2021 19:56:14 +0100

Hi John,

thanks, your explanation helped a lot. However I still don't get why the code crashes. Please let me use the actual buffer sizes since the ones I told before were examples. The packet is 49, the local buffer is 15.

When you call tvb_get_nstringz0() you pass in bufsize = 15.
tvb_get_nstringz0() calls _tvb_get_nstringz()
check_offset_len() runs to the end of the packet, setting len to 49.
Since len >= bufsize, it sets limit = bufsize.
stringlen = tvb_strnlen(tvb, abs_offset, limit - 1) looks at the first 9 bytes, doesn't find a NUL, returns -1

That's a point I don't get. This piece of code (stringlen = tvb_strnlen(tvb, 0, 14)) actually returns 49. Despite the fact that NULL is present or not, shouldn't this function fulfill the (limit - 1)? Shouldn't that return 14 at most?

stringlen is -1, tvb_memcpy copies over limit (10) bytes into buffer from tvb, bytes_copies is set to 10, _tvb_get_nstringz() returns -1.

That's where things start to get hairy: stringlen is 49, then the actual copy starts against buffer, that is only 15 bytes long. Crash.

Follow-Ups:
- Re: [Wireshark-dev] tvb_get_nstringz0
  - From: John Thacker

References:
- [Wireshark-dev] tvb_get_nstringz0
  - From: Dario Lombardo
- Re: [Wireshark-dev] tvb_get_nstringz0
  - From: John Thacker

Prev by Date: [Wireshark-dev] Automated builds failing for macOS since MR 2136 was applied
Next by Date: Re: [Wireshark-dev] Input plugin for PEAK Systems CAN interfaces
Previous by thread: Re: [Wireshark-dev] tvb_get_nstringz0
Next by thread: Re: [Wireshark-dev] tvb_get_nstringz0
Index(es):
- Date
- Thread