Wireshark · Wireshark-users: Re: [Wireshark-users] bug on packet-gsm

Wireshark-users: Re: [Wireshark-users] bug on packet-gsm_sms.c short buffer

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Tue, 10 Jun 2008 14:38:44 -0700


On Jun 10, 2008, at 1:00 PM, Jaap Keuter wrote:

It's probably the call to gsm_sms_char_7bit_unpack() that does that.


Or the

	messagebuf[out_len] = '\0';

after it. If out_len is the length of the message, then a maximum-length message will cause an array bounds violation (messagebuf[160]is past the end of messagebuf).

If you do have a sample capture you could share then please open abug report
with this text and the capture on https://bugs.wireshark.org

...so that we can test a fix. (As per my comment, the right fix wouldprobably be to do:


	#define SMS_MAX_MESSAGE_SIZE	160

		...

	char messagebuf[SMS_MAX_MESSAGE_SIZE + 1];

		...

		out_len =
		    gsm_sms_char_7bit_unpack(fill_bits, length, SMS_MAX_MESSAGE_SIZE,
			tvb_get_ptr(tvb, offset, length), messagebuf);
		messagebuf[out_len] = '\0';

so that the array is 161 bytes long but we only pass 160 togsm_sms_char_7bit_unpack(). gsm_sms_char_7bit_unpack() appears to dobounds checking, so a message *longer* than 160 bytes won't cause anymore of a problem than a 160-byte message does.)

References:
- [Wireshark-users] bug on packet-gsm_sms.c short buffer
  - From: david ceccanti
- Re: [Wireshark-users] bug on packet-gsm_sms.c short buffer
  - From: Jaap Keuter

Prev by Date: Re: [Wireshark-users] [Bulk] [Wireshark-announce] What is a good average for malformed packets
Next by Date: Re: [Wireshark-users] Wireshark and Windows Vista
Previous by thread: Re: [Wireshark-users] bug on packet-gsm_sms.c short buffer
Next by thread: Re: [Wireshark-users] What is a good average for malformed packets
Index(es):
- Date
- Thread