Wireshark · Ethereal-dev: Re: [Ethereal-dev] Re: [Coverity] Possible Format String Vulnerabilites

Ethereal-dev: Re: [Ethereal-dev] Re: [Coverity] Possible Format String Vulnerabilites

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Wed, 16 Mar 2005 18:54:59 -0800

Bryan Fulton wrote:

Bug 3:
/ethereal-0.10.10/epan/dissectors/packet-manolito.c:dissect_manolito
- length pulled off a tvb via tvb_get_guint8(), and length+1 is
passed to malloc without proper bounds checking. Possible integer
overflow on the allocation

How so? At least from my reading of the C89 standard, "length" isconverted to "int" when 1 is added to it, so you won't overflow the"unsigned char" that "length" probably is. I.e., as "length" is in therange 0 to 255, "length + 1" is in the range 1 to 256.

References:
- [Ethereal-dev] [Coverity] Possible Format String Vulnerabilites
  - From: Bryan Fulton
- [Ethereal-dev] Re: [Coverity] Possible Format String Vulnerabilites
  - From: Bryan Fulton

Prev by Date: Re: [Ethereal-dev] [Coverity] Possible Format String Vulnerabilites
Next by Date: [Ethereal-dev] DNP Dissector Development
Previous by thread: Re: [Ethereal-dev] Re: [Coverity] Possible Format String Vulnerabilites
Next by thread: [Ethereal-dev] Re: [Coverity] Possible Format String Vulnerabilites
Index(es):
- Date
- Thread