Wireshark · Ethereal-dev: Re: [Ethereal-dev] [Coverity] Possible Format String Vulnerabilites

Ethereal-dev: Re: [Ethereal-dev] [Coverity] Possible Format String Vulnerabilites

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gerald Combs <gerald@xxxxxxxxxxxx>

Date: Thu, 17 Mar 2005 12:37:37 -0600

Bryan Fulton wrote:

> Bug 2:
> /ethereal-0.10.10/epan/dissectors/packet-ansi_a.c:elem_cld_party_ascii_num
> - poctets pulled of of tcv via tvb_get_string() and passed to 
> proto_tree_add_string_function() as format argument.
> - This one is fairly subtle to notice as first glance. It looks like the
> value argument is missing, as the string "Digits: %s" is used as value
> in the call to proto_tree_add_string_format(). The user-controlled
> poctets is then unsafely passed as the FS argument.
> 
> Function "tvb_get_string" returns TAINTED string content
> Variable "poctets" TAINTED from assignment to tainted return value of 
> "tvb_get_string"
> 
> 5307 	    poctets = tvb_get_string(tvb, curr_offset, len - (curr_offset
> - offset));
> 
> TAINTED string "poctets" was passed to a format string sink. 
> 5309 	 proto_tree_add_string_format(tree,                             
> hf_ansi_a_cld_party_ascii_num,
> 5310 		tvb, curr_offset, len - (curr_offset - offset),
> 5311 		"Digits: %s",
> 5312 		poctets);

Fixed (along with the same problem at line 2770).  Thanks.

References:
- [Ethereal-dev] [Coverity] Possible Format String Vulnerabilites
  - From: Bryan Fulton

Prev by Date: Re: [Ethereal-dev] Proposing a generic tool for protocol decoder development process
Next by Date: Re: [Ethereal-dev] Proposing a generic tool for protocol decoder development process
Previous by thread: [Ethereal-dev] Re: [Coverity] Possible Format String Vulnerabilites
Next by thread: Re: [Ethereal-dev] [Coverity] Possible Format String Vulnerabilites
Index(es):
- Date
- Thread