Wireshark-bugs: [Wireshark-bugs] [Bug 2899] crash when loading malformed dns packets
Date: Fri, 26 Sep 2008 08:23:16 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2899


Jeff Morriss <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]




--- Comment #11 from Jeff Morriss <[email protected]>  2008-09-26 08:23:15 PDT ---
(In reply to comment #9)
> Created an attachment (id=2264)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=2264) [details]
> valgrind trace
> 
> command used: libtool --mode=execute valgrind --leak-check=full tshark -Vnxr
> /home/koma/softs/pcapfuzz/pcaps/224.pcap > /dev/null 2> valgrind.out 

Thanks.  That says:

==20655== Invalid write of size 1
==20655==    at 0x62BDFD7: _IO_default_xsputn (in
/lib/tls/i686/cmov/libc-2.7.so)
==20655==    by 0x6297AE2: vfprintf (in /lib/tls/i686/cmov/libc-2.7.so)
==20655==    by 0x62B8C03: vsnprintf (in /lib/tls/i686/cmov/libc-2.7.so)
==20655==    by 0x6008DD2: g_vsnprintf (in /usr/lib/libglib-2.0.so.0.1600.4)
==20655==    by 0x6008F78: g_snprintf (in /usr/lib/libglib-2.0.so.0.1600.4)
==20655==    by 0x449C2F2: time_secs_to_str_buf (to_str.c:408)
==20655==    by 0x449C903: time_secs_to_str (to_str.c:424)
==20655==    by 0x464E288: dissect_answer_records (packet-dns.c:876)
==20655==    by 0x4653402: dissect_dns_common (packet-dns.c:2686)
==20655==    by 0x4653EA9: dissect_dns_udp (packet-dns.c:2716)
==20655==    by 0x4474263: call_dissector_through_handle (packet.c:396)
==20655==    by 0x44749E6: call_dissector_work (packet.c:485)
==20655==  Address 0x8dbf878 is 5 bytes after a block of size 51 alloc'd
==20655==    at 0x4022AB8: malloc (vg_replace_malloc.c:207)
==20655==    by 0x5FDCDCC: g_malloc (in /usr/lib/libglib-2.0.so.0.1600.4)
==20655==    by 0x4469C0D: ep_alloc (emem.c:414)
==20655==    by 0x449C8AE: time_secs_to_str (to_str.c:417)
==20655==    by 0x464E288: dissect_answer_records (packet-dns.c:876)
==20655==    by 0x4653402: dissect_dns_common (packet-dns.c:2686)
==20655==    by 0x4653EA9: dissect_dns_udp (packet-dns.c:2716)
==20655==    by 0x4474263: call_dissector_through_handle (packet.c:396)
==20655==    by 0x44749E6: call_dissector_work (packet.c:485)
==20655==    by 0x4475CB8: dissector_try_port (packet.c:870)
==20655==    by 0x49CADC7: decode_udp_ports (packet-udp.c:159)
==20655==    by 0x49CB508: dissect (packet-udp.c:427)


time_secs_to_str_buf() tries to protect against writing past the end of the
buffer BUT, it could pass a negative buffer length to g_snprintf() which
expects the buffer length to be unsigned.  On my system that doesn't cause a
problem but I imagine it could on others.

As the comment at the top of time_secs_to_str_buf() says:

  /* This would probably be cleaner if we used GStrings instead. */

Or we could just make sure not to pass a negative value.

(I don't have time to do that now, maybe next week.)


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.