Ethereal-dev: [Ethereal-dev] More bounds check problems

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Peter Hawkins <peter@xxxxxxxxxxxxxxxxx>
Date: Mon, 10 Jun 2002 12:59:20 +1000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi..

A not too dangerous one:
packet-beep.c line 473:
- -tvb_memcpy(tvb, int_buff, offset, MIN(sizeof(int_buff), i));
+tvb_memcpy(tvb, int_buff, offset, MIN(sizeof(int_buff) - 1, i));
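Review bot: the new bound MIN(sizeof(int_buff) - 1, i) only guarantees a terminator if int_buff was zero-filled before the copy, which the report relies on (the \0 characters being overwritten); writing int_buff[sizeof(int_buff) - 1] = '\0' explicitly after tvb_memcpy would not depend on that. The copy now truncates silently when i exceeds the buffer, so sscanf parses a shortened number; consider rejecting or flagging that case rather than parsing it. Also, the removed line shows as `- -` because of PGP dash-escaping, so the snippet will not apply with patch(1) as pasted.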

It's possible to completely fill the buffer with text and to overwrite all of 
the \0 characters, which would mean that sscanf would run off the edge of the 
string. (Yes, the one with 'FIXME: Dangerous' on it =)


A probably exploitable buffer overflow:
packet-scsi.c line 1346:
- -tvb_get_nstringz0 (tvb, offset, plen, str);
+tvb_get_nstringz0(tvb, offset, MIN(plen, sizeof(str)), str);
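Review bot: MIN(plen, sizeof(str)) stops the stack write but truncates silently, and if tvb_get_nstringz0 treats its length argument as the buffer size including the NUL (as the patch assumes), the string is cut to 31 characters even when plen is exactly 32; if the field can legitimately hold 32 visible characters, str needs one more byte. Confirm that whatever advances offset past the field still uses the original plen rather than the clamped value so the dissector stays in sync with the packet, and keep the whitespace change (`tvb_get_nstringz0 (` to `tvb_get_nstringz0(`) out of a security fix so the diff stays minimal.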

plen is a guint8 read from the packet itself, and str is defined as char 
str[32] in the stack.

I haven't constructed a test case for this one because it looks exceedingly
not fun to implement several layers of protocol wrapper first (one of iscsi
or ndmp) but by inspection there aren't any difficulties with sticking
shellcode in that string (the buffer is big enough, the variables above it in
the stack can be safely overwritten, (so long as evpd_tree is overwritten
with care to something that won't crash the process), and hence the return
address can be modified).
This one _might_ merit a security advisory.

=)
Peter
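Both problems above, as an added C model that is not Ethereal's code: a stand-in for tvb_memcpy() and tvb_get_nstringz0() with the old and patched bounds selectable by a flag, so the missing terminator and the oversized copy can be checked without a packet capture. Assumptions: tvb_get_nstringz0() copies at most bufsize-1 bytes and always NUL-terminates, and the 8-byte int_buff is a constructed size, not the real one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Stand-in for Ethereal's tvbuff: packet bytes plus their length. tvb_memcpy()
 * bounds-checks against the packet only, never against the destination buffer. */
static void tvb_memcpy_model(const uint8_t *pkt, size_t pkt_len,
                             void *dst, size_t offset, size_t n) {
    if (offset >= pkt_len) return;
    memcpy(dst, pkt + offset, MIN(n, pkt_len - offset));
}

/* BEEP case: after copying i digits, does int_buff still hold a NUL for sscanf?
 * fixed=0 uses the old MIN(sizeof(int_buff), i), fixed=1 the patched sizeof-1. */
int beep_int_buff_terminated(const uint8_t *pkt, size_t pkt_len,
                             size_t offset, size_t i, int fixed) {
    char int_buff[8];                        /* constructed size, not the real one */
    size_t limit = fixed ? sizeof(int_buff) - 1 : sizeof(int_buff);
    memset(int_buff, '\0', sizeof(int_buff));
    tvb_memcpy_model(pkt, pkt_len, int_buff, offset, MIN(limit, i));
    return memchr(int_buff, '\0', sizeof(int_buff)) != NULL;
}

/* Model of tvb_get_nstringz0(): copies at most bufsize-1 bytes, stopping at a
 * NUL, and always terminates. `cap` is the true size of buffer; a bufsize above
 * it is the SCSI overflow, so this model refuses it (-1) instead of writing. */
static int nstringz0_checked(const uint8_t *pkt, size_t pkt_len, size_t offset,
                             size_t bufsize, char *buffer, size_t cap) {
    size_t n = 0;
    if (bufsize == 0 || bufsize > cap) return -1;
    while (n < bufsize - 1 && offset + n < pkt_len && pkt[offset + n] != '\0') {
        buffer[n] = (char)pkt[offset + n];
        n++;
    }
    buffer[n] = '\0';
    return (int)n;
}

/* SCSI case: plen is a guint8 read from the packet, str is char[32] on the stack.
 * Returns bytes copied, or -1 when the unclamped plen would overflow str. */
int scsi_read_str(const uint8_t *pkt, size_t pkt_len, size_t offset,
                  uint8_t plen, int fixed) {
    char str[32];
    size_t bufsize = fixed ? MIN((size_t)plen, sizeof(str)) : (size_t)plen;
    return nstringz0_checked(pkt, pkt_len, offset, bufsize, str, sizeof(str));
}
```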

