Hi..
A not too dangerous one:
packet-beep.c line 473:
- -tvb_memcpy(tvb, int_buff, offset, MIN(sizeof(int_buff), i));
+tvb_memcpy(tvb, int_buff, offset, MIN(sizeof(int_buff) - 1, i));
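Review bot: the `- 1` only leaves room for a terminator if `int_buff` was zero-filled before this copy; the patch itself never writes a `\0`, so if the buffer is uninitialised the `sscanf` run-off described below is still possible when `i >= sizeof(int_buff) - 1`. Either confirm the buffer is cleared at declaration or add an explicit `int_buff[MIN(sizeof(int_buff) - 1, i)] = '\0';` after the copy so the fix does not depend on earlier code.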
It's possible to completely fill the buffer with text and to overwrite all of
the \0 characters, which would mean that sscanf would run off the edge of the
string. (Yes, the one with 'FIXME: Dangerous' on it =)
A probably exploitable buffer overflow:
packet-scsi.c line 1346:
- -tvb_get_nstringz0 (tvb, offset, plen, str);
+tvb_get_nstringz0(tvb, offset, MIN(plen, sizeof(str)), str);
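Review bot: whether `MIN(plen, sizeof(str))` is safe depends on how `tvb_get_nstringz0` interprets its length argument; if that length is a byte count that excludes the terminating NUL, a 32-byte `plen` still writes `str[32]`, one past the end of `char str[32]`, and the bound should be `sizeof(str) - 1` as in the packet-beep fix. Please check the helper's contract and state it in a comment next to the call, since `plen` is attacker-controlled.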
plen is a guint8 read from the packet itself, and str is defined as char
str[32] in the stack.
I haven't constructed a test case for this one because it looks exceedingly
not fun to implement several layers of protocol wrapper first (one of iscsi
or ndmp) but by inspection there aren't any difficulties with sticking
shellcode in that string (the buffer is big enough, the variables above it in
the stack can be safely overwritten, (so long as evpd_tree is overwritten
with care to something that won't crash the process), and hence the return
address can be modified).
This one _might_ merit a security advisory.
=)
Peter
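Added example, not from the original message or from Ethereal: a constructed C model of the bounded copy both fixes above aim for, so the bounds logic can be checked offline. bounded_nstringz and parse_int_field are hypothetical stand-ins for the tvb_* calls, and the buffer sizes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>

/* Constructed model (not Ethereal's tvb_* API) of a bounded string copy
 * from a packet into a fixed-size stack buffer.  Copies at most
 * min(plen, dst_size - 1) bytes starting at offset, stops at the first
 * NUL, always writes a terminator, and returns the number of bytes
 * copied, or -1 if the requested range lies outside the packet. */
static int bounded_nstringz(const uint8_t *pkt, size_t pkt_len,
                            size_t offset, size_t plen,
                            char *dst, size_t dst_size)
{
    size_t n, i;

    if (dst_size == 0 || offset > pkt_len || plen > pkt_len - offset)
        return -1;                          /* would read past the packet */

    n = plen < dst_size - 1 ? plen : dst_size - 1;  /* MIN(plen, sizeof-1) */
    for (i = 0; i < n && pkt[offset + i] != '\0'; i++)
        dst[i] = (char)pkt[offset + i];
    dst[i] = '\0';                          /* terminator always fits */
    return (int)i;
}

/* The packet-beep case: an integer field carried as ASCII text.  The copy
 * is terminated before parsing, and strtol replaces sscanf on an
 * unterminated buffer.  Returns 0 and stores the value on success, -1 if
 * the field is out of range or contains no digits. */
static int parse_int_field(const uint8_t *pkt, size_t pkt_len,
                           size_t offset, size_t i, long *out)
{
    char int_buff[8];                       /* assumed fixed stack buffer */
    char *end;

    if (bounded_nstringz(pkt, pkt_len, offset, i, int_buff, sizeof int_buff) < 0)
        return -1;
    *out = strtol(int_buff, &end, 10);
    return (end == int_buff) ? -1 : 0;      /* no digits at all */
}
```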