Ethereal-dev: Re: [Ethereal-dev] Crash in ethereal on AFS packets.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 10 Oct 2002 13:31:13 -0700
On Thu, Oct 10, 2002 at 10:13:16AM -0700, Jaime Fournier wrote:
>  I have found that the dissector for AFS is causing
> tethereal/ethereal to die on certain packets.
> I have provided a backtrace of the crash that I can
> reproduce with a large capture file I have.

It's crashing because it's being asked to allocate a huge amount of
memory; the "OUT_RXString()" does

		i = tvb_get_ntohl(tvb, offset); \
		offset += 4; \
		len = ((i+4-1)/4)*4; \
		tmp = g_malloc(i+1); \
		memcpy(tmp, tvb_get_ptr(tvb,offset,i), i); \
		tmp[i] = '\0'; \

which will, if the length value is bogus (for whatever reason) and
overly large, fail in "g_malloc()" rather than failing by throwing a
"mangled packet" exception, the latter being what it *should* do.

Doing it as

		i = tvb_get_ntohl(tvb, offset); \
		offset += 4; \
		p = tvb_get_ptr(tvb,offset,i); \
		len = ((i+4-1)/4)*4; \
		tmp = g_malloc(i+1); \
		memcpy(tmp, p, i); \
		tmp[i] = '\0'; \

(with an additional temporary variable "p" - or whatever name makes it
work) - should fix that.

I'll test that and check it in.
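The reordering described above, worked through as an added example (not Ethereal's own code): a toy tvbuff whose bounds-checked pointer fetch returns NULL where the real tvb_get_ptr() throws the "malformed packet" exception, and a capped allocator standing in for g_malloc(). The names tvb_t, tvb_get_ptr_chk, tvb_get_ntohl_chk, capped_malloc, out_rxstring, decode_sample and the two sample packets are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for Ethereal's tvbuff, a bounded view of packet bytes
 * (constructed for this example; not the real tvbuff API). */
typedef struct { const uint8_t *data; size_t len; } tvb_t;
enum { RX_OK = 0, RX_MALFORMED = 1, RX_ALLOC_FAIL = 2 };

/* Bounds-checked pointer into the buffer: NULL unless [off, off+n) lies inside
 * the captured data. The real tvb_get_ptr() throws the "malformed packet"
 * exception at this point instead of returning NULL. */
static const uint8_t *tvb_get_ptr_chk(const tvb_t *t, size_t off, size_t n) {
    return (off > t->len || t->len - off < n) ? NULL : t->data + off;
}

/* Bounds-checked big-endian 32-bit read; -1 when fewer than 4 bytes remain. */
static int tvb_get_ntohl_chk(const tvb_t *t, size_t off, uint32_t *v) {
    const uint8_t *p = tvb_get_ptr_chk(t, off, 4);
    if (p == NULL) return -1;
    *v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    return 0;
}

/* Allocator stand-in: refuses sizes above 1 MiB so the example runs without
 * exhausting memory; the real g_malloc() aborts the process on failure. */
static char *capped_malloc(size_t n) { return n > (1u << 20) ? NULL : malloc(n); }

/* Decode an RX string (4-byte length, then bytes). fixed == 0 mirrors the
 * original macro (allocate, then bounds-check); fixed != 0 mirrors the proposed
 * reordering (bounds-check via the pointer fetch, then allocate). */
static int out_rxstring(const tvb_t *t, size_t off, int fixed, char **out) {
    uint32_t i; char *tmp = NULL; const uint8_t *p = NULL;
    if (tvb_get_ntohl_chk(t, off, &i) != 0) return RX_MALFORMED;
    off += 4;
    if (fixed && (p = tvb_get_ptr_chk(t, off, i)) == NULL) return RX_MALFORMED;
    if ((tmp = capped_malloc((size_t)i + 1)) == NULL) return RX_ALLOC_FAIL;
    if (!fixed && (p = tvb_get_ptr_chk(t, off, i)) == NULL) { free(tmp); return RX_MALFORMED; }
    memcpy(tmp, p, i); tmp[i] = '\0'; *out = tmp;
    return RX_OK;
}

/* Constructed sample packets: a well-formed 5-byte string, and one whose length
 * field claims 0x7FFFFFF0 bytes. decode_sample() returns the RX_* result code. */
static const uint8_t GOOD[]  = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t BOGUS[] = { 0x7f, 0xff, 0xff, 0xf0, 'h', 'e' };
static int decode_sample(int bogus, int fixed) {
    tvb_t t = bogus ? (tvb_t){ BOGUS, sizeof BOGUS } : (tvb_t){ GOOD, sizeof GOOD };
    char *s = NULL; int rc = out_rxstring(&t, 0, fixed, &s); free(s); return rc;
}
```

With the original ordering the bogus packet surfaces as an allocation failure (a crash under real g_malloc()), while the reordered version reports it as a malformed packet and never touches the allocator.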