Ethereal-dev: Re: [Ethereal-dev] Crash in ethereal on AFS packets.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jaime Fournier <jafour1@xxxxxxxxx>
Date: Thu, 10 Oct 2002 14:10:59 -0700 (PDT)

Thanks for the prompt reply.
Looking forward to this fix. :D

--- Guy Harris <gharris@xxxxxxxxx> wrote:
> On Thu, Oct 10, 2002 at 10:13:16AM -0700, Jaime Fournier wrote:
> >  I have found that the dissector for AFS is causing
> > tethereal/ethereal to die on certain packets.
> > I have provided a backtrace of the crash that I can
> > reproduce with a large capture file I have.
> 
> It's crashing because it's being asked to allocate a huge amount of
> memory; the "OUT_RXString()" does
> 
> 		i = tvb_get_ntohl(tvb, offset); \
> 		offset += 4; \
> 		len = ((i+4-1)/4)*4; \
> 		tmp = g_malloc(i+1); \
> 		memcpy(tmp, tvb_get_ptr(tvb,offset,i), i); \
> 		tmp[i] = '\0'; \
> 
> which will, if the length value is bogus (for whatever reason) and
> overly large, fail in "g_malloc()" rather than failing by throwing a
> "mangled packet" exception, the latter being what it *should* do.
> 
> Doing it as
> 
> 		i = tvb_get_ntohl(tvb, offset); \
> 		offset += 4; \
> 		p = tvb_get_ptr(tvb,offset,i); \
> 		len = ((i+4-1)/4)*4; \
> 		tmp = g_malloc(i+1); \
> 		memcpy(tmp, p, i); \
> 		tmp[i] = '\0'; \
> 
> (with an additional temporary variable "p" - or whatever name makes it
> work) - should fix that.
> 
> I'll test that and check it in.


=====
Jaime Fournier
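
The ordering discussed in the quoted reply, as an added example that is not part of the original thread and is not Ethereal's code: the claimed string length is checked against the bytes actually captured before any allocation, which is what moving the tvb_get_ptr() call ahead of g_malloc() achieves. `struct pkt`, `read_rx_string`, the `RX_*` codes and both sample packets are hypothetical and constructed for illustration; an error return stands in for the "mangled packet" exception.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a capture buffer; not Ethereal's tvbuff API. */
struct pkt { const uint8_t *data; size_t len; };
enum { RX_OK = 0, RX_MALFORMED = -1, RX_NOMEM = -2 };

/* Constructed samples: a 3-byte string "afs" plus one pad byte, and a
 * packet whose length field claims 0xFFFFFFF0 bytes but carries only 4. */
static const uint8_t good_pkt[] = { 0, 0, 0, 3, 'a', 'f', 's', 0 };
static const uint8_t bad_pkt[]  = { 0xFF, 0xFF, 0xFF, 0xF0, 'a', 'f', 's', 0 };

/* Read a 4-byte big-endian length, then that many bytes, as the quoted
 * macro does, but reject the length before allocating if the buffer
 * does not actually hold that many bytes. */
int read_rx_string(const struct pkt *p, size_t *offset, char **out)
{
    if (*offset > p->len || p->len - *offset < 4)
        return RX_MALFORMED;                 /* no room for the length field */
    const uint8_t *b = p->data + *offset;
    uint32_t n = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
                 ((uint32_t)b[2] << 8) | (uint32_t)b[3];
    size_t off = *offset + 4;
    if (n > p->len - off)
        return RX_MALFORMED;                 /* bogus length: fail before malloc */
    char *tmp = malloc((size_t)n + 1);
    if (tmp == NULL)
        return RX_NOMEM;
    memcpy(tmp, p->data + off, n);
    tmp[n] = '\0';
    /* Round up to the 4-byte boundary in size_t so the sum cannot wrap at 32 bits. */
    *offset = off + (((size_t)n + 3) / 4) * 4;
    *out = tmp;
    return RX_OK;
}

int main(void)
{
    struct pkt good = { good_pkt, sizeof good_pkt }, bad = { bad_pkt, sizeof bad_pkt };
    size_t off = 0; char *s = NULL;
    int rc = read_rx_string(&good, &off, &s);
    printf("good: rc=%d str=%s next=%zu\n", rc, rc == RX_OK ? s : "-", off);
    free(s);
    off = 0;
    printf("bad:  rc=%d\n", read_rx_string(&bad, &off, &s));
    return 0;
}
```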