I found a bug in packet-mdshdr.c that may cause a crash by overrunning
the array boundary. I simply replaced two arrays (sof_strings[] and
eof_strings[]) with val_to_str() and deleted them because they are now
no longer used. Please find attached a patch.
BTW, this dissector registers itself for the frame with
ETHERTYPE_UNK. Is this really necessary? One network equipment in my
lab transmitted a bogus frame with Ethernet Type 0x0000 and this frame
was dissected by packet-mdshdr.c. Because this frame didn't have a
legal MDS structure, Ethereal crashed due to the bug I described
above.
Regards,
Index: packet-mdshdr.c
===================================================================
RCS file: /cvsroot/ethereal/packet-mdshdr.c,v
retrieving revision 1.4
diff -u -r1.4 packet-mdshdr.c
--- packet-mdshdr.c 5 Mar 2003 07:41:23 -0000 1.4
+++ packet-mdshdr.c 4 Jun 2003 21:55:07 -0000
@@ -150,16 +150,6 @@
{0, NULL},
};
-static const gchar * sof_strings[] = {
- "Null", "SOFc1", "SOFi1", "SOFn1", "SOFi2", "SOFn2", "SOFi3", "SOFn3",
- "SOFf", "SOFc4", "SOFi4", "SOFn4",
-};
-
-static const gchar *eof_strings[] = {
- "Null", "EOFt", "EOFdt", "EOFn", "EOFa", "", "EOFdti", "EOFni",
- "", "", "EOFrt", "", "", "", "EOFrti",
-};
-
/* Code to actually dissect the packets */
static void
dissect_mdshdr(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
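Review bot: The removed eof_strings[] table used "" for the undefined codes (indexes 5, 8, 9 and 11 to 13), so after this deletion those codes render as "Unknown(n)" in the summary line rather than as an empty string; please mention that display change in the commit message. The replacement tables sof_vals and eof_vals are not visible in this hunk, so it is also worth confirming that they carry the same labels as the deleted arrays ("Null" for 0, "SOFn4" for 11, "EOFrt" for 10, "EOFrti" for 14) and that each ends with a {0, NULL} terminator like the table in the context lines above, since val_to_str() walks the table until it reaches that entry.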
@@ -212,7 +202,8 @@
ti_main = proto_tree_add_protocol_format (tree, proto_mdshdr, tvb, 0,
MDSHDR_HEADER_SIZE+pktlen,
"MDS Header(%s/%s)",
- sof_strings[sof], eof_strings[eof]);
+ val_to_str(sof, sof_vals, "Unknown(%u)"),
+ val_to_str(eof, eof_vals, "Unknown(%u)"));
mdshdr_tree_main = proto_item_add_subtree (ti_main, ett_mdshdr);
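Review bot: The unchanged argument MDSHDR_HEADER_SIZE+pktlen two lines above the replaced call still comes from the same frame contents as sof and eof, so a bogus frame like the one described in the report can also supply an arbitrary pktlen; please check that it is bounded against the captured data before it is used as the item length. The val_to_str() replacements themselves look right for removing the out-of-range index. A short comment noting that sof and eof are taken straight from the frame and must never be used as array indexes would help keep the direct-indexing pattern from coming back.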