Wireshark-bugs: [Wireshark-bugs] [Bug 8449] New: (Untriggerable) memory corruption in packet-sql
Date: Fri, 08 Mar 2013 05:24:39 +0000
Bug ID: 8449
Summary: (Untriggerable) memory corruption in packet-sqloracle.c
Classification: Unclassified
Product: Wireshark
Version: SVN
Hardware: x86
OS: All
Status: UNCONFIRMED
Severity: Minor
Priority: Low
Component: Capture file support (libwiretap)
Assignee: bugzilla-admin@wireshark.org
Reporter: me@moshekaplan.com

Build Information:

--
File: packet-sqloracle.c

Untriggerable memory corruption.

This dissector is not currently enabled. That turns this into a relatively
harmless bug. It would otherwise be a memory corruption bug.

I am reporting this in the event that this code becomes enabled in the future.

The vulnerability is caused by a tvb_memcpy of all data in a tvbuffer into a
fixed-size buffer stored on the stack. Packets larger than 1024 bytes will
trigger the buffer overflow.

dissect_sqloracle
    ...
    header_operation = tvb_get_guint8(tvb, offset);
    /* dataLen is whatever remains in the packet; nothing bounds it */
    dataLen = tvb_reported_length_remaining(tvb, offset);
    if (header_operation != NET8_TYPE_FUNCCOMPLETE)
        func_type = tvb_get_guint8(tvb, offset+1);
    ...
    switch (header_operation)
    {
        case NET8_TYPE_USERTOSERVER: /* 0x3 */
            ...
            switch (func_type)
            {
                case NET8_USER_FUNC_PARSE:
                    /* the unbounded length is passed straight through */
                    ParseCommand(sqloracle_tree,tvb,offset+0x0B,pinfo,dataLen-0x0B);
                ...
            }
        ...
    }

static gboolean ParseCommand(..., UI16_T dataLen){
    UI8_T pAddress[1024];
    UI16_T SQLDataLen = dataLen;
    int i;

    for (i=0; i<1024;i++)
    {
        pAddress[i] = '\0';
    }

    /* copies dataLen bytes into the 1024-byte stack buffer with no check
       that dataLen <= 1024: this is the overflow */
    tvb_memcpy (tvb, pAddress,offset, dataLen);
    ....
}
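Added example (not Wireshark's code and not from the report): a bounds-checked counterpart of the call path above, with a minimal struct standing in for Wireshark's tvbuff. NET8_HEADER_LEN, the all-zero sample_capture and the try_packet helper are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for Wireshark's tvbuff_t (constructed): a packet pointer plus its reported length. */
typedef struct { const uint8_t *data; size_t len; } tvbuff_t;

#define NET8_HEADER_LEN 0x0B   /* bytes skipped before the SQL text, as at the call site */
#define PADDRESS_SIZE   1024   /* size of ParseCommand's stack buffer */

/* Hardened counterpart of ParseCommand (not Wireshark's code): every length is
   checked against the capture and the destination before the copy. */
static bool parse_command_checked(const tvbuff_t *tvb, size_t offset,
                                  size_t dataLen, size_t *copied)
{
    uint8_t pAddress[PADDRESS_SIZE];
    memset(pAddress, 0, sizeof pAddress);
    /* the requested range must lie inside the captured packet */
    if (offset > tvb->len || dataLen > tvb->len - offset)
        return false;
    /* and fit the stack buffer: the check the original lacks, so a payload
       over 1024 bytes is refused instead of overflowing pAddress */
    if (dataLen > sizeof pAddress)
        return false;
    memcpy(pAddress, tvb->data + offset, dataLen);
    *copied = dataLen;
    return true;
}

/* Mirrors the dissect_sqloracle call path: the SQL text starts NET8_HEADER_LEN
   bytes in, so a packet shorter than that would make dataLen - 0x0B wrap
   around and is rejected up front. */
static bool dissect_user_parse_checked(const uint8_t *pkt, size_t pktlen, size_t *copied)
{
    tvbuff_t tvb = { pkt, pktlen };
    if (pktlen < NET8_HEADER_LEN)
        return false;
    return parse_command_checked(&tvb, NET8_HEADER_LEN, pktlen - NET8_HEADER_LEN, copied);
}

/* Constructed sample capture (all zeros). try_packet returns the number of
   bytes copied for a packet of the given length, or -1 if it was rejected. */
static uint8_t sample_capture[2048];
static long try_packet(size_t pktlen)
{
    size_t copied = 0;
    if (pktlen > sizeof sample_capture) return -1;
    return dissect_user_parse_checked(sample_capture, pktlen, &copied) ? (long)copied : -1;
}
```

A 1035-byte packet (11-byte header plus exactly 1024 bytes) is the largest the checked path accepts; one byte more is rejected rather than written past the buffer.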
