Wireshark-bugs: [Wireshark-bugs] [Bug 10214] ASAN: global-buffer-overflow in _ws_mempbrk_sse42
Date: Sat, 21 Jun 2014 15:40:33 +0000

Comment # 2 on bug 10214 from
Well this is fishy:

#8  _ws_mempbrk_sse42 (s=0x61b00001eac2 "220 lekensteyn.nl ESMTP Exim 4.80 Sat,
21 Jun 2014 12:20:19 +0200\r\n", '\276' <repeats 133 times>..., slen=67,
a=0x7fffefeaf680 <crlf> "\r\n")
    at wsutil/ws_mempbrk_sse42.c:133
133           mask = _mm_load_si128 ((__m128i *) (void *) a);
(gdb) up
#9  0x00007fffe8f6823a in ws_mempbrk (haystack=0x61b00001eac2 "220
lekensteyn.nl ESMTP Exim 4.80 Sat, 21 Jun 2014 12:20:19 +0200\r\n", '\276'
<repeats 133 times>..., haystacklen=67, needles=0x7fffefeaf680 <crlf> "\r\n")
    at wsutil/ws_mempbrk.c:64
64                      return _ws_mempbrk_sse42(haystack, haystacklen,
needles);
(gdb) 
#10 0x00007fffee342c47 in guint8_pbrk (haystack=0x61b00001eac2 "220
lekensteyn.nl ESMTP Exim 4.80 Sat, 21 Jun 2014 12:20:19 +0200\r\n", '\276'
<repeats 133 times>..., haystacklen=67, needles=0x7fffefeaf680 <crlf> "\r\n", 
    found_needle=0x7fffffffb180 "") at epan/tvbuff.c:746
746             const guint8 *result = ws_mempbrk(haystack, haystacklen,
needles);



The statically allocated CRLF is only 3 bytes (24 bits). _mm_load_si128
requires an argument of at least 128 bit (16 bytes). This is a legitimate
issue, you can't just cast 24 bit data to 128 bit, it will very likely result
in a garbage needle.

needles must be between 1 and 16 bytes (inclusive), so I propose a copy of the
needle?


You are receiving this mail because:
  • You are watching all bug changes.