Wireshark-bugs: [Wireshark-bugs] [Bug 10214] ASAN: global-buffer-overflow in _ws_mempbrk_sse42
Comment # 2 on bug 10214 from Peter Wu
Well this is fishy:
#8  _ws_mempbrk_sse42 (s=0x61b00001eac2 "220 lekensteyn.nl ESMTP Exim 4.80 Sat, 21 Jun 2014 12:20:19 +0200\r\n", '\276' <repeats 133 times>..., slen=67, a=0x7fffefeaf680 <crlf> "\r\n")
    at wsutil/ws_mempbrk_sse42.c:133
133         mask = _mm_load_si128 ((__m128i *) (void *) a);
(gdb) up
#9  0x00007fffe8f6823a in ws_mempbrk (haystack=0x61b00001eac2 "220 lekensteyn.nl ESMTP Exim 4.80 Sat, 21 Jun 2014 12:20:19 +0200\r\n", '\276' <repeats 133 times>..., haystacklen=67, needles=0x7fffefeaf680 <crlf> "\r\n")
    at wsutil/ws_mempbrk.c:64
64          return _ws_mempbrk_sse42(haystack, haystacklen, needles);
(gdb)
#10 0x00007fffee342c47 in guint8_pbrk (haystack=0x61b00001eac2 "220 lekensteyn.nl ESMTP Exim 4.80 Sat, 21 Jun 2014 12:20:19 +0200\r\n", '\276' <repeats 133 times>..., haystacklen=67, needles=0x7fffefeaf680 <crlf> "\r\n", found_needle=0x7fffffffb180 "") at epan/tvbuff.c:746
746         const guint8 *result = ws_mempbrk(haystack, haystacklen, needles);

The statically allocated CRLF is only 3 bytes (24 bits). _mm_load_si128
requires an argument of at least 128 bits (16 bytes). This is a legitimate
issue: you can't just cast 24-bit data to 128 bits, it will very likely result
in a garbage needle.

needles must be between 1 and 16 bytes (inclusive), so I propose a copy of the
needle?
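
The copy proposed above, sketched as an added example (not part of the original comment and not Wireshark's code): the needle bytes go into a 16-byte aligned, zero-padded buffer that the caller owns, so a 128-bit load never reads past a short static string. The names needle_vec, needle_vec_init, needle_vec_load and demo_crlf_padded are hypothetical, and the SSE2 path falls back to memcpy on targets without it.

```c
#include <stddef.h>
#include <string.h>
#if defined(__SSE2__)
#include <emmintrin.h>
#endif

#define NEEDLE_VEC_LEN 16   /* bytes read by one 128-bit load */

/* Owned, 16-byte aligned storage for the needle set plus its real length. */
typedef struct {
    _Alignas(16) unsigned char bytes[NEEDLE_VEC_LEN];
    size_t len;
} needle_vec;

/* Copy 1..16 needle bytes into padded storage.
 * Returns 0 on success, -1 if an argument or the length is out of range. */
static int needle_vec_init(needle_vec *nv, const void *needles, size_t len)
{
    if (nv == NULL || needles == NULL || len < 1 || len > NEEDLE_VEC_LEN)
        return -1;
    memset(nv->bytes, 0, sizeof nv->bytes);   /* padding is defined, not garbage */
    memcpy(nv->bytes, needles, len);          /* reads exactly len source bytes */
    nv->len = len;
    return 0;
}

/* Read all 16 bytes back, as a SIMD search would. The aligned load is now
 * in bounds because it targets nv->bytes, not the caller's short string. */
static void needle_vec_load(const needle_vec *nv, unsigned char out[NEEDLE_VEC_LEN])
{
#if defined(__SSE2__)
    __m128i mask = _mm_load_si128((const __m128i *)(const void *)nv->bytes);
    _mm_storeu_si128((__m128i *)(void *)out, mask);
#else
    memcpy(out, nv->bytes, NEEDLE_VEC_LEN);
#endif
}

/* Constructed sample: the two CRLF needle characters from the trace above. */
static int demo_crlf_padded(void)
{
    needle_vec nv;
    unsigned char out[NEEDLE_VEC_LEN];
    if (needle_vec_init(&nv, "\r\n", 2) != 0)
        return 0;
    needle_vec_load(&nv, out);
    for (size_t i = 2; i < NEEDLE_VEC_LEN; i++)
        if (out[i] != 0) return 0;            /* every padding byte must be zero */
    return out[0] == '\r' && out[1] == '\n' && nv.len == 2;
}
```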