RE: Ethereal remote buffer overflow - addon

From: LSS Security (exposed_at_lss.hr)
Date: 03/09/05

  • Next message: Gerald Combs: "Re: Ethereal remote buffer overflow"
    Date: Wed, 9 Mar 2005 02:33:58 +0100
    To: bugtraq@securityfocus.com
    
    

    Just a little trick to overflow more stack memory in Ethereal.
    It is possible to overflow the stack with more than 255 - 2 bytes. If radius_len
    is set to 1, it is subtracted by two on the strncpy() line and becomes -1
    (0xffffffff -> 4294967295 as unsigned long).

    packet-3g-a11.c:
    ----------------
    #define MAX_STRVAL 16
    ...
    dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
    {
    ...
      size_t radius_len;
      ...
      guchar str_val[MAX_STRVAL];
      ...
      radius_len = tvb_get_guint8(tvb, offset + 1);
      ...
      strncpy(str_val, tvb_get_ptr(tvb,offset+2,radius_len-2), radius_len-2);
    ...
    }
    ----------------

    ------------------------------------------
    Leon Juranic, LSS Security
    http://security.lss.hr

    "Born under the lucky star magical,
    but on this world generally tragical".
                                    - Djole


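The length arithmetic the post describes, as an added example (this is not code from the Ethereal source or from the original poster; the function names a11_copy_len_unchecked, a11_copy_len_checked and a11_extract_strval, the sample packet bytes and the check order are assumptions made for illustration). The first function reproduces the unchecked `radius_len - 2` on a size_t so the wrap-around can be observed without performing the overflowing strncpy(); the second and third show one way a dissector could bound the copy: reject lengths below 2, reject lengths that run past the packet, and clamp the copy to MAX_STRVAL - 1 so str_val is always NUL-terminated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STRVAL 16   /* same buffer size as the posted dissector */

/* Mirrors the posted arithmetic: the 8-bit length byte is widened to size_t
 * and 2 is subtracted with no range check. Returns the value that would reach
 * strncpy() as its count argument; for radius_len < 2 it wraps to SIZE_MAX
 * (4294967295 on a 32-bit build, as the post notes). */
size_t a11_copy_len_unchecked(unsigned char radius_len)
{
    size_t len = radius_len;   /* tvb_get_guint8() result stored in a size_t */
    return len - 2;            /* underflows when radius_len is 0 or 1 */
}

/* Hardened variant (an assumption for illustration, not the project's fix).
 * Returns the number of bytes that may safely be copied into a MAX_STRVAL
 * buffer, or -1 if the attribute length is invalid. */
int a11_copy_len_checked(unsigned char radius_len, size_t bytes_available)
{
    if (radius_len < 2)
        return -1;                                 /* would underflow */
    size_t want = (size_t)radius_len - 2;          /* now provably >= 0 */
    if (want > bytes_available)
        return -1;                                 /* would read past the packet */
    if (want > MAX_STRVAL - 1)
        want = MAX_STRVAL - 1;                     /* leave room for the NUL */
    return (int)want;
}

/* Bounded extraction of the string attribute starting at pkt[offset]:
 * byte 0 is the attribute type, byte 1 the length, the value follows. */
int a11_extract_strval(const unsigned char *pkt, size_t pkt_len,
                       size_t offset, char out[MAX_STRVAL])
{
    if (offset > pkt_len || pkt_len - offset < 2)
        return -1;                                 /* no room for type+length */
    unsigned char radius_len = pkt[offset + 1];
    int n = a11_copy_len_checked(radius_len, pkt_len - (offset + 2));
    if (n < 0)
        return -1;
    memcpy(out, pkt + offset + 2, (size_t)n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample attributes, not captured traffic. */
    const unsigned char good[] = { 0x01, 0x07, 'h', 'e', 'l', 'l', 'o' };
    const unsigned char bad[]  = { 0x01, 0x01 };   /* the post's radius_len = 1 */
    char val[MAX_STRVAL];

    printf("unchecked len for radius_len=1: %zu\n", a11_copy_len_unchecked(1));
    printf("good attribute -> %d bytes: %s\n",
           a11_extract_strval(good, sizeof good, 0, val), val);
    printf("radius_len=1 attribute -> %d (rejected)\n",
           a11_extract_strval(bad, sizeof bad, 0, val));
    return 0;
}
```

Running it on a 32-bit build prints 4294967295 for the unchecked length and SIZE_MAX on any other width; the checked path rejects the malformed attribute before any copy happens.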