Wireshark mailing list archives
Re: tvb_get_nstringz0
From: Dario Lombardo <lomato () gmail com>
Date: Sat, 27 Mar 2021 19:56:14 +0100
Hi John, thanks, your explanation helped a lot. However, I still don't get why the code crashes. Please let me use the actual buffer sizes, since the ones I gave before were examples. The packet is 49, the local buffer is 15. When you call tvb_get_nstringz0() you pass in bufsize = 15.
> tvb_get_nstringz0() calls _tvb_get_nstringz(). check_offset_len() runs to the end of the packet, setting len to 49. Since len >= bufsize, it sets limit = bufsize. stringlen = tvb_strnlen(tvb, abs_offset, limit - 1) looks at the first 9 bytes, doesn't find a NUL, returns -1.
That's a point I don't get. This piece of code (stringlen = tvb_strnlen(tvb, 0, 14)) actually returns 49. Whether or not a NULL is present, shouldn't this function fulfill the (limit - 1)? Shouldn't that return 14 at most?
> stringlen is -1, tvb_memcpy copies over limit (10) bytes into buffer from tvb, bytes_copied is set to 10, _tvb_get_nstringz() returns -1.
That's where things start to get hairy: stringlen is 49, then the actual copy starts against buffer, which is only 15 bytes long. Crash.
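As an added illustration (not Wireshark's code), the following is a simplified C model of the logic John describes, with flat arrays standing in for the tvbuff and hypothetical model_* functions in place of the tvb_* ones. It shows the bound that makes the copy safe: strnlen is limited to limit - 1 and limit never exceeds bufsize, so the 49-byte packet and 15-byte buffer from this thread can only ever produce a 15-byte, NUL-terminated copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of tvb_strnlen(): index of the first NUL within maxlen bytes of
 * pkt[off..], or -1 if none is found in that window. Never looks past
 * the packet end or past the caller's limit. */
static int model_strnlen(const uint8_t *pkt, size_t pktlen, size_t off, size_t maxlen)
{
    size_t end = (off + maxlen < pktlen) ? off + maxlen : pktlen;
    for (size_t i = off; i < end; i++)
        if (pkt[i] == 0)
            return (int)(i - off);
    return -1;
}

/* Model of tvb_get_nstringz0(): copy a NUL-terminated string from pkt[off..]
 * into buf (bufsize bytes), always NUL-terminating. Returns the string
 * length without the NUL; *copied receives the number of bytes written.
 * Assumes off < pktlen and bufsize >= 2 (the real code asserts/throws). */
static int model_get_nstringz0(const uint8_t *pkt, size_t pktlen, size_t off,
                               size_t bufsize, uint8_t *buf, size_t *copied)
{
    size_t len = pktlen - off;                       /* bytes to end of packet */
    size_t limit = (len < bufsize) ? len : bufsize;  /* never more than buf   */
    int stringlen = model_strnlen(pkt, pktlen, off, limit - 1);

    if (stringlen == -1) {            /* no NUL in the window: truncate */
        memcpy(buf, pkt + off, limit);
        *copied = limit;
        if (len < bufsize) {          /* packet ended first: add a NUL */
            buf[limit] = 0;
            *copied = limit + 1;
        }
        buf[bufsize - 1] = 0;         /* tvb_get_nstringz0's guarantee */
        return (int)(*copied - 1);
    }
    memcpy(buf, pkt + off, (size_t)stringlen + 1);  /* string plus NUL */
    *copied = (size_t)stringlen + 1;
    return stringlen;
}

/* The bound the thread is about: a strnlen result is only safe to copy
 * if the string plus its NUL fits the destination. A value such as 49
 * for a 15-byte buffer must be rejected, not copied. */
static int copy_fits(int stringlen, size_t bufsize)
{
    return stringlen >= 0 && (size_t)stringlen + 1 <= bufsize;
}
```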