Date: Thu, 9 Dec 1999 23:24:57 +0100 (CET) From: Juergen Lock <nox@jelal.kn-bremen.de> To: FreeBSD-gnats-submit@freebsd.org Subject: ports/15387: ethereal's packet-smb.c calls str*() functions with NULL pointers Message-ID: <199912092224.XAA06334@saturn.kn-bremen.de>
next in thread | raw e-mail | index | archive | help
>Number: 15387
>Category: ports
>Synopsis: ethereal's packet-smb.c calls str*() functions with NULL pointers
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 9 15:20:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Juergen Lock
>Release: FreeBSD 3.3-STABLE i386
>Organization:
me? origanized?
>Environment:
3.3-STABLE i386, gettext-0.10.35, glib-1.2.6, gtk-1.2.6
>Description:
ports/net/ethereal's packet-smb.c calls str*() functions with
NULL pointers, causing coredumps.
>How-To-Repeat:
just try to watch some smb packets, you'll sooner or later
stumble accross ones that make it die...
>Fix:
--- /dev/null Thu Dec 9 23:18:45 1999
+++ patches/patch-aa Thu Dec 9 23:13:17 1999
@@ -0,0 +1,49 @@
+Index: packet-smb.c
+@@ -9020,14 +9020,14 @@
+ guint8 Pad2;
+ const gchar *Data;
+
+- TransactNameCopy = g_malloc(strlen(TransactName) + 1);
++ TransactNameCopy = g_malloc(TransactName ? strlen(TransactName) + 1 : 1);
+
+ /* Should check for error here ... */
+
+- strcpy(TransactNameCopy, TransactName);
++ strcpy(TransactNameCopy, TransactName ? TransactName : "");
+ if (TransactNameCopy[0] == '\\')
+ trans_type = TransactNameCopy + 1; /* Skip the slash */
+- loc_of_slash = strchr(trans_type, '\\');
++ loc_of_slash = trans_type ? strchr(trans_type, '\\') : NULL;
+ if (loc_of_slash) {
+ index = loc_of_slash - trans_type; /* Make it a real index */
+ trans_cmd = trans_type + index + 1;
+@@ -9036,9 +9036,9 @@
+ else
+ trans_cmd = NULL;
+
+- if (((strcmp(trans_type, "MAILSLOT") != 0) ||
++ if ((!trans_type || (strcmp(trans_type, "MAILSLOT") != 0) ||
+ !dissect_mailslot_smb(pd, offset, fd, parent, tree, si, max_data, SMB_offset, errcode, dirn, trans_cmd, SMB_offset + DataOffset, DataCount)) &&
+- ((strcmp(trans_type, "PIPE") != 0) ||
++ (!trans_type || (strcmp(trans_type, "PIPE") != 0) ||
+ !dissect_pipe_smb(pd, offset, fd, parent, tree, si, max_data, SMB_offset, errcode, dirn, trans_cmd, DataOffset, DataCount, ParameterOffset, ParameterCount))) {
+
+ if (ParameterCount > 0) {
+@@ -9993,7 +9993,7 @@
+ dissect_pipe_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *parent, proto_tree *tree, struct smb_info si, int max_data, int SMB_offset, int errcode, int dirn, const u_char *command, int DataOffset, int DataCount, int ParameterOffset, int ParameterCount)
+ {
+
+- if (strcmp(command, "LANMAN") == 0) { /* Try to decode a LANMAN */
++ if (command && strcmp(command, "LANMAN") == 0) { /* Try to decode a LANMAN */
+
+ return dissect_pipe_lanman(pd, offset, fd, parent, tree, si, max_data, SMB_offset, errcode, dirn, command, DataOffset, DataCount, ParameterOffset, ParameterCount);
+
+@@ -10520,7 +10520,7 @@
+ dissect_mailslot_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *parent, proto_tree *tree, struct smb_info si, int max_data, int SMB_offset, int errcode, int dirn, const u_char *command, int DataOffset, int DataCount)
+ {
+
+- if (strcmp(command, "BROWSE") == 0) { /* Decode a browse */
++ if (command && strcmp(command, "BROWSE") == 0) { /* Decode a browse */
+
+ return dissect_mailslot_browse(pd, offset, fd, parent, tree, si, max_data, SMB_offset, errcode, dirn, command, DataOffset, DataCount);
+
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912092224.XAA06334>