Date: Thu, 9 Dec 1999 23:24:57 +0100 (CET)
From: Juergen Lock <nox@jelal.kn-bremen.de>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/15387: ethereal's packet-smb.c calls str*() functions with NULL pointers
Message-ID: <199912092224.XAA06334@saturn.kn-bremen.de>
>Number: 15387
>Category: ports
>Synopsis: ethereal's packet-smb.c calls str*() functions with NULL pointers
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 9 15:20:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Juergen Lock
>Release: FreeBSD 3.3-STABLE i386
>Organization: me? organized?
>Environment: 3.3-STABLE i386, gettext-0.10.35, glib-1.2.6, gtk-1.2.6
>Description: ports/net/ethereal's packet-smb.c calls str*() functions with NULL pointers, causing coredumps.
>How-To-Repeat: just try to watch some smb packets, you'll sooner or later stumble across ones that make it die...
>Fix: --- /dev/null Thu Dec 9 23:18:45 1999 +++ patches/patch-aa Thu Dec 9 23:13:17 1999 
@@ -0,0 +1,49 @@ +Index: packet-smb.c +@@ -9020,14 +9020,14 @@ + guint8 Pad2; + const gchar *Data; + +- TransactNameCopy = g_malloc(strlen(TransactName) + 1); ++ TransactNameCopy = g_malloc(TransactName ? strlen(TransactName) + 1 : 1); + + /* Should check for error here ... */ + +- strcpy(TransactNameCopy, TransactName); ++ strcpy(TransactNameCopy, TransactName ? TransactName : ""); + if (TransactNameCopy[0] == '\\') + trans_type = TransactNameCopy + 1; /* Skip the slash */ +- loc_of_slash = strchr(trans_type, '\\'); ++ loc_of_slash = trans_type ? strchr(trans_type, '\\') : NULL; + if (loc_of_slash) { + index = loc_of_slash - trans_type; /* Make it a real index */ + trans_cmd = trans_type + index + 1; +@@ -9036,9 +9036,9 @@ + else + trans_cmd = NULL; + +- if (((strcmp(trans_type, "MAILSLOT") != 0) || ++ if ((!trans_type || (strcmp(trans_type, "MAILSLOT") != 0) || + !dissect_mailslot_smb(pd, offset, fd, parent, tree, si, max_data, SMB_offset, errcode, dirn, trans_cmd, SMB_offset + DataOffset, DataCount)) && +- ((strcmp(trans_type, "PIPE") != 0) || ++ (!trans_type || (strcmp(trans_type, "PIPE") != 0) || + !dissect_pipe_smb(pd, offset, fd, parent, tree, si, max_data, SMB_offset, errcode, dirn, trans_cmd, DataOffset, DataCount, ParameterOffset, ParameterCount))) { + + if (ParameterCount > 0) { +@@ -9993,7 +9993,7 @@ + dissect_pipe_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *parent, proto_tree *tree, struct smb_info si, int max_data, int SMB_offset, int errcode, int dirn, const u_char *command, int DataOffset, int DataCount, int ParameterOffset, int ParameterCount) + { + +- if (strcmp(command, "LANMAN") == 0) { /* Try to decode a LANMAN */ ++ if (command && strcmp(command, "LANMAN") == 0) { /* Try to decode a LANMAN */ + + return dissect_pipe_lanman(pd, offset, fd, parent, tree, si, max_data, SMB_offset, errcode, dirn, command, DataOffset, DataCount, ParameterOffset, ParameterCount); + +@@ -10520,7 +10520,7 @@ + dissect_mailslot_smb(const u_char *pd, 
int offset, frame_data *fd, proto_tree *parent, proto_tree *tree, struct smb_info si, int max_data, int SMB_offset, int errcode, int dirn, const u_char *command, int DataOffset, int DataCount) + { + +- if (strcmp(command, "BROWSE") == 0) { /* Decode a browse */ ++ if (command && strcmp(command, "BROWSE") == 0) { /* Decode a browse */ + + return dissect_mailslot_browse(pd, offset, fd, parent, tree, si, max_data, SMB_offset, errcode, dirn, command, DataOffset, DataCount); + >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
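Review bot: in the @@ -9020,14 +9020,14 @@ hunk, the new `trans_type ? strchr(trans_type, '\\') : NULL` test is only safe if trans_type is set to NULL where it is declared, because the visible code assigns it only when TransactNameCopy[0] is a backslash and there is no else branch. The declaration is outside these lines, so make the dependency explicit with an `else trans_type = NULL;` after that assignment. The g_malloc()/strcpy() pair could also be replaced by `TransactNameCopy = g_strdup(TransactName ? TransactName : "");`, which drops the second NULL test and the separate length computation.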
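Review bot: in the @@ -9036,9 +9036,9 @@ hunk, `!trans_type ||` is repeated in front of both strcmp() calls inside a condition that was already long, which makes it easy for a later edit to keep one guard and lose the other. The logic itself holds: a NULL trans_type makes both halves of the && true, so neither dissect_mailslot_smb() nor dissect_pipe_smb() is called and the body of the if runs. Testing trans_type once before the if, and only then comparing it against "MAILSLOT" and "PIPE", would express the same thing with a single check.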
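Review bot: in the @@ -9993,7 +9993,7 @@ and @@ -10520,7 +10520,7 @@ hunks, the `command &&` guards in dissect_pipe_smb() and dissect_mailslot_smb() need a comment saying that command may legitimately be NULL. The caller passes trans_cmd, which the earlier hunks show is set to NULL whenever no second backslash is found in the transaction name, so this is an expected input and not an error path. The lines after the guarded branch are not shown in either hunk, so any later use of command in these two functions needs the same check.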