From owner-freebsd-ports Thu Dec 9 15:20: 7 1999
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id F090815351 for ; Thu, 9 Dec 1999 15:20:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id PAA73494; Thu, 9 Dec 1999 15:20:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from blaubaer.kn-bremen.de (blaubaer.kn-bremen.de [195.37.179.254]) by hub.freebsd.org (Postfix) with ESMTP id EFF4614F35 for ; Thu, 9 Dec 1999 15:10:35 -0800 (PST) (envelope-from nox@saturn.kn-bremen.de)
Received: from saturn.kn-bremen.de (uucp@localhost) by blaubaer.kn-bremen.de (8.9.1/8.9.1) with UUCP id AAA04179 for FreeBSD-gnats-submit@freebsd.org; Fri, 10 Dec 1999 00:08:02 +0100
Received: (from nox@localhost) by saturn.kn-bremen.de (8.9.3/8.8.5) id XAA06334; Thu, 9 Dec 1999 23:24:57 +0100 (CET)
Message-Id: <199912092224.XAA06334@saturn.kn-bremen.de>
Date: Thu, 9 Dec 1999 23:24:57 +0100 (CET)
From: Juergen Lock
Reply-To: nox@jelal.kn-bremen.de
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: ports/15387: ethereal's packet-smb.c calls str*() functions with NULL pointers
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 15387
>Category: ports
>Synopsis: ethereal's packet-smb.c calls str*() functions with NULL pointers
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 9 15:20:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Juergen Lock
>Release: FreeBSD 3.3-STABLE i386
>Organization: me? organized?
>Environment: 3.3-STABLE i386, gettext-0.10.35, glib-1.2.6, gtk-1.2.6
>Description: ports/net/ethereal's packet-smb.c calls str*() functions with NULL pointers, causing coredumps.
>How-To-Repeat: just try to watch some smb packets, you'll sooner or later stumble across ones that make it die...
>Fix:
--- /dev/null Thu Dec 9 23:18:45 1999 +++ patches/patch-aa Thu Dec 9 23:13:17 1999 
@@ -0,0 +1,49 @@ +Index: packet-smb.c +@@ -9020,14 +9020,14 @@ + guint8 Pad2; + const gchar *Data; + +- TransactNameCopy = g_malloc(strlen(TransactName) + 1); ++ TransactNameCopy = g_malloc(TransactName ? strlen(TransactName) + 1 : 1); + + /* Should check for error here ... */ + +- strcpy(TransactNameCopy, TransactName); ++ strcpy(TransactNameCopy, TransactName ? TransactName : ""); + if (TransactNameCopy[0] == '\\') + trans_type = TransactNameCopy + 1; /* Skip the slash */ +- loc_of_slash = strchr(trans_type, '\\'); ++ loc_of_slash = trans_type ? strchr(trans_type, '\\') : NULL; + if (loc_of_slash) { + index = loc_of_slash - trans_type; /* Make it a real index */ + trans_cmd = trans_type + index + 1; +@@ -9036,9 +9036,9 @@ + else + trans_cmd = NULL; + +- if (((strcmp(trans_type, "MAILSLOT") != 0) || ++ if ((!trans_type || (strcmp(trans_type, "MAILSLOT") != 0) || + !dissect_mailslot_smb(pd, offset, fd, parent, tree, si, max_data, SMB_offset, errcode, dirn, trans_cmd, SMB_offset + DataOffset, DataCount)) && +- ((strcmp(trans_type, "PIPE") != 0) || ++ (!trans_type || (strcmp(trans_type, "PIPE") != 0) || + !dissect_pipe_smb(pd, offset, fd, parent, tree, si, max_data, SMB_offset, errcode, dirn, trans_cmd, DataOffset, DataCount, ParameterOffset, ParameterCount))) { + + if (ParameterCount > 0) { +@@ -9993,7 +9993,7 @@ + dissect_pipe_smb(const u_char *pd, int offset, frame_data *fd, proto_tree *parent, proto_tree *tree, struct smb_info si, int max_data, int SMB_offset, int errcode, int dirn, const u_char *command, int DataOffset, int DataCount, int ParameterOffset, int ParameterCount) + { + +- if (strcmp(command, "LANMAN") == 0) { /* Try to decode a LANMAN */ ++ if (command && strcmp(command, "LANMAN") == 0) { /* Try to decode a LANMAN */ + + return dissect_pipe_lanman(pd, offset, fd, parent, tree, si, max_data, SMB_offset, errcode, dirn, command, DataOffset, DataCount, ParameterOffset, ParameterCount); + +@@ -10520,7 +10520,7 @@ + dissect_mailslot_smb(const u_char *pd, 
int offset, frame_data *fd, proto_tree *parent, proto_tree *tree, struct smb_info si, int max_data, int SMB_offset, int errcode, int dirn, const u_char *command, int DataOffset, int DataCount) + { + +- if (strcmp(command, "BROWSE") == 0) { /* Decode a browse */ ++ if (command && strcmp(command, "BROWSE") == 0) { /* Decode a browse */ + + return dissect_mailslot_browse(pd, offset, fd, parent, tree, si, max_data, SMB_offset, errcode, dirn, command, DataOffset, DataCount); +
>Release-Note:
>Audit-Trail:
>Unformatted:
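
Review bot: in the `@@ -9020,14 +9020,14 @@` hunk, the new `trans_type ? strchr(trans_type, '\\') : NULL` guard only helps if `trans_type` starts out as NULL. The visible lines assign it only when `TransactNameCopy[0] == '\\'`, and with a NULL `TransactName` the copy is the empty string, so that branch is skipped and `trans_type` keeps whatever value its declaration gave it. The declaration is outside the hunk; please confirm it initialises the pointer to NULL, or add an explicit `else trans_type = NULL;`. Separately, the `g_malloc` plus `strcpy` pair could collapse into `g_strdup(TransactName ? TransactName : "")`, so the two NULL checks no longer have to be kept in step.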
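
Review bot: in the `@@ -9036,9 +9036,9 @@` hunk, `!trans_type ||` is repeated in both halves of the `&&`, which makes an already dense condition harder to audit. Testing for a NULL `trans_type` once before the `if`, or wrapping the whole original condition as `!trans_type || (...)`, gives the same result with one check. The context line `trans_cmd = NULL;` also shows that `trans_cmd` can reach both dissectors as NULL, so this hunk is only safe together with the `command &&` guards in the two later hunks; a short comment here saying so would help.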
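
Review bot: in the `@@ -9993,7 +9993,7 @@` hunk, `dissect_pipe_smb` now tolerates a NULL `command`, but nothing documents that NULL is a legal argument. A one-line comment above the test, saying that `command` is NULL when the transaction name has nothing after the separating backslash (the `trans_cmd = NULL` path in the caller), would keep the check from being removed later as redundant. Also, `command` is declared `const u_char *` while `strcmp` takes `const char *`; a cast or a `const char *` parameter would remove the signedness mismatch.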
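
Review bot: in the `@@ -10520,7 +10520,7 @@` hunk, the path taken when `command` is NULL is not visible. The caller tests `!dissect_mailslot_smb(...)` to decide whether to fall through to its `if (ParameterCount > 0)` block, so the function has to return 0 when the `BROWSE` test is skipped. Please confirm the code after this `if` does that (the same question applies to `dissect_pipe_smb`), since otherwise a packet with no command string would get no decode at all.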