Name: Off-by-one and integer overflows in Ethereal 0.9.11
Docid: enpa-sa-00009
Date: May 1, 2003
Versions affected: 0.8.13 to 0.9.11
Severity: High
Description:
It has been discovered that several dissectors were using tvb_get_nstringz() and tvb_get_nstringz0() in an unsafe manner.
In versions 0.9.11 and earlier it is possible to overflow memory buffers by one byte in the AIM, GIOP, Gryphon, OSPF, PPTP, Quake, Quake2, Quake3, Rsync, SMB, SMPP, and TSP dissectors. The Mount and PPP dissectors are susceptible to integer overflows. These problems were discovered by Timo Sirainen.
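An added example, not part of the advisory or of Ethereal's own code, illustrating the safe pattern for both bug classes named above: a bounded string copy that reserves room for the NUL terminator (a hypothetical stand-in for a tvb_get_nstringz0-style helper, with the caller passing sizeof(buf)), and a length check that cannot wrap when the length comes from the packet. SAMPLE_PKT and all function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: a 12-byte name field with no NUL inside it, as a
 * malformed packet could carry. Not taken from the advisory. */
static const uint8_t SAMPLE_PKT[] = "ABCDEFGHIJKL";
#define SAMPLE_LEN 12u  /* exclude the string literal's own NUL */

/* Bounded copy that always leaves the NUL inside the caller's buffer.
 * Hypothetical replacement for a tvb_get_nstringz0-style helper: at most
 * bufsize-1 payload bytes are copied, so the terminator can never land at
 * buf[bufsize] (the off-by-one the advisory describes). Returns the number
 * of payload bytes copied, or -1 if bufsize is 0 or off is past the packet. */
static int copy_nstringz0(const uint8_t *pkt, size_t pkt_len, size_t off,
                          char *buf, size_t bufsize)
{
    size_t i;
    if (bufsize == 0 || off > pkt_len) return -1;
    for (i = 0; i + 1 < bufsize && off + i < pkt_len; i++) {
        if (pkt[off + i] == '\0') break;
        buf[i] = (char)pkt[off + i];
    }
    buf[i] = '\0';            /* i <= bufsize - 1: always in bounds */
    return (int)i;
}

/* Wrap-safe check that a packet-supplied length fits in the remaining bytes.
 * "off + len > pkt_len" can wrap when len is untrusted; comparing len against
 * the remainder cannot. */
static bool length_fits(size_t off, uint32_t len, size_t pkt_len)
{
    if (off > pkt_len) return false;
    return len <= pkt_len - off;
}

/* Example caller: a dissector reading the name field into a fixed buffer,
 * passing the buffer's real size rather than a separate "max length". */
int dissect_name_field(char *out, size_t outsize)
{
    return copy_nstringz0(SAMPLE_PKT, SAMPLE_LEN, 0, out, outsize);
}
```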
All users of Ethereal 0.9.11 and earlier are encouraged to upgrade.
In order to determine which version of Ethereal you have installed, do one of the following:
ethereal -v
or
tethereal -v (the "v" is lowercase).
Impact:
It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file.
Resolution:
Upgrade to 0.9.12.