[Ethereal-dev] 802.11 dissector: rates information element with zero bytes leads to uninitialised me
Bump

---------- Forwarded message ----------
Date: Sun, 25 Dec 2005 17:18:00 +0100 (CET)

Hello list,

From the Debian bug database this bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342588

The rates information element with zero tag length leads to uninitialised memory access, presenting bogus data for the element. The attached patch takes care of that.

Thanx,
Jaap

Index: packet-ieee80211.c
===================================================================
--- packet-ieee80211.c (revision 16893)
+++ packet-ieee80211.c (working copy)
@@ -1380,6 +1380,12 @@
case TAG_SUPP_RATES:
case TAG_EXT_SUPP_RATES:
+ if (tag_len < 1)
+ {
+ proto_tree_add_text (tree, tvb, offset + 2, tag_len, "Tag length %u too short, must be > 0",
+ tag_len);
+ break;
+ }
tag_data_ptr = tvb_get_ptr (tvb, offset + 2, tag_len);
for (i = 0, n = 0; i < tag_len && n < SHORT_STR; i++) {
ret = snprintf (print_buff + n, SHORT_STR - n, "%2.1f%s ",
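Review bot: In the added `tag_len < 1` branch, the `proto_tree_add_text` call is passed `offset + 2` with a length of `tag_len`, which is always 0 on this path, so the warning item covers no bytes in the packet view and points just past the tag header. Anchoring it on the tag's length byte instead (`offset + 1`, length 1) would highlight the field that is actually wrong. Since `tag_len` is printed with `%u` and is therefore unsigned, `tag_len == 0` states the condition more directly than `tag_len < 1`. The placement of the guard is right: with a zero length, the `for (i = 0, n = 0; i < tag_len && n < SHORT_STR; i++)` loop below never writes to `print_buff`, so breaking out before it avoids displaying the unwritten buffer.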