Package: tcpxtract
Version: 1.0.1-5
Severity: important
Tags: patch

When operating on certain pcap files, tcpxtract segfaults after dumping out the
first file. Running it under valgrind shows that some fields of the struct set up
in add_session() are left uninitialized; the attached patch zeroes them out, which
fixes the segfaults.

-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 
'lucid-backports'), (500, 'lucid'), (400, 'lucid-proposed')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36-rc7-hyper1 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_SG.utf8, LC_CTYPE=en_SG.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages tcpxtract depends on:
ii  libc6                  2.11.1-0ubuntu7.2 Embedded GNU C Library: Shared lib
ii  libpcap0.8             1.0.0-6           system interface for user-level pa

tcpxtract recommends no packages.

tcpxtract suggests no packages.

-- no debconf information
--- tcpxtract-1.0.1/sessionlist.c	2005-10-04 22:50:03.000000000 +0800
+++ tcpxtract-1.0.1-new/sessionlist.c	2010-10-11 03:14:18.071445668 +0800
@@ -62,6 +62,10 @@
     (*last_slist)->prev = slist_ptr;
     (*last_slist)->next = NULL;
     (*last_slist)->srchptr_list = NULL;
+    (*last_slist)->extract_list = NULL;
+    (*last_slist)->recording = 0;
+    (*last_slist)->last_recvd = 0;
+    (*last_slist)->last_seqnum = 0;
     return *last_slist;
 }
 
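Review bot: Zeroing four named fields ties the fix to the current layout of the session struct: any field added to it later starts out uninitialized again, and the crash this patch removes comes back in a form that only valgrind finds. Clearing the whole entry once where it is allocated, e.g. `memset(*last_slist, 0, sizeof **last_slist);` directly after the allocation (or allocating it with calloc, if the allocator used here allows that), gives every field a defined value, and the explicit assignments of prev, next and srchptr_list below can stay as they are. The allocation and the head of add_session are outside the hunk, so where exactly the clearing belongs cannot be seen from here.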
--- tcpxtract-1.0.1/tcpxtract.c	2005-10-06 09:44:39.000000000 +0800
+++ tcpxtract-1.0.1-new/tcpxtract.c	2010-10-11 03:03:52.741420701 +0800
@@ -237,7 +237,7 @@
 {
     int c;
     char *capfname = NULL;          /* Capture file for input */
-    char *dev;                      /* Sniffing devise */
+    char *dev = NULL;                      /* Sniffing devise */
     char errbuf[PCAP_ERRBUF_SIZE];  /* Error buffer */
     
     struct bpf_program filter;          /* hold compiled program */
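Review bot: The changed declaration keeps its old padding, so `/* Sniffing devise */` now sits well to the right of the comments on the neighbouring lines. Trimming it to `char *dev = NULL;               /* Sniffing device */` restores the comment column and fixes the spelling while the line is being touched. The initialization itself is fine; the enclosing function starts and ends outside the hunk.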
@@ -283,7 +283,7 @@
             break;
         case 'o':
             if (optarg[strlen(optarg) - 1] != '/') {
-                output_prefix = emalloc(strlen(optarg) + 1);
+                output_prefix = emalloc(strlen(optarg) + 2);
                 strcpy(output_prefix, optarg);
                 output_prefix[strlen(optarg)] = '/';
                 output_prefix[strlen(optarg) + 1] = '\0';
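Review bot: An empty argument (`-o ""`) still reads before the start of optarg on the `if` line just above the resized allocation: strlen(optarg) - 1 wraps to SIZE_MAX, so the comparison touches optarg[-1] before the now correctly sized emalloc(strlen(optarg) + 2) is ever reached. Guarding the condition, `if (optarg[0] == '\0' || optarg[strlen(optarg) - 1] != '/') {`, keeps the following strcpy and the two index stores valid for that case as well (they then produce "/"). strlen(optarg) is also evaluated four times in five lines; a single `size_t len = strlen(optarg);` at the top of the case would read more clearly and remove the repeated scans. The switch and its enclosing function continue outside the hunk.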
