Package: dsniff
Version: 2.4b1+debian-22
Severity: grave
Tags: security

The fix for #609988 was not implemented correctly:

,----[ decode_tds.c ]
| int
| decode_tds(u_char *buf, int len, u_char *obuf, int olen)
| {
|         struct tds_hdr *th;
|         struct tds_login *tl;
|         struct tds7_login *t7l, *myt7l;
|         u_char *user, *pass, *serv;
|         u_short userlen, passlen, servlen;
|         
|         obuf[0] = '\0';
| 
|     if (th->size != 8) {
|            /* wrong header length */
|            return (strlen(obuf));
|     }
| 
|         for (th = (struct tds_hdr *)buf;
|              len > sizeof(*th) && len >= ntohs(th->size);
|              buf += ntohs(th->size), len -= ntohs(th->size)) {
|                 
|                 if (th->type == 2) {
|                         /* Version 4.x, 5.0 */
`----

th is not initialized outside the "for" loop, so uninitialized or
unmapped memory is accessed. This leads to segmentation faults, which
make the program unusable.

This is in part my fault: I only provided a description of where to put
the four lines, instead of a real patch. Since I was already using a
locally patched dsniff package, I never verified whether the problem had
been properly fixed.

This time, I have attached a real patch.

Cheers,
-Hilko

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dsniff depends on:
ii  libc6        2.13-38
ii  libdb5.1     5.1.29-5
ii  libice6      2:1.0.8-2
ii  libnet1      1.1.4-2.1
ii  libnids1.21  1.23-2
ii  libpcap0.8   1.3.0-1
ii  libsm6       2:1.2.1-2
ii  libssl1.0.0  1.0.1e-2
ii  libx11-6     2:1.5.0-1
ii  libxmu6      2:1.1.1-1
ii  openssl      1.0.1e-2

dsniff recommends no packages.

dsniff suggests no packages.

-- no debconf information
--- decode_tds.c.orig	2013-06-18 10:35:34.000000000 +0200
+++ decode_tds.c	2013-06-18 10:37:41.000000000 +0200
@@ -140,15 +140,15 @@
 	
 	obuf[0] = '\0';
 
-    if (th->size != 8) {
-           /* wrong header length */
-           return (strlen(obuf));
-    }
-
 	for (th = (struct tds_hdr *)buf;
 	     len > sizeof(*th) && len >= ntohs(th->size);
 	     buf += ntohs(th->size), len -= ntohs(th->size)) {
 		
+		if (th->size != 8) {
+			/* wrong header length */
+			break;
+		}
+
 		if (th->type == 2) {
 			/* Version 4.x, 5.0 */
 			if (len < sizeof(*th) + sizeof(*tl))
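Review bot: the relocated check `if (th->size != 8)` compares the raw field, while the loop header on the lines just above converts the same field with `ntohs(th->size)` three times; on a little-endian host a wire value of 8 reads as 0x0800 here, so the test does not match what its comment ("wrong header length") says. Use `ntohs(th->size)` in the check as well, and since the loop condition `len >= ntohs(th->size)` still admits a converted size smaller than `sizeof(*th)` (including 0, in which case `buf += ntohs(th->size)` does not advance and the loop never terminates), consider `if (ntohs(th->size) < sizeof(*th)) break;` instead of an equality test against 8. The move itself is the right fix for the crash described in the report: `th` is now dereferenced only after the loop has bound it to `buf` and confirmed `len > sizeof(*th)`. Replacing `return (strlen(obuf))` with `break` is equivalent only if nothing between the loop and the function's return modifies `obuf`; worth confirming against the lines past this hunk.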
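To make the ordering problem concrete, here is an added example (written for this report, not code from dsniff or from the patch above) of a header walk over the same kind of byte stream that reads the header only after the bounds check has passed and refuses sizes smaller than the header, so the cursor always advances. The struct layout and the constant 8 follow the 8-byte header implied by the excerpt; the field names and the `tds_walk` API are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Assumed 8-byte TDS packet header; field names are this example's own. */
struct tds_hdr {
    uint8_t  type;
    uint8_t  last;
    uint16_t size;     /* total packet length including header, big-endian */
    uint16_t channel;
    uint8_t  packet;
    uint8_t  window;
};

#define TDS_HDR_LEN 8

enum tds_walk_status { TDS_OK = 0, TDS_TRUNCATED = 1, TDS_BAD_SIZE = 2 };

/* Walk consecutive packets in buf[0..len). The header is copied out only after
 * the loop has confirmed a whole header is in bounds (the order the report's
 * crash got wrong), and a converted size below the header length is rejected
 * so that buf/len always move forward. */
int tds_walk(const unsigned char *buf, size_t len, size_t *npackets, size_t *nlogin)
{
    struct tds_hdr th;        /* memcpy avoids alignment assumptions on buf */
    size_t count = 0, login = 0;
    int status = TDS_OK;

    while (len > 0) {
        if (len < TDS_HDR_LEN) { status = TDS_TRUNCATED; break; }
        memcpy(&th, buf, TDS_HDR_LEN);
        uint16_t size = ntohs(th.size);           /* convert before comparing */
        if (size < TDS_HDR_LEN) { status = TDS_BAD_SIZE; break; }
        if (size > len)         { status = TDS_TRUNCATED; break; }
        if (th.type == 2) login++;                /* type 2: version 4.x/5.0 login */
        count++;
        buf += size;
        len -= size;
    }
    if (npackets) *npackets = count;
    if (nlogin)   *nlogin = login;
    return status;
}

/* Convenience wrappers returning single values. */
size_t tds_count(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    tds_walk(buf, len, &n, NULL);
    return n;
}

size_t tds_login_count(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    tds_walk(buf, len, NULL, &n);
    return n;
}

/* Constructed sample: a 12-byte type-2 packet followed by an 8-byte type-1 packet. */
static const unsigned char sample_ok[] = {
    0x02, 0x01, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 'u', 's', 'e', 'r',
    0x01, 0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00,
};
/* Constructed sample: header claims 64 bytes but only 10 are present. */
static const unsigned char sample_truncated[] = {
    0x02, 0x01, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 'x', 'y',
};
/* Constructed sample: size field of 0, which stalls a loop that advances by size. */
static const unsigned char sample_zero[] = {
    0x02, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    printf("ok:        status=%d packets=%zu logins=%zu\n",
           tds_walk(sample_ok, sizeof sample_ok, NULL, NULL),
           tds_count(sample_ok, sizeof sample_ok),
           tds_login_count(sample_ok, sizeof sample_ok));
    printf("truncated: status=%d packets=%zu\n",
           tds_walk(sample_truncated, sizeof sample_truncated, NULL, NULL),
           tds_count(sample_truncated, sizeof sample_truncated));
    printf("zero size: status=%d packets=%zu\n",
           tds_walk(sample_zero, sizeof sample_zero, NULL, NULL),
           tds_count(sample_zero, sizeof sample_zero));
    return 0;
}
```

The three checks run in a fixed order on every iteration: enough bytes for a header, converted size at least the header length, converted size within the remaining buffer. Only then is any field used, which is the invariant the report's crash violated by touching `th` before the loop assigned it.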
