Package: tcpslice
Version: 1.2a3-2
Severity: important
Tags: patch
extract_slice() may make use of a freed "states" element if trying to
slice against several tcpdump files where the first tcpdump file is not
included by the timespec the user specified (and then closed and freed).
The call to pcap_dump_open then incorrectly references the first element
of states, a la "dumper = pcap_dump_open(states->p, ...."
Program may exit normally, and work, or not work, or give a pcap error
about linktype -1 being invalid.
electric-fence with the EF_WIPE_FREE option shows this up.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages tcpslice depends on:
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libpcap0.7 0.7.2-7 System interface for user-level pa
tcpslice recommends no packages.
-- no debconf information
diff -ur tcpslice-1.2a3/tcpslice.c ../tcpslice-1.2a3/tcpslice.c
--- tcpslice-1.2a3/tcpslice.c 2005-10-24 15:06:26.000000000 -0700
+++ ../tcpslice-1.2a3/tcpslice.c 2007-11-06 13:50:54.000000000 -0800
@@ -598,6 +598,7 @@
pcap_dumper_t *dumper;
struct timeval temp1, temp2, relative_start, relative_stop;
int i;
+ struct state *statetemplate = NULL;
struct state *last_state; /* remember the last packet */
struct pcap_pkthdr last_hdr; /* in order to remove duplicates */
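Review bot: the new declaration is the only one in this group without a comment, and the name "statetemplate" does not say what it holds; since the neighbouring declarations document themselves inline, add one here too, e.g. `struct state *statetemplate = NULL; /* first input file still open; seeds pcap_dump_open() */`.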
@@ -639,6 +640,10 @@
continue;
}
+ if (statetemplate == NULL) {
+ statetemplate = s;
+ }
+
/*
* sf_find_packet() requires that the time it's passed as
* its last argument be in the range [min_time, max_time],
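Review bot: the assignment sits after the `continue` that skips input files outside the timespec, so it records the first state whose handle is still open, but nothing in the hunk says that this ordering is the whole point; a short comment above the `if` (e.g. `/* first file not skipped above; its handle must outlive this loop */`) would keep a later edit from moving the block ahead of the skip. This is also only safe if no later path in the loop body closes `s`, which the visible context cannot confirm.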
@@ -657,7 +662,7 @@
get_next_packet(s);
}
- dumper = pcap_dump_open(states->p, write_file_name);
+ dumper = pcap_dump_open(statetemplate->p, write_file_name);
if (! dumper) {
error( "error creating output file %s: ",
write_file_name, pcap_geterr( states->p ) );
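Review bot: the error branch two lines below the changed call still reads `pcap_geterr( states->p )`, so on a pcap_dump_open failure it dereferences the same possibly-freed first element this patch is meant to avoid; change it to `pcap_geterr( statetemplate->p )`. Also, when no input file falls inside the timespec, `statetemplate` stays NULL and `statetemplate->p` is a NULL dereference, so a guard such as `if (statetemplate == NULL) error("no input file within the requested time range");` belongs before the call.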