Package: tcptrace
Version: 6.6.7-3
Severity: normal
The http analysis module (in mod_http.c) has several misuses of string
functions; these were producing a corrupt http.times output file with a
particular capture file of mine.
A patch fixing these misuses (which I tracked down using valgrind; with this
patch my output files are no longer corrupt) is attached if I drive reportbug
correctly.
Christophe
-- System Information:
Debian Release: 6.0.1
APT prefers stable
APT policy: (900, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.37+ (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages tcptrace depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libpcap0.8 1.1.1-2 system interface for user-level pa
Versions of packages tcptrace recommends:
ii tcpdump 4.1.1-2csr1 command-line network traffic analy
ii xplot-xplot.org 0.90.7.1-2 fast tool to graph and visualize l
tcptrace suggests no packages.
-- no debconf information
diff -uwr tcptrace-6.6.7/mod_http.c tcptrace-6.6.7-mine//mod_http.c
--- tcptrace-6.6.7/mod_http.c 2003-11-19 14:38:02.000000000 +0000
+++ tcptrace-6.6.7-mine//mod_http.c 2011-04-26 20:57:50.000000000 +0100
@@ -752,12 +752,12 @@
/* this state is now misnamed since we pull out other */
/* headers than just content-length now. */
case (ContentStateFindContentLength): {
- if (strncasecmp(pch, "\r\nContent-Length:", 17) == 0) {
+ if (plast - pch > 17 && strncasecmp(pch, "\r\nContent-Length:", 17) == 0) {
/* Got content-length field, ignore rest of header */
pget->content_length = atoi(&(pch[17]));
- pch += 18;
+ pch += 17;
}
- else if (strncasecmp(pch, "\r\nContent-Type:", 15) == 0) {
+ else if (plast - pch > 15 && strncasecmp(pch, "\r\nContent-Type:", 15) == 0) {
/* Get content-type field, skipping leading spaces */
pch += 15;
while (*pch == ' ') {
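Review bot: The new length guard on the Content-Length test bounds only the strncasecmp; the `atoi(&(pch[17]))` two lines later still scans digits with no upper bound, so a value that runs to the end of the segment can still read past plast, and the same holds for `contentLength = atoi(&pch[17]);` in the `@@ -1061` hunk. A bounded parse would copy at most `plast - pch - 17` bytes (capped to a small fixed-size local array that is NUL-terminated) and apply atoi or strtol to that copy instead of to pch directly. Whether `> 17` is the right threshold or `>= 17` would already suffice depends on whether plast points at the last valid byte or one past it, which is not visible in the hunk and is worth a comment at the first guard, e.g. `/* plast is inclusive: need 17 bytes of header plus at least one byte of value */` if that is the convention. The Content-Type branch's `while (*pch == ' ')` loop is likewise unbounded by plast. The enclosing switch and function extend beyond the hunk on both sides.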
@@ -785,7 +785,7 @@
pget->content_type = strdup(getbuf);
}
- else if (strncmp(pch, "\r\n\r\n", 4) == 0) {
+ else if (plast - pch < 4 || strncmp(pch, "\r\n\r\n", 4) == 0) {
/* No content-length header detected */
/* No increment for pch here, effectively fall through */
/* pget->content_length = 0; */
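Review bot: The guard added to the `\r\n\r\n` test reads `plast - pch < 4 ||` here but `plast - pch > 4 &&` in the `@@ -1061` hunk, so a segment ending within four bytes of pch terminates the header scan in one state machine and keeps scanning in the other, and the `> 4` form rejects an exact four-byte terminator at the buffer end depending on whether plast is inclusive. The two sites should use the same form; if treating a truncated tail as end-of-header is intended, `plast - pch < 4 || strncmp(pch, "\r\n\r\n", 4) == 0` in both places makes that explicit. Whichever is kept, a comment such as `/* fewer than 4 bytes left: header cannot continue, treat as terminated */` would record the decision. The enclosing switch begins before the hunk.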
@@ -913,12 +913,13 @@
int len = strlen(s);
int i = 0;
int j = 0;
- char *buf = (char *)malloc(len);
- char ascii[2];
+ char *buf = (char *)malloc(len+1);
+ char ascii[3];
while (i < len) {
if (s[i] == '%') {
ascii[0] = s[i+1];
ascii[1] = s[i+2];
+ ascii[2] = 0;
buf[j++] = atoi(ascii);
i = i+3;
} else {
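Review bot: `buf[j++] = atoi(ascii);` parses the two escape characters as decimal, so `%20` decodes to 20 rather than 32 and `%2F` to 2; if this routine decodes URL percent-escapes, as the `%` test suggests, the conversion should be `buf[j++] = (char)strtol(ascii, NULL, 16);`. Separately, `s[i+1]` and `s[i+2]` are read whenever `s[i] == '%'`, so a `%` in either of the last two positions of s reads the terminator or beyond it; `if (s[i] == '%' && i + 2 < len) {` closes that. The `len+1` allocation presumes a terminating byte is stored after the loop, which lies outside the hunk, as do the function's signature and its return.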
@@ -1061,12 +1062,12 @@
/* Locate content-length field, if any */
case (GetStateFindContentLength): {
- if (strncasecmp(pch, "\r\nContent-Length:", 17) == 0) {
+ if (plast - pch > 17 && strncasecmp(pch, "\r\nContent-Length:", 17) == 0) {
/* Get content-length field */
contentLength = atoi(&pch[17]);
pch += 17;
}
- else if (strncmp(pch, "\r\n\r\n", 4) == 0) {
+ else if (plast - pch > 4 && strncmp(pch, "\r\n\r\n", 4) == 0) {
/* No content-length header detected, assume */
/* zero. Fall through (effective). */
/* contentLength = 0; */