From Abhik Sarkar via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2647 :

The syslog dissector could crash if the "packlog" MSU is truncated such that the hex string ends in with a nibble. From me: Check if that will happen and chop off the nibble before giving it to convert_string_to_hex() so we'll dissect as much of the MSU as possible. svn path=/trunk/; revision=25612
2008-06-26 20:40:30 +00:00 · 2008-06-26 20:40:30 +00:00 · 9bc8f579a1
parent 72965329b0
commit 9bc8f579a1
1 changed files with 15 additions and 4 deletions
--- a/epan/dissectors/packet-syslog.c
+++ b/epan/dissectors/packet-syslog.c
@ -180,7 +180,7 @@ static dissector_handle_t mtp_handle;
 static tvbuff_t *
 mtp3_msu_present(gint fac, gint level, const char *msg_str)
 {
-  size_t nbytes;
+  size_t nbytes, len;
  gchar **split_string, *msu_hex_dump;
  tvbuff_t *mtp3_tvb = NULL;
  guint8 *byte_array;
@ -198,11 +198,22 @@ mtp3_msu_present(gint fac, gint level, const char *msg_str)
  split_string = g_strsplit(msg_str, "msu=", 2);
  msu_hex_dump = split_string[1];

-  if (msu_hex_dump && strlen(msu_hex_dump)) {
+  if (msu_hex_dump && (len = strlen(msu_hex_dump))) {
+
+    /*  convert_string_to_hex() will return NULL if it gets an incomplete
+     *  byte.  If we have an odd string length then chop off the remaining
+     *  nibble so we can get at least a partial MSU (chances are the
+     *  subdissector will assert out, of course).
+     */
+    if (len % 2)
+	msu_hex_dump[len - 1] = '\0';
+
    byte_array = convert_string_to_hex(msu_hex_dump, &nbytes);

-    mtp3_tvb = tvb_new_real_data(byte_array, nbytes, nbytes);
-    tvb_set_free_cb(mtp3_tvb, g_free);
+    if (byte_array) {
+	mtp3_tvb = tvb_new_real_data(byte_array, nbytes, nbytes);
+	tvb_set_free_cb(mtp3_tvb, g_free);
+    }
  }

  g_strfreev(split_string);