Wireshark-bugs: [Wireshark-bugs] [Bug 4984] Buildbot crash output: fuzz-2010-07-06-23547.pcap
Date: Wed, 7 Jul 2010 08:53:36 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4984

Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jeff.morriss.ws@xxxxxxxxx
         Resolution|                            |FIXED

--- Comment #1 from Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> 2010-07-07 08:53:32 PDT ---
Interesting recursion in packet-ber.c:

Program terminated with signal 11, Segmentation fault.
[New process 14844]
#0 0x00007f98592f618c in ensure_contiguous_no_exception (tvb=0x2f582a0, offset=-117, length=<value optimized out>, exception=<value optimized out>) at tvbuff.c:885
885 if (!check_offset_length_no_exception(tvb->length, tvb->reported_length, offset, length,
#0 0x00007f98592f618c in ensure_contiguous_no_exception (tvb=0x2f582a0, offset=-117, length=<value optimized out>, exception=<value optimized out>) at tvbuff.c:885
#1 0x00007f98592f63be in ensure_contiguous (tvb=0xaa, offset=170, length=-117) at tvbuff.c:920
#2 0x00007f98592f6b4e in tvb_get_guint8 (tvb=0xaa, offset=170) at tvbuff.c:1152
#3 0x00007f98593aa609 in get_ber_identifier (tvb=0xaa, offset=170, class=0xffffff8b <Address 0xffffff8b out of bounds>, pc=0x1, tag=0x7fff5d23e01c) at packet-ber.c:855
#4 0x00007f98593aa7eb in try_get_ber_length (tvb=0x2f582a0, bl_offset=0x7fff5d23e1a0, pc=<value optimized out>, length=0x7fff5d23e1b0, ind=0x7fff5d23e1a4) at packet-ber.c:990
#5 0x00007f98593aa804 in try_get_ber_length (tvb=0x2f582a0, bl_offset=0x7fff5d23e230, pc=<value optimized out>, length=0x7fff5d23e240, ind=0x7fff5d23e234) at packet-ber.c:991
#6 0x00007f98593aa804 in try_get_ber_length (tvb=0x2f582a0, bl_offset=0x7fff5d23e2c0, pc=<value optimized out>, length=0x7fff5d23e2d0, ind=0x7fff5d23e2c4) at packet-ber.c:991
[...]
#87304 0x00007f98593aa804 in try_get_ber_length (tvb=0x2f582a0, bl_offset=0x7fff5de3b3e0, pc=<value optimized out>, length=0x7fff5de3b3f0, ind=0x7fff5de3b3e4) at packet-ber.c:991
#87305 0x00007f98593aa804 in try_get_ber_length (tvb=0x2f582a0, bl_offset=0x7fff5de3b43c, pc=<value optimized out>, length=0x7fff5de3b438, ind=0x7fff5de3b494) at packet-ber.c:991
#87306 0x00007f98593aa8ea in get_ber_length (tvb=0xaa, offset=1, length=0x7fff5de3b498, ind=0xffffff8b) at packet-ber.c:1031
#87307 0x00007f9859afa204 in dissect_snmp (tvb=0x2f582a0, pinfo=0x7fff5de3c070, tree=0x2f57f00) at packet-snmp-template.c:1676

The offset passed to this function cycles thus:

tvb=0x0x161b2a0, offset=1 tvb_length_remaining=170, tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=3 tvb_length_remaining=170, tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=7 tvb_length_remaining=170, tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=-35 tvb_length_remaining=170, tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=-27 tvb_length_remaining=170, tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=1 tvb_length_remaining=170, tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=3 tvb_length_remaining=170, tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=7 tvb_length_remaining=170, tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=-35 tvb_length_remaining=170, tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=-27 tvb_length_remaining=170, tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=1 tvb_length_remaining=170, tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=3 tvb_length_remaining=170, tvb_reported_length_remaining=170

(Apparently negative offsets *are* OK: they mean an offset from the end of the tvb.)

Fixed in 33464 by making sure the offset is positive before recursing.
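Added illustration (not Wireshark's code and not part of the original message): a toy BER-style length walker in C showing how a length field that drives a signed offset negative can make a recursive parser cycle through a buffer whose accessor accepts negative offsets, and how a negative-offset check before recursing stops it. The accessor, function names, error codes, depth cap and both byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
enum { OK = 0, ERR_TRUNC = -1, ERR_OFFSET = -2, ERR_DEPTH = -3, DEPTH_CAP = 1000 };

/* Toy accessor: a negative offset counts back from the end, as noted above. */
static int get_u8(const uint8_t *b, int n, int off) {
    if (off < 0) off += n;
    return (off < 0 || off >= n) ? -1 : b[off];
}

/* Skip one TLV at *off; guard=1 stops once the offset has gone negative. */
static int skip_tlv(const uint8_t *b, int n, int *off, int guard, int depth) {
    if (depth >= DEPTH_CAP) return ERR_DEPTH;   /* stand-in for the stack overflow */
    int tag = get_u8(b, n, (*off)++);
    int l = get_u8(b, n, (*off)++);
    if (tag < 0 || l < 0) return ERR_TRUNC;
    if (l == 0x80) {                            /* indefinite: walk children to 00 00 */
        for (;;) {
            if (*off >= n) return ERR_TRUNC;
            if (guard && *off < 0) return ERR_OFFSET;
            if (!get_u8(b, n, *off) && !get_u8(b, n, *off + 1)) { *off += 2; return OK; }
            int r = skip_tlv(b, n, off, guard, depth + 1);
            if (r != OK) return r;
        }
    }
    uint32_t len = (uint32_t)l;                 /* short form */
    if (l & 0x80) {                             /* long form: up to 4 length octets */
        int cnt = l & 0x7f;
        if (cnt > 4) return ERR_TRUNC;
        for (len = 0; cnt-- > 0; ) {
            int o = get_u8(b, n, (*off)++);
            if (o < 0) return ERR_TRUNC;
            len = (len << 8) | (uint32_t)o;
        }
    }
    *off = (int)((uint32_t)*off + len);         /* huge length wraps the signed offset */
    return OK;
}

/* Constructed inputs for this toy parser only. */
static const uint8_t good[] = { 0x30,0x80, 0x04,0x01,0xAA, 0x00,0x00 };
static const uint8_t cyclic[] = { 0x30,0x80, 0x04,0x84,0xFF,0xFF,0xFF,0xF0,
                                  0x30,0x80, 0x04,0x84,0xFF,0xFF,0xFF,0xF8 };

int main(void) {
    int a = 0, g = 0;
    int ra = skip_tlv(cyclic, 16, &a, 0, 0), rg = skip_tlv(cyclic, 16, &g, 1, 0);
    printf("unguarded=%d guarded=%d (offset %d)\n", ra, rg, g);
    return 0;
}
```

The guard in this toy covers only the negative-offset case; a wrapped length that lands on a smaller non-negative offset would also need a comparison against the previous offset.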