
Wireshark-bugs: [Wireshark-bugs] [Bug 4984] Buildbot crash output: fuzz-2010-07-06-23547.pcap

Date: Wed, 7 Jul 2010 08:53:36 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4984

Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jeff.morriss.ws@xxxxxxxxx
         Resolution|                            |FIXED

--- Comment #1 from Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> 2010-07-07 08:53:32 PDT ---
Interesting recursion in packet-ber.c:

Program terminated with signal 11, Segmentation fault.
[New process 14844]
#0  0x00007f98592f618c in ensure_contiguous_no_exception (tvb=0x2f582a0,
offset=-117, length=<value optimized out>, exception=<value optimized out>) at
tvbuff.c:885
885             if (!check_offset_length_no_exception(tvb->length,
tvb->reported_length, offset, length,
#0  0x00007f98592f618c in ensure_contiguous_no_exception (tvb=0x2f582a0,
offset=-117, length=<value optimized out>, exception=<value optimized out>) at
tvbuff.c:885
#1  0x00007f98592f63be in ensure_contiguous (tvb=0xaa, offset=170, length=-117)
at tvbuff.c:920
#2  0x00007f98592f6b4e in tvb_get_guint8 (tvb=0xaa, offset=170) at
tvbuff.c:1152
#3  0x00007f98593aa609 in get_ber_identifier (tvb=0xaa, offset=170,
class=0xffffff8b <Address 0xffffff8b out of bounds>, pc=0x1,
tag=0x7fff5d23e01c) at packet-ber.c:855
#4  0x00007f98593aa7eb in try_get_ber_length (tvb=0x2f582a0,
bl_offset=0x7fff5d23e1a0, pc=<value optimized out>, length=0x7fff5d23e1b0,
ind=0x7fff5d23e1a4) at packet-ber.c:990
#5  0x00007f98593aa804 in try_get_ber_length (tvb=0x2f582a0,
bl_offset=0x7fff5d23e230, pc=<value optimized out>, length=0x7fff5d23e240,
ind=0x7fff5d23e234) at packet-ber.c:991
#6  0x00007f98593aa804 in try_get_ber_length (tvb=0x2f582a0,
bl_offset=0x7fff5d23e2c0, pc=<value optimized out>, length=0x7fff5d23e2d0,
ind=0x7fff5d23e2c4) at packet-ber.c:991

[...]

#87304 0x00007f98593aa804 in try_get_ber_length (tvb=0x2f582a0,
bl_offset=0x7fff5de3b3e0, pc=<value optimized out>, length=0x7fff5de3b3f0,
ind=0x7fff5de3b3e4) at packet-ber.c:991
#87305 0x00007f98593aa804 in try_get_ber_length (tvb=0x2f582a0,
bl_offset=0x7fff5de3b43c, pc=<value optimized out>, length=0x7fff5de3b438,
ind=0x7fff5de3b494) at packet-ber.c:991
#87306 0x00007f98593aa8ea in get_ber_length (tvb=0xaa, offset=1,
length=0x7fff5de3b498, ind=0xffffff8b) at packet-ber.c:1031
#87307 0x00007f9859afa204 in dissect_snmp (tvb=0x2f582a0, pinfo=0x7fff5de3c070,
tree=0x2f57f00) at packet-snmp-template.c:1676


The offset passed to this function cycles thus:

tvb=0x0x161b2a0, offset=1 tvb_length_remaining=170,
tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=3 tvb_length_remaining=170,
tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=7 tvb_length_remaining=170,
tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=-35 tvb_length_remaining=170,
tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=-27 tvb_length_remaining=170,
tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=1 tvb_length_remaining=170,
tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=3 tvb_length_remaining=170,
tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=7 tvb_length_remaining=170,
tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=-35 tvb_length_remaining=170,
tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=-27 tvb_length_remaining=170,
tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=1 tvb_length_remaining=170,
tvb_reported_length_remaining=170
tvb=0x0x161b2a0, offset=3 tvb_length_remaining=170,
tvb_reported_length_remaining=170


(Apparently negative offsets *are* OK: they mean an offset from the end of the
tvb.)

Fixed in 33464 by making sure the offset is positive before recursing.

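The recursion described in the comment above, as an added example that is not Wireshark code: a cut-down model of try_get_ber_length() in C. The tvb_t type, the BER_* status codes, the one-octet identifier, the signed-length defect and the two input buffers are all constructed for this demo. It shows why a tvb accessor that accepts negative offsets (counting back from the end) turns a crafted length into an offset cycle instead of an exception, so the recursion only ends when the stack is exhausted, and how the fix's check (refuse to recurse on a negative offset) stops it immediately.

```c
/* Added example, not Wireshark code: a cut-down model of the recursion in
 * try_get_ber_length().  Names, buffers and the signed-length defect are
 * constructed for the demo. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const uint8_t *data;
    int            length;
} tvb_t;

enum { BER_OK = 0, BER_ERR_BOUNDS = -1, BER_ERR_NEG_OFFSET = -2, BER_ERR_RUNAWAY = -3 };
#define MAX_DEPTH 64                  /* stand-in for the real stack limit */

/* Mirrors the tvb convention noted in the bug comment: a negative offset is
 * not an error, it counts back from the end of the buffer. */
static bool tvb_get_u8(const tvb_t *tvb, int offset, uint8_t *out)
{
    if (offset < 0)
        offset += tvb->length;
    if (offset < 0 || offset >= tvb->length)
        return false;                 /* real Wireshark throws here */
    *out = tvb->data[offset];
    return true;
}

/* Size of a BER length field plus its contents, starting at `offset` (the
 * first length octet).  Indefinite form (0x80) walks the nested elements and
 * recurses into each one's length, as packet-ber.c does.  `guard` enables the
 * check from the fix: do not recurse on a negative offset. */
static int try_get_ber_length(const tvb_t *tvb, int offset, int32_t *len,
                              bool guard, int depth)
{
    uint8_t b;

    if (depth > MAX_DEPTH)
        return BER_ERR_RUNAWAY;       /* the SIGSEGV from stack exhaustion */
    if (guard && offset < 0)
        return BER_ERR_NEG_OFFSET;
    if (!tvb_get_u8(tvb, offset, &b))
        return BER_ERR_BOUNDS;

    if (b < 0x80) {                   /* short definite form */
        *len = 1 + b;
        return BER_OK;
    }

    if (b == 0x80) {                  /* indefinite form: scan to end-of-contents */
        int pos = offset + 1;
        for (;;) {
            uint8_t tag, next;
            int32_t inner;
            int rc;
            if (!tvb_get_u8(tvb, pos, &tag))
                return BER_ERR_BOUNDS;
            if (tag == 0x00 && tvb_get_u8(tvb, pos + 1, &next) && next == 0x00) {
                *len = pos + 2 - offset;   /* length octet + contents + EOC */
                return BER_OK;
            }
            /* identifier is one octet in this model; recurse for its length */
            rc = try_get_ber_length(tvb, pos + 1, &inner, guard, depth + 1);
            if (rc != BER_OK)
                return rc;
            pos += 1 + inner;         /* a negative `inner` walks backwards */
        }
    }

    /* long definite form: (b & 0x7f) octets of big-endian length */
    {
        int n = b & 0x7f;
        uint32_t value = 0;
        if (n == 0 || n > 4)
            return BER_ERR_BOUNDS;
        for (int i = 1; i <= n; i++) {
            uint8_t o;
            if (!tvb_get_u8(tvb, offset + i, &o))
                return BER_ERR_BOUNDS;
            value = (value << 8) | o;
        }
        /* Constructed defect: the 32-bit length lands in a signed int, so a
         * crafted 0xFFFFFFF4 becomes -12 and the caller's offset goes negative. */
        *len = 1 + n + (int32_t)value;
        return BER_OK;
    }
}

/* Constructed inputs.  sane_pdu is a valid indefinite-length SEQUENCE holding
 * one OCTET STRING.  looping_pdu is crafted so the inner long-form length is
 * -12: the offsets handed to try_get_ber_length cycle 1, 3, 5, -1, 1, 3, ...
 * and the recursion is deeper on every lap. */
static const uint8_t sane_pdu[8] = {
    0x30, 0x80, 0x04, 0x02, 0xAA, 0xBB, 0x00, 0x00
};
static const uint8_t looping_pdu[16] = {
    0x30, 0x80, 0x30, 0x80, 0x04, 0x84, 0xFF, 0xFF,
    0xFF, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x30, 0x80
};

/* Walks the outermost length (offset 1) and returns the BER_* status. */
int walk_outer_length(const uint8_t *data, int length, bool guard, int32_t *len)
{
    tvb_t tvb = { data, length };
    *len = 0;
    return try_get_ber_length(&tvb, 1, len, guard, 0);
}

int main(void)
{
    int32_t n;
    int rc = walk_outer_length(sane_pdu, sizeof sane_pdu, false, &n);
    printf("sane pdu:  rc=%d len=%d\n", rc, n);
    rc = walk_outer_length(looping_pdu, sizeof looping_pdu, false, &n);
    printf("unguarded: rc=%d (runaway recursion)\n", rc);
    rc = walk_outer_length(looping_pdu, sizeof looping_pdu, true, &n);
    printf("guarded:   rc=%d (negative offset rejected)\n", rc);
    return 0;
}
```

The point for anyone auditing a dissector: bounds checks that happen inside the accessor do not help here, because every offset in the cycle is a legal one once negative values are read as "from the end". The check has to sit in the caller, before the recursive call, and a nesting-depth cap is a cheap second line of defence against any other way of making the walk loop.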