https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3378
Bill Meier <wmeier@xxxxxxxxxxx> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #4390|review_for_checkin+ |review_for_checkin-
Flag| |
--- Comment #22 from Bill Meier <wmeier@xxxxxxxxxxx> 2010-03-17 14:24:06 PDT ---
(From update of attachment 4390)
Altho I committed the patch I've now reverted it.
There is a compile error (on one of the *nix compilers) to the effect that
"ti_loc" is used when possibly unitialized in the case PARAM_LOCATOR: code in
dissect_hip_tlv.
Looking at the code a bit I see that even if ti_loc is initialized to NULL
under the 'while (tlv_len > 0)', it appears to me that the code will loop if
there's an unexpected/invalid value in the locator_type field.
Did you fuzz-test this patch with a capture which contains a LOCATOR type TLV ?
I suggest looping thru the (sub)tlv's in the LOCATOR parameter advancing by (8
+ the length given in the sub-tlv) so even if there's an unexpected/garbage
locator type/length, you'll always at least advance the pointers so that
eventually there'll be an exception if something is garbage.
--------
On a separate note:
case PARAM_HOST_ID: has
if (type != PARAM_ENCRYPTED)
This seems not useful since (presumably) we can only get to this case if
type==PARAM_HOST_ID.
Please review and submit an updated patch.
Thanks
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
