Wireshark-bugs: [Wireshark-bugs] [Bug 6491] Buildbot crash output: fuzz-2011-10-26-3561.pcap

Date: Wed, 26 Oct 2011 18:29:24 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6491

--- Comment #8 from Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> 2011-10-26 18:29:23 PDT ---
It looks like it's reading past the end of the mr_mult_req_info_t structure:

#2  0x00007f506dc0387e in dissect_cip_multiple_service_packet_rsp (tvb=0x2e9cd80, pinfo=0x7fff1344fa60, tree=0x7f5070624cc0, item=0x7f5070624cc0, offset=4)
    at packet-cip.c:3573
3573             dissect_cip_data( mult_serv_tree, next_tvb, 0, pinfo, mr_single_req_info );
(gdb) print mr_single_req_info
$20 = (cip_req_info_t *) 0x7f5066d1f9f0
(gdb) print *mr_single_req_info
$21 = {dissector = 0x0, bService = 0 '\000', IOILen = 0, pIOI = 0x0, pData = 0x0, ciaData = 0xbaddcafebaddcafe}
(gdb) print i
$22 = 5
(gdb) print mr_mult_req_info->requests
$23 = (cip_req_info_t *) 0x7f5066d1f928
(gdb) print mr_mult_req_info->requests[0]
$24 = {dissector = 0x0, bService = 3 '\003', IOILen = 2, pIOI = 0x7f5066d1fae0, pData = 0x0, ciaData = 0x7f5066d1fe20}
(gdb) print mr_mult_req_info->requests[1]
$25 = {dissector = 0x0, bService = 3 '\003', IOILen = 2, pIOI = 0x7f5066d1fb58, pData = 0x0, ciaData = 0x7f5066d1fe80}
(gdb) print mr_mult_req_info->requests[2]
$26 = {dissector = 0x0, bService = 3 '\003', IOILen = 2, pIOI = 0x7f5066d1fbd0, pData = 0x0, ciaData = 0x7f5066d1fee0}
(gdb) print mr_mult_req_info->requests[3]
$27 = {dissector = 0x0, bService = 3 '\003', IOILen = 3, pIOI = 0x7f5066d1fc48, pData = 0x0, ciaData = 0x7f5066d1ff40}
(gdb) print mr_mult_req_info->requests[4]
$28 = {dissector = 0x0, bService = 3 '\003', IOILen = 2, pIOI = 0x7f5066d1fcc0, pData = 0x0, ciaData = 0x7f5066d1ffa0}
(gdb) print mr_mult_req_info->requests[5] <<< only the first 5 entries appear to be valid, but i==5 so it's using the 6th entry.
$29 = {dissector = 0x0, bService = 0 '\000', IOILen = 0, pIOI = 0x0, pData = 0x0, ciaData = 0xbaddcafebaddcafe}
(gdb) print num_services
$30 = 9  <<< the packet says there are 9 entries in there...
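
An added example (not part of the original comment and not Wireshark's code) of the check the gdb session above points to: the service count in the response (9) is bounded by the number of request entries that were actually saved (5) before `requests[i]` is read. The struct layouts are simplified stand-ins, and the `stored_count` field and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified stand-ins for the structures seen in the gdb output;
 * these are not Wireshark's definitions. */
typedef struct {
    uint8_t bService;
    int     IOILen;
} req_info_t;

typedef struct {
    size_t      stored_count;  /* hypothetical field: entries saved from the request */
    req_info_t *requests;
} mult_req_info_t;

/* Return the saved request for response service i, or NULL when the
 * response claims more services than the request recorded. */
static const req_info_t *lookup_request(const mult_req_info_t *info, size_t i)
{
    if (info == NULL || info->requests == NULL || i >= info->stored_count)
        return NULL;
    return &info->requests[i];
}

/* Walk a response that claims num_services entries and count how many
 * could be matched to a saved request without leaving the array. */
static size_t match_services(const mult_req_info_t *info, size_t num_services)
{
    size_t matched = 0;
    for (size_t i = 0; i < num_services; i++) {
        if (lookup_request(info, i) != NULL)
            matched++;  /* safe to dissect with request context */
        /* otherwise: dissect this service with no request context */
    }
    return matched;
}

/* Constructed case mirroring the report: 5 saved requests, response says 9. */
static size_t demo(void)
{
    req_info_t reqs[5] = { {3, 2}, {3, 2}, {3, 2}, {3, 3}, {3, 2} };
    mult_req_info_t info = { 5, reqs };
    return match_services(&info, 9);
}

int main(void) { return demo() == 5 ? EXIT_SUCCESS : EXIT_FAILURE; }
```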
