Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 7210] Buildbot crash output: fuzz-2012-04-27-376.pcap

Date Prev · Date Next · Thread Prev · Thread Next
Date: Tue, 1 May 2012 08:13:40 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7210

--- Comment #7 from Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> 2012-05-01 08:13:39 PDT ---
(In reply to comment #5)
> (In reply to comment #4)
> > (In reply to comment #3)
> > > "Exception Occurred" means the dissector did crash
> > 
> > No, it means that the dissector called a tvbuff routine to fetch some data and
> > the data wasn't actually present in the tvbuff; this either means
> > 
> >     1) the dissector is attempting to fetch data that is legitimately not
> > there, which is a dissector bug;
> 
> Yes.
> 
> >     2) the dissector is attempting to fetch data that is supposed to be there,
> > but that isn't there in the packet, which is *not* a dissector bug, it's a
> > malformed packet;
> 
> Most of the time (in my experience) this is due to the dissector not validating
> a length field, in which case it is more correct for the dissector to validate
> the field against tvb_reported_length() or tvb_reported_length_remaining(), add
> an expert info to the actual malformed field, and continue on to dissect as
> much of the rest of the packet as it can.

FWIW, I tend to dislike dissectors that do that.  In my mind, simple is better
when it comes to dissectors: just dissect your stuff and if you go off the end
of a TVB, throw an exception and be done with it.  It does mean that exceptions
mean dissection stops, but, well...  Such is the price for (dramatically?)
simpler dissectors.  (Obviously there are some cases where doing your own
length checking can be beneficial.)

But that's just my opinion (though come to think of it I think I may have
rejected--or at least refused to check in--a new dissector that was doing "too
much" length checking).

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.