
Wireshark-bugs: [Wireshark-bugs] [Bug 8111] DTLS dissector crash

Date: Fri, 21 Dec 2012 20:39:08 +0000

changed bug 8111

What            Removed        Added
Status          UNCONFIRMED    CONFIRMED
CC                             [email protected]
Ever confirmed                 1

Comment # 4 on bug 8111 from
It crashes regularly for me using the test-fuzzed-cap.sh script.

It would appear that the problem is that the DTLS dissector calls
fragment_set_tot_len() to set the length of the reassembled packet and the
reassembly routines a) trust that and b) don't verify it when they set
FD_DEFRAGMENTED (i.e., when the reassembly is done).  The crash happens when
another frame arrives which is part of the reassembled message and its offset
is a) within bounds of the length specified in fragment_set_tot_len() but b)
outside of the bounds of what was actually reassembled.

Actually I think the problem is not specific to dissectors which call
fragment_set_tot_len() but I could be wrong.

Not sure if/when I'll have time to look deeper into this.
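The length mismatch described in comment 4, as a constructed C model added here rather than Wireshark's own reassembly code: the names `reasm_t`, `reasm_finish_checked`, `in_assembled_bounds` and the sample lengths (declared 60, assembled 40, late fragment at offset 50) are assumptions used only to show why a bounds check against the declared total is not enough.

```c
#include <stddef.h>

/* Constructed model of the failure mode in comment 4 (not Wireshark's
 * reassembly code): the dissector declares a total length, the reassembly
 * layer trusts it when setting the defragmented flag, and a late fragment
 * is then bounds-checked against that declared length, not assembled bytes. */
typedef struct {
    size_t declared_len;  /* analogue of the fragment_set_tot_len() value */
    size_t assembled_len; /* end of the highest fragment really received */
    int defragmented;     /* analogue of FD_DEFRAGMENTED */
} reasm_t;

/* Record a fragment covering [off, off+len). */
void reasm_add(reasm_t *r, size_t off, size_t len) {
    if (off + len > r->assembled_len) r->assembled_len = off + len;
}

/* Trusting finish (the bug): flag set without comparing the two lengths. */
void reasm_finish_trusting(reasm_t *r) { r->defragmented = 1; }

/* Checked finish: refuse completion while assembled bytes != declared total. */
int reasm_finish_checked(reasm_t *r) {
    if (r->assembled_len != r->declared_len) return 0;
    r->defragmented = 1;
    return 1;
}

/* Bounds test as the comment describes it: against the declared total. */
int in_declared_bounds(const reasm_t *r, size_t off, size_t len) {
    return off < r->declared_len && len <= r->declared_len - off;
}
/* Bounds test against what was actually reassembled. */
int in_assembled_bounds(const reasm_t *r, size_t off, size_t len) {
    return off < r->assembled_len && len <= r->assembled_len - off;
}

/* Replay the scenario: declared 60, fragments cover 0..39, late fragment 50..57.
 * Returns flags: 1 declared check accepts, 2 assembled check rejects,
 * 4 checked finish refused; 7 means the model reproduces the comment. */
int demo_scenario(void) {
    reasm_t r = {60, 0, 0};  /* constructed: dissector claims 60 bytes */
    int flags = 0;
    reasm_add(&r, 0, 20);
    reasm_add(&r, 20, 20);
    if (!reasm_finish_checked(&r)) flags |= 4;
    reasm_finish_trusting(&r); /* the buggy path marks it done anyway */
    if (in_declared_bounds(&r, 50, 8)) flags |= 1;
    if (!in_assembled_bounds(&r, 50, 8)) flags |= 2;
    return flags;
}
```

A late fragment that passes `in_declared_bounds` but fails `in_assembled_bounds` is exactly the case the comment describes, so the second check (or refusing to set the flag until the lengths agree) is what a fix needs to enforce.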
