On Tuesday, August 26, 2003, at 7:21 AM, Yaniv Kaul wrote:
While trying to load a large capture (~90MB), Ethereal 0.9.13 and
0.9.14, on Linux, crashed consistently.
Running from GDB, attached is the stack. I hope someone will find it
helpful.
Due to the large size of the file, I can't send it over...
#5 0x0835e1a3 in ensure_contiguous (tvb=0x9adf0f0, offset=180, length=-773173232) at tvbuff.c:898
#6 0x0835efb1 in tvb_bytes_to_str (tvb=0x9adf0f0, offset=5072308, len=0) at tvbuff.c:2139
#7 0x081ea4fe in dissect_fhandle_data_unknown (tvb=0x9adf0f0, offset=180, tree=0x0, fhlen=-773173232) at packet-nfs.c:1368
#8 0x081ea621 in dissect_fhandle_data (tvb=0x9adf0f0, offset=180, pinfo=0xa729148, tree=0x0, fhlen=3521794064, hidden=0) at packet-nfs.c:1538
"dissect_fhandle_data_unknown()" treats "fhlen" as signed, rather than
unsigned, which means that a value > 2^31-1 could confuse it very
badly, causing it to pass that length through to "tvb_bytes_to_str()",
which would pass it through to "ensure_contiguous()", at which point
chaos ensues due to the length being negative.
There might be some *other* problem, as a file handle length of
3521794064 seems a bit extreme, but the attached patch, which I've
checked in, should at least clear up that particular crash.
Index: packet-nfs.c
===================================================================
RCS file: /cvsroot/ethereal/packet-nfs.c,v
retrieving revision 1.91
diff -c -r1.91 packet-nfs.c
*** packet-nfs.c 17 Aug 2003 21:34:22 -0000 1.91
--- packet-nfs.c 27 Aug 2003 23:47:39 -0000
***************
*** 1353,1362 ****
static void
dissect_fhandle_data_unknown(tvbuff_t *tvb, int offset, proto_tree *tree,
! int fhlen)
{
! int sublen;
! int bytes_left;
gboolean first_line;
bytes_left = fhlen;
--- 1353,1362 ----
static void
dissect_fhandle_data_unknown(tvbuff_t *tvb, int offset, proto_tree *tree,
! guint fhlen)
{
! guint sublen;
! guint bytes_left;
gboolean first_line;
bytes_left = fhlen;
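Review bot: switching fhlen, sublen and bytes_left to guint removes the negative-length path, but the hunk still copies the raw on-the-wire length straight into bytes_left with no upper bound; the backtrace shows the caller in frame #8 arriving here with fhlen=3521794064, so a check of fhlen against the bytes remaining in tvb before "bytes_left = fhlen;" would let a bogus handle length be reported as malformed at this layer instead of relying on the lower layers to catch it. Two follow-ups worth confirming outside the shown lines: that the prototype of dissect_fhandle_data_unknown() and the parameter dissect_fhandle_data() passes were updated to match the new guint signature, and that no later arithmetic on the now-unsigned bytes_left or sublen (for example a comparison of "bytes_left - sublen" against 0) was relying on the value going negative.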
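The signed-length problem described in the reply, as an added example that is not Ethereal's code and not part of the patch above: the handle length from the backtrace (3521794064) is pushed through an int parameter the way the pre-patch signature did, which yields the -773173232 seen in frame #5, and a naive "offset + length <= capture_len" check is put beside an unsigned, overflow-safe one. CAPTURE_LEN and the helper names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the number of bytes a dissector may touch in a
 * captured frame. Hypothetical value; not taken from Ethereal's tvbuff. */
#define CAPTURE_LEN 5072488u

/* The file-handle length as it arrives off the wire: a 32-bit unsigned
 * quantity. This is the value reported in frame #8 of the backtrace. */
static const uint32_t WIRE_FHLEN = 3521794064u;

/* What the pre-patch 'int fhlen' parameter did implicitly: reinterpret the
 * unsigned wire value as a signed int. For values above INT_MAX this gives a
 * negative number (modulo 2^32 on every two's-complement compiler). */
int as_signed(uint32_t v) {
    return (int)v;
}

/* "Before": a range check written against a signed length. A negative
 * length makes offset + length smaller than offset, so the check passes and
 * the caller goes on to read with a length that is really ~3.5 GB. */
bool range_check_signed(int offset, int length, int capture_len) {
    return offset + length <= capture_len;
}

/* "After": length is unsigned and the check is phrased as "does the length
 * fit in the space remaining", which cannot wrap around for a large length
 * the way computing offset + length could. */
bool range_check_unsigned(unsigned offset, unsigned length, unsigned capture_len) {
    if (offset > capture_len)
        return false;
    return length <= capture_len - offset;
}

int main(void) {
    int fhlen = as_signed(WIRE_FHLEN);
    printf("wire fhlen %u seen through int: %d\n", WIRE_FHLEN, fhlen);
    printf("signed check at offset 180 passes:   %d\n",
           range_check_signed(180, fhlen, (int)CAPTURE_LEN));
    printf("unsigned check at offset 180 passes: %d\n",
           range_check_unsigned(180u, WIRE_FHLEN, CAPTURE_LEN));
    return 0;
}
```

The signed check accepts the bogus length and the unsigned one rejects it; the patch's type change is what moves the dissector from the first behaviour to the second, and an explicit "remaining bytes" comparison like range_check_unsigned is the check a dissector can add on top so the malformed handle is reported at the point it is parsed.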