Gerald Combs wrote:
The capture referenced by bug 72
(http://bugs.ethereal.com/bugzilla/show_bug.cgi?id=72) triggers a
segmentation fault in the reassembly code, apparently due to packet-fc.c
passing a too-large offset value to fragment_add(). Should this be
fixed in packet-fc.c or reassemble.c?
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev
Please consider my already-applied patch for reassemble.c, which can be
seen at http://www.ethereal.com/lists/ethereal-dev/200504/msg00300.html
This fixes a segv problem and informs the user of the incorrectly
decoded frame number.
Index: I:/ethereal-win32-libs/epan/reassemble.c
===================================================================
--- I:/ethereal-win32-libs/epan/reassemble.c (revision 14082)
+++ I:/ethereal-win32-libs/epan/reassemble.c (working copy)
@@ -726,12 +726,20 @@
/* dfpos is always >= than fd_i->offset */
/* No gaps can exist here, max_loop(above) does this */
if( fd_i->offset+fd_i->len > dfpos )
- memcpy(fd_head->data+dfpos, fd_i->data+(dfpos-fd_i->offset),
- fd_i->len-(dfpos-fd_i->offset));
- if( fd_i->flags & FD_NOT_MALLOCED )
- fd_i->flags ^= FD_NOT_MALLOCED;
- else
- g_free(fd_i->data);
+ {
+ if( !(fd_i->flags & FD_NOT_MALLOCED) )
+ {
+ memcpy(fd_head->data+dfpos, fd_i->data+(dfpos-fd_i->offset),
+ fd_i->len-(dfpos-fd_i->offset));
+ g_free(fd_i->data);
+ }
+ else
+ {
+ g_warning("Reassemble error in frame %d", pinfo->fd->num);
+ fd_i->flags ^= FD_NOT_MALLOCED;
+ }
+ }
+
fd_i->data=NULL;
dfpos=MAX(dfpos,(fd_i->offset+fd_i->len));
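Review bot: gating the memcpy on !(fd_i->flags & FD_NOT_MALLOCED) does not address the fault Gerald described (a too-large offset coming from packet-fc.c) and changes behaviour for legitimate fragments. In the removed lines the flag only decided whether fd_i->data was g_free'd; every fragment was copied into fd_head->data. After this change a non-malloced fragment is no longer copied at all, so its bytes are silently missing from the reassembled buffer (with a warning attributing an error to it), while a malloced fragment with a bad offset still reaches the unchecked `memcpy(fd_head->data+dfpos, fd_i->data+(dfpos-fd_i->offset), fd_i->len-(dfpos-fd_i->offset))`, where dfpos < fd_i->offset makes dfpos-fd_i->offset wrap. Suggest keeping the copy and free logic as it was and instead checking, before the memcpy, that fd_i->offset <= dfpos and that dfpos plus the bytes to be copied does not exceed the length fd_head->data was allocated with; on failure emit the g_warning with the frame number and skip the copy rather than reinterpreting the ownership flag.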
/ Peter
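The following is an added illustration for this thread, not code from Ethereal's reassemble.c or packet-fc.c: a minimal in-order fragment merge modelled on the memcpy loop in the hunk above, with the bounds check that stops a too-large fragment offset or length from reaching the copy. The struct, function and sample fragment names are made up, the fragment list is assumed to already be sorted by offset (as reassemble.c does before its copy loop), and the "fragmented!" payload is constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fragment record (not Ethereal's fragment_data). */
struct frag {
    uint32_t offset;        /* position of this fragment in the PDU */
    uint32_t len;           /* number of bytes at data */
    const uint8_t *data;
};

enum { REASM_OOB = -1, REASM_GAP = -2 };

/* Copy fragments, sorted by offset, into out[datalen]. Returns the number
 * of bytes assembled (>= 0, datalen is assumed to fit in int), REASM_OOB
 * if a fragment would land outside out[], or REASM_GAP if a fragment
 * starts beyond the data copied so far. On error *bad receives the index
 * of the offending fragment. Overlaps are handled like the hunk's loop:
 * only the part past dfpos is copied. */
int reassemble(uint8_t *out, uint32_t datalen,
               const struct frag *frags, size_t nfrags, size_t *bad)
{
    uint32_t dfpos = 0;   /* bytes of out[] filled so far */
    for (size_t i = 0; i < nfrags; i++) {
        const struct frag *f = &frags[i];
        /* Check before forming offset+len so a huge len cannot wrap. */
        if (f->offset > datalen || f->len > datalen - f->offset) {
            if (bad) *bad = i;
            return REASM_OOB;
        }
        if (f->offset > dfpos) {             /* hole in the data */
            if (bad) *bad = i;
            return REASM_GAP;
        }
        if (f->offset + f->len > dfpos) {    /* fragment adds new bytes */
            uint32_t skip = dfpos - f->offset;   /* overlap already copied */
            memcpy(out + dfpos, f->data + skip, f->len - skip);
            dfpos = f->offset + f->len;
        }
    }
    return (int)dfpos;
}

/* Constructed sample: the 11-byte PDU "fragmented!" in overlapping pieces. */
static const uint8_t P0[] = { 'f', 'r', 'a', 'g' };
static const uint8_t P1[] = { 'a', 'g', 'm', 'e', 'n', 't' };
static const uint8_t P2[] = { 'e', 'd', '!' };

/* Well-formed input: returns 11 and fills out[] with "fragmented!". */
int demo_ok(uint8_t out[11])
{
    const struct frag frags[] = { {0, 4, P0}, {2, 6, P1}, {8, 3, P2} };
    return reassemble(out, 11, frags, 3, NULL);
}

/* Second fragment carries an absurd offset, the shape of input that makes
 * an unchecked dfpos - offset wrap and the memcpy index far outside both
 * buffers. Here it is rejected before any copy. */
int demo_bad_offset(size_t *bad)
{
    uint8_t out[11];
    const struct frag frags[] = { {0, 4, P0}, {0xFFFFFFF0u, 6, P1} };
    return reassemble(out, 11, frags, 2, bad);
}

/* Offset is in range but offset+len would wrap past 32 bits. */
int demo_bad_len(size_t *bad)
{
    uint8_t out[11];
    const struct frag frags[] = { {0, 4, P0}, {4, 0xFFFFFFFCu, P1} };
    return reassemble(out, 11, frags, 2, bad);
}

int main(void)
{
    uint8_t buf[11];
    size_t bad = 0;
    int n = demo_ok(buf);
    printf("ok: %d bytes: %.*s\n", n, n, (const char *)buf);
    printf("bad offset: status %d at fragment %zu\n", demo_bad_offset(&bad), bad);
    printf("bad len:    status %d at fragment %zu\n", demo_bad_len(&bad), bad);
    return 0;
}
```

The check is done against the size the destination buffer was allocated with, and it is evaluated as `len > datalen - offset` rather than `offset + len > datalen` so that a 32-bit wrap in the sum cannot slip a bad fragment past it; which of packet-fc.c or reassemble.c should own that check is the question the thread raises, but the reassembly side is where the memcpy lives, so it is the last place the value can be validated.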