Wireshark-bugs: [Wireshark-bugs] [Bug 1737] New: emem_tree_lookup32_array can alter the key
Date: Sun, 12 Aug 2007 14:33:06 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1737

           Summary: emem_tree_lookup32_array can alter the key
           Product: Wireshark
           Version: SVN
          Platform: Macintosh
        OS/Version: Mac OS X 10.0
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: luis.ontanon@xxxxxxxxx


Build Information:
wireshark 0.99.7

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.7, with GLib 2.12.7, with libpcap 0.9.4, with libz
1.2.3, with libpcre 7.0, with Net-SNMP 5.4, with ADNS, with Lua 5.1, with
GnuTLS
1.4.1, with Gcrypt 1.2.2, without Kerberos, with PortAudio PortAudio V19-devel,
without AirPcap.

Running on Darwin 8.10.0, with libpcap version 0.9.4.

Built using gcc 4.0.0 20041026 (Apple Computer, Inc. build 4061).

found in revision 22486


--
/* after few "odd" lookups and insertions emem_tree_lookup32_array ends up
"corrupting" the key */

/* the following snipplet reproduces the bug */

static emem_tree_t* tree;

void lookup_n_insert( guint32 len, guint32 ints[] ) {
        guint32 x = len;
        emem_tree_key_t key[] = {
                {1,&x},
                {x,(ints)},
                {0,NULL}
        };

        printf("\nbefore lookup key[0].length=%u, key[0].key[0]=%u, 
key[1].length=%u, key[1].key=%u %u %u
%u\n",key[0].length,key[0].key[0],key[1].length,key[1].key[0],key[1].key[1],key[1].key[2],key[1].key[3]);

        emem_tree_lookup32_array(tree,key);

        printf("after lookup key[0].length=%u, key[0].key[0]=%u, 
key[1].length=%u, key[1].key=%u %u %u
%u\n",key[0].length,key[0].key[0],key[1].length,key[1].key[0],key[1].key[1],key[1].key[2],key[1].key[3]);

        emem_tree_insert32_array(tree,key,key);

        printf("after insert key[0].length=%u, key[0].key[0]=%u, 
key[1].length=%u, key[1].key=%u %u %u
%u\n",key[0].length,key[0].key[0],key[1].length,key[1].key[0],key[1].key[1],key[1].key[2],key[1].key[3]);
}                       

void watch_bug(void) {
        guint32 k1[] = {1,2,1,1};
        guint32 k2[] = {1,2,1,2};
        guint32 k3[] = {1,2,1,3};

        tree = pe_tree_create(EMEM_TREE_TYPE_RED_BLACK, "foo-bar");
        lookup_n_insert(4,k1);
        lookup_n_insert(4,k2);
        lookup_n_insert(4,k3);
}


/*

this is the output I get:




before lookup key[0].length=1, key[0].key[0]=4,  key[1].length=4, key[1].key=1
2 1 1
after lookup key[0].length=1, key[0].key[0]=4,  key[1].length=4, key[1].key=1 2
1 1
after insert key[0].length=1, key[0].key[0]=4,  key[1].length=1, key[1].key=1 1
2 1

before lookup key[0].length=1, key[0].key[0]=4,  key[1].length=4, key[1].key=1
2 1 2
after lookup key[0].length=1, key[0].key[0]=4,  key[1].length=1, key[1].key=2 1
2 1
after insert key[0].length=1, key[0].key[0]=4,  key[1].length=1, key[1].key=2 1
2 1

before lookup key[0].length=1, key[0].key[0]=4,  key[1].length=4, key[1].key=1
2 1 3
after lookup key[0].length=1, key[0].key[0]=4,  key[1].length=1, key[1].key=3 0
17091736 3221223216
after insert key[0].length=1, key[0].key[0]=4,  key[1].length=1, key[1].key=3 0
17091736 3221223216
*/


IMHO we should constify the key in tree calls.


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.