Wireshark-bugs: [Wireshark-bugs] [Bug 1737] New: emem_tree_lookup32_array can alter the key
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1737
Summary: emem_tree_lookup32_array can alter the key
Product: Wireshark
Version: SVN
Platform: Macintosh
OS/Version: Mac OS X 10.0
Status: NEW
Severity: Normal
Priority: Low
Component: TShark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: luis.ontanon@xxxxxxxxx
Build Information:
wireshark 0.99.7
Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.10.7, with GLib 2.12.7, with libpcap 0.9.4, with libz
1.2.3, with libpcre 7.0, with Net-SNMP 5.4, with ADNS, with Lua 5.1, with
GnuTLS 1.4.1, with Gcrypt 1.2.2, without Kerberos, with PortAudio PortAudio
V19-devel, without AirPcap.
Running on Darwin 8.10.0, with libpcap version 0.9.4.
Built using gcc 4.0.0 20041026 (Apple Computer, Inc. build 4061).
found in revision 22486
--
/* after a few "odd" lookups and insertions emem_tree_lookup32_array ends up
"corrupting" the key */
/* the following snippet reproduces the bug */
#include <stdio.h>
#include <glib.h>
#include <epan/emem.h>

static emem_tree_t* tree;

void lookup_n_insert( guint32 len, guint32 ints[] ) {
    guint32 x = len;
    /* two-segment key: one word holding the length, then the words themselves */
    emem_tree_key_t key[] = {
        {1,&x},
        {x,(ints)},
        {0,NULL}
    };
    printf("\nbefore lookup key[0].length=%u, key[0].key[0]=%u, "
           "key[1].length=%u, key[1].key=%u %u %u %u\n",
           key[0].length,key[0].key[0],key[1].length,
           key[1].key[0],key[1].key[1],key[1].key[2],key[1].key[3]);
    emem_tree_lookup32_array(tree,key);
    printf("after lookup key[0].length=%u, key[0].key[0]=%u, "
           "key[1].length=%u, key[1].key=%u %u %u %u\n",
           key[0].length,key[0].key[0],key[1].length,
           key[1].key[0],key[1].key[1],key[1].key[2],key[1].key[3]);
    emem_tree_insert32_array(tree,key,key);
    printf("after insert key[0].length=%u, key[0].key[0]=%u, "
           "key[1].length=%u, key[1].key=%u %u %u %u\n",
           key[0].length,key[0].key[0],key[1].length,
           key[1].key[0],key[1].key[1],key[1].key[2],key[1].key[3]);
}

void watch_bug(void) {
    guint32 k1[] = {1,2,1,1};
    guint32 k2[] = {1,2,1,2};
    guint32 k3[] = {1,2,1,3};
    tree = pe_tree_create(EMEM_TREE_TYPE_RED_BLACK, "foo-bar");
    lookup_n_insert(4,k1);
    lookup_n_insert(4,k2);
    lookup_n_insert(4,k3);
}
/*
this is the output I get:
before lookup key[0].length=1, key[0].key[0]=4, key[1].length=4, key[1].key=1 2 1 1
after lookup key[0].length=1, key[0].key[0]=4, key[1].length=4, key[1].key=1 2 1 1
after insert key[0].length=1, key[0].key[0]=4, key[1].length=1, key[1].key=1 1 2 1
before lookup key[0].length=1, key[0].key[0]=4, key[1].length=4, key[1].key=1 2 1 2
after lookup key[0].length=1, key[0].key[0]=4, key[1].length=1, key[1].key=2 1 2 1
after insert key[0].length=1, key[0].key[0]=4, key[1].length=1, key[1].key=2 1 2 1
before lookup key[0].length=1, key[0].key[0]=4, key[1].length=4, key[1].key=1 2 1 3
after lookup key[0].length=1, key[0].key[0]=4, key[1].length=1, key[1].key=3 0 17091736 3221223216
after insert key[0].length=1, key[0].key[0]=4, key[1].length=1, key[1].key=3 0 17091736 3221223216
*/
IMHO we should constify the key in tree calls.
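Added example (not part of the original report and not Wireshark's code): a minimal C model of the symptom reported above, where a walker consumes the caller's segmented key in place, next to a const-qualified version that moves only local cursors. The seg_t type and the walk_*/length_after functions are hypothetical names, and the in-place walk is an assumed pattern, chosen because it reproduces the reported change of key[1].length from 4 to 1.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a segmented key (array ends at length 0).
   Not Wireshark's emem code; names are invented for this example. */
typedef struct { uint32_t length; uint32_t *key; } seg_t;

/* Walks the key by consuming the caller's own array in place. */
uint32_t walk_mutating(seg_t *k)
{
    uint32_t acc = 0;
    while (k->length != 0) {
        acc = acc * 31 + *k->key;
        if (k->length == 1) {
            k++;                 /* last word of this segment: next segment */
        } else {
            k->length--;         /* writes through to the caller's key */
            k->key++;
        }
    }
    return acc;
}

/* Same traversal over a const key: only local cursors move. */
uint32_t walk_const(const seg_t *k)
{
    uint32_t acc = 0;
    for (; k->length != 0; k++) {
        const uint32_t *p = k->key;
        for (uint32_t n = k->length; n != 0; n--)
            acc = acc * 31 + *p++;
    }
    return acc;
}

/* Builds the report's third key and returns key[1].length after one walk. */
uint32_t length_after(int use_const)
{
    uint32_t x = 4, ints[] = {1, 2, 1, 3};   /* constructed sample key */
    seg_t key[] = { {1, &x}, {4, ints}, {0, NULL} };
    if (use_const) walk_const(key); else walk_mutating(key);
    return key[1].length;
}

int main(void)
{
    printf("mutating walk: key[1].length=%u\n", (unsigned)length_after(0));
    printf("const walk:    key[1].length=%u\n", (unsigned)length_after(1));
    return 0;
}
```

With the parameter declared const seg_t *, the in-place writes in walk_mutating no longer compile, so a caller that reuses the key (as the report's printf calls do) cannot end up indexing past the end of its own array.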