Wireshark-bugs: [Wireshark-bugs] [Bug 4992] Support to decode the Gearman protocol
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4992
--- Comment #10 from Flier Lu <flier.lu@xxxxxxxxx> 2010-07-13 08:55:44 PDT ---
Created an attachment (id=4914)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4914)
use tvb_format_text instead of tvb_get_ptr
I have fixed the tvb_get_ptr issues based on Gerald's suggestion, but there is
another strange crash when I run fuzz-test.sh:
[flierlu@web wireshark]$ ./tools/fuzz-test.sh plugins/gearman/gearman.pcap
Running ./tshark with args: -nVxr (forever)
Starting pass 1:
plugins/gearman/gearman.pcap: ./tools/fuzz-test.sh: line 138: 26218 Aborted (core dumped) "$TSHARK" $TSHARK_ARGS $TMP_DIR/$TMP_FILE > /dev/null 2> $TMP_DIR/$ERR_FILE
ERROR
Processing failed. Capture info follows:
Output file: /tmp/fuzz-2010-07-13-26169.pcap
[flierlu@web wireshark]$ gdb /opt/disk2/home/flierlu/wireshark/.libs/lt-tshark core.
core.26218 core.9453
[flierlu@web wireshark]$ gdb /opt/disk2/home/flierlu/wireshark/.libs/lt-tshark core.26218
...
#11 0xb5cda5ae in g_malloc () from /usr/lib/libglib-2.0.so.0
#12 0xb62e921e in tvb_get_string (tvb=0xa051878, offset=1, length=3) at tvbuff.c:2222
#13 0xb656e5b4 in dissect_binary_packet (tvb=0xa051878, pinfo=0xbf88f134, gearman_tree=0xa1665a8) at packet-gearman.c:213
The code crashes when it calls g_malloc:

void
dissect_binary_packet(tvbuff_t *tvb, packet_info *pinfo, proto_tree *gearman_tree)
{
    gint offset = 0;
    char *magic_code = NULL;
    guint32 type, size;

    /* loop over back-to-back packets while a complete header remains */
    while (tvb_length_remaining(tvb, offset) >= GEARMAN_COMMAND_HEADER_SIZE)
    {
        /* 3-byte magic ("REQ" or "RES") following the leading NUL byte */
        magic_code = tvb_get_string(tvb, offset+1, 3); // crash here
but tvb_get_string only tries to allocate a 2-byte buffer:

guint8 *
tvb_get_string(tvbuff_t *tvb, const gint offset, const gint length)
{
    const guint8 *ptr;
    guint8 *strbuf = NULL;

    /* throw a dissector exception if [offset, offset+length) is not in the tvb */
    tvb_ensure_bytes_exist(tvb, offset, length);
    ptr = ensure_contiguous(tvb, offset, length);
    strbuf = g_malloc(length + 1); // crash here
    if (length != 0) {
        memcpy(strbuf, ptr, length);
    }
    strbuf[length] = '\0';
    return strbuf;
}
I have no idea why, or how to fix it; could you give me some advice?
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
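The loop above reads the Gearman binary header (4-byte magic "\0REQ"/"\0RES", then a big-endian 4-byte type and 4-byte size) and a fuzzed capture mutates exactly those fields. The following is an added example, not code from the Wireshark tree or from the Gearman plugin attached to this bug: a self-contained C parser for the same header that checks every length against the remaining buffer before any byte is read, walks back-to-back packets the way a dissector loop does, and refuses a size field that does not fit (including one that would wrap the offset). The header layout and the command numbers used in the sample (7 = SUBMIT_JOB, 16 = ECHO_REQ, 17 = ECHO_RES) are from the Gearman protocol specification; the sample bytes are constructed here and are not taken from gearman.pcap. Function names are this example's own, not Wireshark API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Gearman binary packet header: 4-byte magic ("\0REQ" or "\0RES"),
 * 4-byte command type and 4-byte payload size, both big-endian. */
#define GEARMAN_COMMAND_HEADER_SIZE 12

typedef struct {
    char     magic[4];      /* "REQ" or "RES", NUL-terminated */
    uint32_t type;          /* command number, e.g. 7 = SUBMIT_JOB, 16 = ECHO_REQ */
    uint32_t size;          /* declared payload length (bytes after the header) */
    size_t   payload_off;   /* offset of the payload inside the buffer */
} gearman_hdr;

/* Big-endian 32-bit read, the same thing tvb_get_ntohl() does. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the header at 'offset'. Returns 1 and fills *out only when the whole
 * header is present, the magic is valid and the declared payload really fits
 * in the remaining bytes; otherwise returns 0 and nothing beyond 'len' is read. */
static int parse_gearman_header(const uint8_t *buf, size_t len, size_t offset,
                                gearman_hdr *out)
{
    const uint8_t *p;
    size_t remaining;

    if (offset > len || len - offset < GEARMAN_COMMAND_HEADER_SIZE)
        return 0;                               /* header does not fit */
    p = buf + offset;
    if (p[0] != 0 ||
        (memcmp(p + 1, "REQ", 3) != 0 && memcmp(p + 1, "RES", 3) != 0))
        return 0;                               /* not a Gearman header */

    memcpy(out->magic, p + 1, 3);
    out->magic[3] = '\0';
    out->type = get_be32(p + 4);
    out->size = get_be32(p + 8);

    remaining = len - offset - GEARMAN_COMMAND_HEADER_SIZE;
    if (out->size > remaining)
        return 0;   /* truncated capture or hostile size field: do not read past the end */
    out->payload_off = offset + GEARMAN_COMMAND_HEADER_SIZE;
    return 1;
}

/* Count the NUL-separated arguments of an already validated packet.
 * Only the 'size' bytes that parse_gearman_header() vouched for are touched. */
static int count_gearman_args(const uint8_t *buf, const gearman_hdr *h)
{
    uint32_t i;
    int n = 1;

    if (h->size == 0)
        return 0;
    for (i = 0; i < h->size; i++)
        if (buf[h->payload_off + i] == '\0')
            n++;
    return n;
}

/* Walk a buffer of back-to-back packets, as the dissector loop does, and return
 * how many complete packets it holds. Because size was checked against the
 * remaining length, 'offset' can never wrap or overshoot 'len'. */
static int count_gearman_packets(const uint8_t *buf, size_t len)
{
    gearman_hdr h;
    size_t offset = 0;
    int n = 0;

    while (parse_gearman_header(buf, len, offset, &h)) {
        n++;
        offset += GEARMAN_COMMAND_HEADER_SIZE + h.size;
    }
    return n;
}

/* Constructed sample stream (not from gearman.pcap): two complete packets
 * followed by a header whose size field promises 100 bytes that are not there. */
static const uint8_t sample_stream[] = {
    /* \0REQ, type 16 (ECHO_REQ), size 5, "hello" */
    0x00, 'R', 'E', 'Q',  0, 0, 0, 16,  0, 0, 0, 5,
    'h', 'e', 'l', 'l', 'o',
    /* \0REQ, type 7 (SUBMIT_JOB), size 14, "func\0uniq\0data" */
    0x00, 'R', 'E', 'Q',  0, 0, 0, 7,   0, 0, 0, 14,
    'f', 'u', 'n', 'c', 0, 'u', 'n', 'i', 'q', 0, 'd', 'a', 't', 'a',
    /* truncated: \0RES, type 17 (ECHO_RES), size 100, only 3 bytes follow */
    0x00, 'R', 'E', 'S',  0, 0, 0, 17,  0, 0, 0, 100,
    'a', 'b', 'c'
};

/* Constructed fuzz-style case: size field 0xffffffff. An unchecked
 * offset += 12 + size would wrap, so the parser must reject it. */
static const uint8_t sample_huge_size[] = {
    0x00, 'R', 'E', 'Q',  0, 0, 0, 7,  0xff, 0xff, 0xff, 0xff,  'x'
};

int main(void)
{
    gearman_hdr h;
    size_t offset = 0;

    while (parse_gearman_header(sample_stream, sizeof sample_stream, offset, &h)) {
        printf("%s type=%u size=%u args=%d\n", h.magic, (unsigned)h.type,
               (unsigned)h.size, count_gearman_args(sample_stream, &h));
        offset += GEARMAN_COMMAND_HEADER_SIZE + h.size;
    }
    printf("complete packets: %d, huge-size packets: %d\n",
           count_gearman_packets(sample_stream, sizeof sample_stream),
           count_gearman_packets(sample_huge_size, sizeof sample_huge_size));
    return 0;
}
```

Two things worth keeping in mind when reading a trace like the one above. First, an advance of the form offset += header + size is only safe after size has been compared with what is actually left in the buffer, which is what the check in parse_gearman_header() enforces; a dissector that trusts the field and hands it to a copying helper is reading or writing past its buffer on the first fuzzed frame. Second, an abort inside the allocator on a 4-byte request is normally the allocator detecting corrupted heap metadata, so the frame in which g_malloc aborts is where the damage is noticed, not necessarily where it was done; running the same fuzzed capture under valgrind (or with MALLOC_CHECK_ set) points at the write that actually went out of bounds.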