Wireshark-bugs: [Wireshark-bugs] [Bug 5825] Buildbot crash output: randpkt-2011-04-13-1899.pcap
Date: Wed, 13 Apr 2011 14:37:27 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5825

--- Comment #1 from Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx> 2011-04-13 15:37:27 MDT ---
This problem is occurring because the function fDevice_Instance() in
packet-bacapp.c calls:

    tag_len = fTagHeader (tvb, offset, &tag_no, &tag_info, &lvt);
    ti = proto_tree_add_item(tree, hf, tvb, offset+tag_len, lvt, TRUE);

When using hf (passed as the final argument to the fDevice_Instance function)
of one of two types: hf_Device_Instance_Range_Low_Limit or
hf_Instance_Range_High_Limit.  Both of these are type FT_UINT32.  So the code
that is throwing the assert is in get_uint_value() in epan/proto.c, where it
checks the length for type *UINT* and it can only be 1, 2, 3 or 4 bytes long.
The fuzzed capture is causing the length (lvt variable above) to be 6, thus the
default case is taken in the switch(length) which is
DISSECTOR_ASSERT_NOT_REACHED.

Since fDevice_Instance is only called from two places in fWhoisRequest(), and
only with the two hf_ types above (both FT_UINT32), my best guess for a fix
would be to change it to not fetch the length as shown at the top of this
comment, but instead use 4 bytes each type (or lookup the right value based on
the hf_ type that is passed to the function).

Comments?

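Added example, not code from the bug report or from Wireshark: a small C model of the length check that get_uint_value() enforces, with a caller-side check of the packet-supplied lvt against the field's width so a malformed length is reported instead of reaching the assert. The enum values, the ft_width() helper, the function names ending in _model/_checked and the sample bytes are all constructed for this illustration; accepting any length up to the field width (rather than forcing exactly 4) is an assumption.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical stand-ins for Wireshark's field types (not the real enum values). */
enum { FT_UINT8 = 1, FT_UINT16, FT_UINT24, FT_UINT32 };

/* Width in bytes that each modelled field type can hold (assumed helper). */
static int ft_width(int ft)
{
    switch (ft) {
    case FT_UINT8:  return 1;
    case FT_UINT16: return 2;
    case FT_UINT24: return 3;
    case FT_UINT32: return 4;
    default:        return 0;
    }
}

/* Model of get_uint_value(): decode 'length' big-endian bytes at 'offset'.
 * Returns 0 on success, -1 when the read would run past the buffer or when
 * the length is outside 1..4 (the switch default that ends in
 * DISSECTOR_ASSERT_NOT_REACHED in epan/proto.c). */
static int get_uint_value_model(const uint8_t *buf, size_t buflen,
                                size_t offset, int length, uint32_t *out)
{
    uint32_t v = 0;
    if (length < 1 || offset + (size_t)length > buflen)
        return -1;
    switch (length) {
    case 1: case 2: case 3: case 4:
        for (int i = 0; i < length; i++)
            v = (v << 8) | buf[offset + i];
        *out = v;
        return 0;
    default:
        return -1;  /* the real code asserts here */
    }
}

/* Hardened form of the fDevice_Instance() pattern: lvt comes from the packet,
 * so it is validated against the field's width before the value is fetched.
 * Returns -2 for a malformed length instead of passing it through. */
static int add_uint_item_checked(const uint8_t *buf, size_t buflen, size_t offset,
                                 int tag_len, unsigned lvt, int ft, uint32_t *out)
{
    int want = ft_width(ft);
    if (want == 0 || lvt == 0 || lvt > (unsigned)want)
        return -2;
    return get_uint_value_model(buf, buflen, offset + (size_t)tag_len, (int)lvt, out);
}

/* Constructed sample: one tag byte, the 4-byte instance 0x42, then padding. */
static const uint8_t sample_pkt[] = { 0x09, 0x00, 0x00, 0x00, 0x42, 0xAA, 0xBB, 0xCC };
```

With lvt = 6 the unchecked model hits the default case (the assert path), while the checked wrapper rejects the length before any fetch.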