Martin Kaiser
changed
bug 8111
| What |
Removed |
Added |
| CC |
|
wireshark@kaiser.cx
|
Comment # 12
on bug 8111
from Martin Kaiser
(In reply to comment #4)
> FD_DEFRAGMENTED (i.e., when the reassembly is done). The crash happens when
> another frame arrives which is part of the reassembled message and its
> offset is a) within bounds of the length specified in fragment_set_tot_len()
> but b) outside of the bounds of what was actually reassembled.
To me, it looks like the fragment that causes the crash has a starting offset
that's larger than the length set by fragment_set_tot_len().
I tried a simple fix as attached: In the DTLS dissector, set the total len
_before_ adding the fragment. If the fragment's starting offset is out of
bounds in fragment_add_common(), return NULL (==reassembly not complete) and
don't add the fragment.
This "works for me" but I'm not sure if it's a proper fix. Should the check be
in fragment_add_common() or in fragment_add_work()? Do we need something
similar in fragment_add_check()?
You are receiving this mail because:
- You are watching all bug changes.
