Wireshark-bugs: [Wireshark-bugs] [Bug 8717] Buildbot crash output: fuzz-2013-05-25-10691.pcap
Date: Wed, 05 Jun 2013 18:40:43 +0000

Comment # 6 on bug 8717 from
I think I'm going to need some help. It is 7 years since I wrote this code. The
relevant part of the code is:

  if (fcount > 1) {             /* fragmented */
    gboolean save_fragmented = pinfo->fragmented;
    /* bytes actually present in the tvb after the header */
    guint16 real_len = tvb_length(tvb)-offset;
    proto_tree_add_item (pft_tree, hf_edcp_pft_payload, tvb, offset, real_len, ENC_NA);
    /* declared length disagrees with what is present: noted in the tree, but decoding goes on */
    if(real_len != payload_len || real_len == 0) {
      if(li)
        proto_item_append_text(li, " (length error (%d))", real_len);
    }
    if (real_len)
      next_tvb = dissect_pft_fragmented(tvb, pinfo, pft_tree, findex, fcount,
                                        seq, offset, real_len, fec, rsk, rsz);
    pinfo->fragmented = save_fragmented;
  } else {
    next_tvb = tvb_new_subset_remaining (tvb, offset);
  }
  if(next_tvb) {
    dissect_af(next_tvb, pinfo, tree);
  }

payload_len is the declared length of the fragment in the protocol.
real_len is the calculated length of the payload from the bytes consumed and
the tvb length.

The code checks for a discrepancy (phew) and puts this in the decode, but then
tries to carry on decoding. I guess this is where it should give up.

I can't remember enough about the API to know how to gracefully abort and leave
this for other protocols to get a chance, or to skip to the end if that is a
better tactic.

Suggestions please.


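The length check the comment describes, as an added stand-alone model (not Wireshark code, and not using the Wireshark API): the fragment layout, the field names findex/fcount/seq/payload_len and the helper functions pft_parse and pft_build are assumptions made for illustration only. The point it shows is the one the comment raises: when the declared payload length and the bytes actually present disagree, the parser returns an error and the caller does not go on to dissect the payload, instead of annotating the mismatch and continuing. It also guards the "length minus offset" subtraction, since on unsigned operands that wraps when offset exceeds the buffer length, and narrowing the result to 16 bits (as a guint16 would) turns the wrapped value into a plausible-looking size.

```c
/* Added example: a self-contained model of the "declared length vs bytes
 * actually present" check.  Not Wireshark code; the fragment layout is made
 * up for illustration: findex, fcount, seq and payload_len as 16-bit
 * big-endian fields, followed by payload_len bytes of payload. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PFT_HDR_LEN 8  /* hypothetical header size: four uint16 fields */

typedef enum {
    PFT_OK = 0,
    PFT_ERR_OFFSET,       /* offset lies beyond the end of the buffer */
    PFT_ERR_SHORT_HDR,    /* not enough bytes left for the header */
    PFT_ERR_LEN_MISMATCH  /* declared payload_len disagrees with bytes present */
} pft_status;

typedef struct {
    uint16_t findex, fcount, seq, payload_len;
    const uint8_t *payload;  /* points into the caller's buffer */
    size_t real_len;         /* bytes actually present after the header */
} pft_fragment;

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one fragment starting at buf[offset].  Any status other than PFT_OK
 * means the caller must stop here and not dissect the payload: the hard stop
 * the comment asks about, in place of an annotation followed by more decoding. */
pft_status pft_parse(const uint8_t *buf, size_t buf_len, size_t offset, pft_fragment *out)
{
    /* Check before subtracting: buf_len - offset wraps on unsigned operands
     * when offset > buf_len, and truncating that to 16 bits hides the wrap. */
    if (offset > buf_len) return PFT_ERR_OFFSET;
    size_t avail = buf_len - offset;
    if (avail < PFT_HDR_LEN) return PFT_ERR_SHORT_HDR;

    const uint8_t *p = buf + offset;
    out->findex      = get_be16(p);
    out->fcount      = get_be16(p + 2);
    out->seq         = get_be16(p + 4);
    out->payload_len = get_be16(p + 6);
    out->payload     = p + PFT_HDR_LEN;
    out->real_len    = avail - PFT_HDR_LEN;

    /* Same comparison as the posted dissector (declared vs computed, and
     * zero), but a mismatch is fatal for this fragment rather than a note. */
    if (out->real_len != out->payload_len || out->real_len == 0)
        return PFT_ERR_LEN_MISMATCH;
    return PFT_OK;
}

/* Build a fragment into dst and return the bytes written.  'declared' lets
 * a caller lie about the payload length, as a malformed capture would. */
size_t pft_build(uint8_t *dst, size_t dst_cap, uint16_t findex, uint16_t fcount,
                 uint16_t seq, uint16_t declared, const uint8_t *payload, size_t payload_len)
{
    if (dst_cap < PFT_HDR_LEN + payload_len) return 0;
    uint16_t hdr[4] = { findex, fcount, seq, declared };
    for (int i = 0; i < 4; i++) {
        dst[2 * i]     = (uint8_t)(hdr[i] >> 8);
        dst[2 * i + 1] = (uint8_t)(hdr[i] & 0xff);
    }
    memcpy(dst + PFT_HDR_LEN, payload, payload_len);
    return PFT_HDR_LEN + payload_len;
}

/* Constructed sample input: one well-formed fragment, then the same bytes
 * with an inflated declared length, then a bad offset. */
const uint8_t sample_payload[5] = { 'h', 'e', 'l', 'l', 'o' };

int main(void)
{
    uint8_t buf[64];
    pft_fragment f;
    size_t n = pft_build(buf, sizeof buf, 0, 3, 7, 5, sample_payload, 5);
    printf("good:     status %d, real_len %zu\n", pft_parse(buf, n, 0, &f), f.real_len);
    n = pft_build(buf, sizeof buf, 0, 3, 7, 500, sample_payload, 5);
    printf("overlong: status %d\n", pft_parse(buf, n, 0, &f));
    printf("bad off:  status %d\n", pft_parse(buf, n, n + 1, &f));
    return 0;
}
```

In the posted dissector the equivalent of the non-OK return is to leave next_tvb unset when the lengths disagree, so the final dissect_af call is skipped for that fragment; the model above just makes that decision explicit in the return value.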