Wireshark-bugs: [Wireshark-bugs] [Bug 9579] Clang ASAN : global-buffer-overflow SNMP : dissect_b
Date: Tue, 06 May 2014 14:02:52 +0000

Comment # 7 on bug 9579 from
The above was a simplification of the issue, but (skipping disabled code) there
are still parts I don't fully understand (first_pass, branch_taken).

Replacing the goto by a continue has as a side effect that *branch_taken gets
incremented and possibly reset to -1 if !ch->func.

This BER thing seems very complex; can't branch_taken just be a boolean?
(looking at epan/dissectors/packet-mms.c:7032 for example).

Replacing goto by continue (and then the choice_try_again label can be removed
too) fixes the overflow issue and assuming that branch_taken is a boolean (-1
false, others true), then I think it is safe to make the change.

I have not tested it since it will "obviously" fix the ASAN bug, but will
possibly modify the output and I cannot tell whether the new output will be
correct or not.

Remember to compile with -DCMAKE_C_FLAGS='-fsanitize=address'
-DCMAKE_CXX_FLAGS='-fsanitize=address' (or similar CFLAGS, CXXFLAGS and
possibly LDFLAGS for autotools) to enable ASAN.
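
A simplified model of the loop shape discussed in this comment, added here as an illustration and not taken from Wireshark's source: the table, `walk_table` and `dissect_stub` are constructed, and the placement of the `choice_try_again` label after the terminator test is an assumption based on the comment. It reports where an unguarded read past the table would occur instead of performing it, and counts how often branch_taken is incremented under each retry style.

```c
#include <stddef.h>

/* Constructed stand-in for a choice table terminated by an entry with func == NULL. */
struct choice { int tag; int (*func)(void); };
static int dissect_stub(void) { return 1; }
static const struct choice table[] = {
    { 1, dissect_stub }, { 2, dissect_stub }, { 0, NULL }
};
#define TABLE_LEN (sizeof table / sizeof table[0])

struct walk { int out_of_bounds; int bt_increments; };

/* Search the table for tag. use_goto selects the retry style being compared. */
static struct walk walk_table(int tag, int use_goto)
{
    struct walk w = { 0, 0 };
    size_t i = 0;
    int first_pass = 1;
    int branch_taken = -1;

    while (table[i].func || first_pass) {
        branch_taken++;
        w.bt_increments++;
        if (!table[i].func) {        /* terminator reached: start the second pass */
            first_pass = 0;
            i = 0;
            branch_taken = -1;
        }
choice_try_again:
        if (i >= TABLE_LEN) {        /* unguarded code would read table[i] here */
            w.out_of_bounds = 1;
            break;
        }
        if (table[i].func && table[i].tag == tag)
            break;                   /* branch found */
        i++;
        if (use_goto)
            goto choice_try_again;   /* skips the terminator test above */
        /* otherwise fall through to the loop condition, as continue does */
    }
    (void)branch_taken;
    return w;
}
```

In this model the goto style walks off the end of the table when the tag is absent, while the continue style stays in bounds at the cost of extra branch_taken updates.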

