Wireshark-bugs: [Wireshark-bugs] [Bug 10729] Buildbot crash output: fuzz-2014-11-26-21704.pcap
Date: Wed, 26 Nov 2014 21:26:52 +0000

changed bug 10729


What    | Removed | Added
CC      |         | mmann78@netscape.net, pascal.quantin@gmail.com

Comment # 1 on bug 10729 from
This crash is a side effect of ge3a04bb (Ensure dissector data parameter is
used instead of pinfo->private_data when passing data between dissectors using
the "media_type" subdissector).

The HTTP dissector is passing the media_str as the "data" parameter:
            if (headers.content_type_parameters)
                media_str = wmem_strdup(wmem_packet_scope(), headers.content_type_parameters);
[...]
            dissected = call_dissector_only(handle, next_tvb, pinfo, tree, media_str);

while the XML dissector assumes that if the data parameter is not NULL, it means
that it can store a pointer in it:
    xml_frame_t      **ret_frame = (xml_frame_t**)data;
[...]
    if (ret_frame != NULL)
        *ret_frame = current_frame;  /* pass XML structure to the dissector calling XML */

It leads to the storage of 8 bytes (on a Linux x64 machine) in a 4-byte-long
dynamic memory block, which corrupts the memory.


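Added example, not part of the original mail and not Wireshark code: one way to keep a string and an output slot from being confused behind a shared void* "data" parameter is to have every caller pass the same small struct. All names here (frame_t, media_data_t, dissect_xml_like and the two callers) are hypothetical stand-ins, and the 4-byte buffer is constructed to mirror the block size mentioned in the comment.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; none of these names are Wireshark's. */
typedef struct { const char *name; } frame_t;   /* plays the role of xml_frame_t */

typedef struct {
    const char *media_str;   /* input: Content-Type parameters, may be NULL */
    frame_t   **ret_frame;   /* output slot, NULL when the caller wants no result */
} media_data_t;

static frame_t current_frame = { "root" };

/* Callee: `data` is always a media_data_t*, so the output slot is an explicit
 * field and a media string can never be mistaken for a place to store a pointer. */
static int dissect_xml_like(void *data)
{
    media_data_t *md = (media_data_t *)data;
    if (md == NULL || md->ret_frame == NULL)
        return 0;                      /* caller did not ask for the structure */
    *md->ret_frame = &current_frame;   /* write lands in a frame_t* the caller owns */
    return 1;
}

/* Caller shaped like the HTTP path: it only has a media string to pass along. */
static int call_with_media_string(const char *params, char *buf, size_t buflen)
{
    media_data_t md = { buf, NULL };
    strncpy(buf, params, buflen - 1);
    buf[buflen - 1] = '\0';
    return dissect_xml_like(&md);
}

/* Caller that wants the parsed structure handed back. */
static const char *call_for_frame(void)
{
    frame_t *out = NULL;
    media_data_t md = { NULL, &out };
    return dissect_xml_like(&md) ? out->name : NULL;
}

int main(void)
{
    char buf[4];   /* constructed: same size as the block in the report */
    return (call_with_media_string("abc", buf, sizeof buf) == 0 && call_for_frame() != NULL) ? 0 : 1;
}
```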