Wireshark-bugs: [Wireshark-bugs] [Bug 12119] Buildbot crash output: fuzz-2016-02-11-28355.pcap
Date: Fri, 01 Apr 2016 12:33:06 +0000

Comment # 5 on bug 12119 from
(In reply to Michael Mann from comment #4)
> I think the best solution would be to try to get the "tap data" (si
> variable) as close to the top of a function as possible.  Then you could put
> a if (ptvcursor_tree(cursor) == NULL) right after all of the uses. 
> Hopefully that can eliminate all of the loops.
> Barring that, you need to have sanity checks after grabbing any loop value
> from the packet and checking if its loop size is too big for the packet.
> Using this capture as an example, in handle_UpdateCapabilitiesV3Message,
> there should be a check if (audioCapCount * "size of audio capability
> structure") is greater than reported length of tvb, then return from
> function.

Would adding this do the trick (3rd line)?

    guint32 counter_1 = 0;
    ptvcursor_add_text_with_subtree(cursor, SUBTREE_UNDEFINED_LENGTH,
        ett_skinny_tree, "caps [ref: capCount = %d, max:18]", capCount);
    if (hdr_data_length - ptvcursor_current_offset(cursor) >= (capCount * 16)
        && capCount <= 18) { /* tvb size guard */
      for (counter_1 = 0; counter_1 < 18; counter_1++) {
         ...
      }
    }

Where would you like me to add the ptvcursor_tree(cursor) != NULL check, after
adding the subtree cursor?
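A stand-alone C model of the tvb-size guard discussed in this thread, added here as an example; it is not code from the bug report or from Wireshark. cursor_t, caps_fit(), dissect_caps() and run_fixture() are hypothetical stand-ins for the ptvcursor/tvb API, the 16-byte entry size and the 18-entry maximum are taken from the comments above, and the packet bytes are constructed. The guard tests the count bound before the multiplication so the product cannot wrap in 32 bits, and only subtracts the offset from the length when the offset is not already past the end.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added, stand-alone model of the tvb-size guard from the thread. Not
 * Wireshark code: cursor_t, caps_fit() and dissect_caps() are hypothetical
 * stand-ins for ptvcursor/tvb, not the real API. */

#define CAP_STRUCT_SIZE 16u  /* bytes per audio capability entry (from the thread) */
#define CAP_MAX         18u  /* "max:18" from the thread's subtree label */

typedef struct {
    const uint8_t *data;    /* packet bytes */
    uint32_t       len;     /* reported data length (hdr_data_length) */
    uint32_t       offset;  /* current cursor position */
} cursor_t;

/* 1 if cap_count entries fit in the bytes remaining after offset, else 0.
 * The bound on cap_count is tested before the multiplication so the product
 * cannot wrap around, and the subtraction is only done when offset <= len. */
int caps_fit(const cursor_t *c, uint32_t cap_count)
{
    if (cap_count > CAP_MAX)
        return 0;
    if (c->offset > c->len)
        return 0;
    return (c->len - c->offset) >= cap_count * CAP_STRUCT_SIZE;
}

/* Walk the capability entries. Returns the number dissected, or -1 when the
 * guard rejects the message and the loop is skipped entirely. Each entry's
 * first byte is treated as its id (constructed layout) and summed into *id_sum. */
int dissect_caps(cursor_t *c, uint32_t cap_count, uint32_t *id_sum)
{
    uint32_t sum = 0;
    if (!caps_fit(c, cap_count))
        return -1;
    for (uint32_t i = 0; i < cap_count; i++) {
        sum += c->data[c->offset];   /* in bounds: guaranteed by caps_fit() */
        c->offset += CAP_STRUCT_SIZE;
    }
    if (id_sum)
        *id_sum = sum;
    return (int)cap_count;
}

/* Run the dissector over a constructed 32-byte body (room for exactly two
 * entries) with the given capCount, returning dissect_caps()'s result. */
int run_fixture(uint32_t cap_count, uint32_t *id_sum)
{
    uint8_t body[2 * CAP_STRUCT_SIZE];
    memset(body, 0, sizeof body);
    body[0]  = 4;   /* id of entry 0 (constructed) */
    body[16] = 9;   /* id of entry 1 (constructed) */
    cursor_t c = { body, (uint32_t)sizeof body, 0 };
    return dissect_caps(&c, cap_count, id_sum);
}

int main(void)
{
    uint32_t sum = 0;
    printf("capCount=2          -> %d (id sum %u)\n", run_fixture(2, &sum), sum);
    printf("capCount=3          -> %d (third entry would run past the body)\n",
           run_fixture(3, NULL));
    printf("capCount=0x10000000 -> %d (product would wrap to 0 without the count bound)\n",
           run_fixture(0x10000000u, NULL));
    return 0;
}
```

The third case is why the count bound is worth testing first: 0x10000000 * 16 wraps to 0 in guint32 arithmetic, so a length comparison on its own would accept it, and the loop would then depend entirely on the second clause of the guard.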

