Wireshark-bugs: [Wireshark-bugs] [Bug 12119] Buildbot crash output: fuzz-2016-02-11-28355.pcap
Date: Sat, 14 May 2016 11:35:34 +0000

Comment # 9 on bug 12119 from
(In reply to Michael Mann from comment #4)
> I think the best solution would be to try to get the "tap data" (si
> variable) as close to the top of a function as possible.  Then you could put
> a if (ptvcursor_tree(cursor) == NULL) right after all of the uses. 
> Hopefully that can eliminate all of the loops.
> Barring that, you need to have sanity checks after grabbing any loop value
> from the packet and checking if its loop size is too big for the packet.
> Using this capture as an example, in handle_UpdateCapabilitiesV3Message,
> there should be a check if (audioCapCount * "size of audio capability
> structure") is greater than reported length of tvb, then return from
> function.

Hi Michael,

Moving the use of tap data (si variable) to the top of each function would be
hard with the current generator. It calculates the offset step by step.

Adding extra checks when setting each of the tap_data entries (si variable)
should not be a problem. I am however not 100% sure when / how to check the
cursor pointer.

Taking the current 'handle_KeypadButtonMessage' code as an example, is this
what you are looking for:

    si->lineId = tvb_get_letohl(ptvcursor_tvbuff(cursor),
                                ptvcursor_current_offset(cursor));
    if (ptvcursor_tree(cursor) == NULL) { /* g_error message */ return; }
    ptvcursor_add(cursor, hf_skinny_lineInstance, 4, ENC_LITTLE_ENDIAN);

or:
    si->lineId = tvb_get_letohl(ptvcursor_tvbuff(cursor),
                                ptvcursor_current_offset(cursor));
    ptvcursor_add(cursor, hf_skinny_lineInstance, 4, ENC_LITTLE_ENDIAN);
    if (ptvcursor_tree(cursor) == NULL) { /* g_error message */ return; }

or:
    si->lineId = tvb_get_letohl(ptvcursor_tvbuff(cursor),
                                ptvcursor_current_offset(cursor));
    if (cursor == NULL || !ptvcursor_add(cursor, hf_skinny_lineInstance, 4,
                                         ENC_LITTLE_ENDIAN)) {
      /* g_error message */
      return;
    }

Would any of these be helpful?
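The loop-count sanity check Michael asks for in comment #4 (count times record size against the reported length), as an added stand-alone C example; this is not code from the Wireshark Skinny dissector, and the cursor type, AUDIO_CAP_SIZE and the fixed 16-byte record layout are constructed for the demo.

```c
/* Added example, not Wireshark code: models the "audioCapCount * size of
 * capability structure > reported length" check on a plain byte buffer. */
#include <stdint.h>
#include <stddef.h>

#define AUDIO_CAP_SIZE 16u   /* constructed: size of one capability record */

/* Minimal stand-in for a tvb + ptvcursor: buffer, length, current offset. */
typedef struct { const uint8_t *data; size_t len; size_t off; } cursor_t;

/* Little-endian 32-bit read; returns 0 on success, -1 if it would overrun. */
static int read_le32(cursor_t *c, uint32_t *out) {
    if (c->len - c->off < 4) return -1;
    const uint8_t *p = c->data + c->off;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    c->off += 4;
    return 0;
}

/* Returns the number of records walked, or -1 when the declared count
 * cannot fit in the bytes that remain, so the loop is never entered. */
int handle_update_capabilities(cursor_t *c) {
    uint32_t audioCapCount;
    if (read_le32(c, &audioCapCount) != 0) return -1;
    size_t remaining = c->len - c->off;
    /* Divide instead of multiplying so a huge count cannot overflow. */
    if (audioCapCount > remaining / AUDIO_CAP_SIZE) return -1;
    for (uint32_t i = 0; i < audioCapCount; i++) {
        c->off += AUDIO_CAP_SIZE;   /* a real dissector adds each field here */
    }
    return (int)audioCapCount;
}

/* Constructed input: count = 2 followed by exactly two records. */
int demo_sane(void) {
    uint8_t buf[4 + 2 * AUDIO_CAP_SIZE] = { 2, 0, 0, 0 };
    cursor_t c = { buf, sizeof buf, 0 };
    return handle_update_capabilities(&c);
}

/* Constructed fuzzed input: count = 0x7fffffff but only one record present. */
int demo_fuzzed(void) {
    uint8_t buf[4 + AUDIO_CAP_SIZE] = { 0xff, 0xff, 0xff, 0x7f };
    cursor_t c = { buf, sizeof buf, 0 };
    return handle_update_capabilities(&c);
}
```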

