Ethereal-dev: Re: [ethereal-dev] capture files that kill ethereal 0.8.7


From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Thu, 27 Apr 2000 15:33:44 -0500
On Thu, Apr 27, 2000 at 02:52:04PM -0500, don@xxxxxxxxxxxxxxxxxxxxxxx wrote:
> 
> 
> 
> ether3 - udp that captures ok (loading directly stalls briefly but works 
> also)
> but locks up and eventually cores when "dns" is entered into the filter 
> window.

On my system I got an infinite loop in dissect_ripng() for this file.
Packet 178 is identified as RIPng.

The following patch fixes that problem.

BTW, is this real trace data? Starting from the UDP checksum to the
end of the packet, the bytes are repeated. It looks like test packets
that are intentionally corrupt.  I'm sure there are more bugs like this
in Ethereal, but we're going to put in a fix to get rid of all bugs related
to reading beyond the end of a packet.

--gilbert
--- /data/build/ethereal/src/packet-ripng.c	Tue Apr 11 10:14:27 2000
+++ packet-ripng.c	Thu Apr 27 15:26:14 2000
@@ -88,42 +88,48 @@
 	    rip6.rip6_vers);
 
 	offset += 4;
-	while ((pi.captured_len - offset) >= sizeof(struct netinfo6)){
-	    memcpy(&ni6, &pd[offset], sizeof(ni6));
-	    if (ni6.rip6_tag) {
-		ti = proto_tree_add_text(ripng_tree, offset,
-				sizeof(ni6), "IP Address: %s/%u, Metric: %u, tag: 0x%04x",
-				ip6_to_str(&ni6.rip6_dest),
-				ni6.rip6_plen,
-				ni6.rip6_metric,
+	if (BYTES_ARE_IN_FRAME(offset, sizeof(ni6))) {
+		while ((pi.captured_len - offset) >= sizeof(ni6)){
+		g_message("pi.caplen=%d  offset=%d  ni6=%d", pi.captured_len, offset, sizeof(ni6));
+		    memcpy(&ni6, &pd[offset], sizeof(ni6));
+		    if (ni6.rip6_tag) {
+			ti = proto_tree_add_text(ripng_tree, offset,
+					sizeof(ni6), "IP Address: %s/%u, Metric: %u, tag: 0x%04x",
+					ip6_to_str(&ni6.rip6_dest),
+					ni6.rip6_plen,
+					ni6.rip6_metric,
+					ntohs(ni6.rip6_tag));
+		    } else {
+			ti = proto_tree_add_text(ripng_tree, offset,
+					sizeof(ni6), "IP Address: %s/%u, Metric: %u",
+					ip6_to_str(&ni6.rip6_dest),
+					ni6.rip6_plen,
+					ni6.rip6_metric);
+		    }
+		    subtree = proto_item_add_subtree(ti, ett_ripng_addr);
+		    proto_tree_add_text(subtree,
+				offset + offsetof(struct netinfo6, rip6_dest),
+				sizeof(ni6.rip6_dest), "IP Address: %s",
+				ip6_to_str(&ni6.rip6_dest));
+		    proto_tree_add_text(subtree,
+				offset + offsetof(struct netinfo6, rip6_tag),
+				sizeof(ni6.rip6_tag), "Tag: 0x%04x",
 				ntohs(ni6.rip6_tag));
-	    } else {
-		ti = proto_tree_add_text(ripng_tree, offset,
-				sizeof(ni6), "IP Address: %s/%u, Metric: %u",
-				ip6_to_str(&ni6.rip6_dest),
-				ni6.rip6_plen,
+		    proto_tree_add_text(subtree,
+				offset + offsetof(struct netinfo6, rip6_plen),
+				sizeof(ni6.rip6_plen), "Prefix length: %u",
+				ni6.rip6_plen);
+		    proto_tree_add_text(subtree,
+				offset + offsetof(struct netinfo6, rip6_metric),
+				sizeof(ni6.rip6_metric), "Metric: %u",
 				ni6.rip6_metric);
-	    }
-	    subtree = proto_item_add_subtree(ti, ett_ripng_addr);
-	    proto_tree_add_text(subtree,
-			offset + offsetof(struct netinfo6, rip6_dest),
-			sizeof(ni6.rip6_dest), "IP Address: %s",
-			ip6_to_str(&ni6.rip6_dest));
-	    proto_tree_add_text(subtree,
-			offset + offsetof(struct netinfo6, rip6_tag),
-			sizeof(ni6.rip6_tag), "Tag: 0x%04x",
-			ntohs(ni6.rip6_tag));
-	    proto_tree_add_text(subtree,
-			offset + offsetof(struct netinfo6, rip6_plen),
-			sizeof(ni6.rip6_plen), "Prefix length: %u",
-			ni6.rip6_plen);
-	    proto_tree_add_text(subtree,
-			offset + offsetof(struct netinfo6, rip6_metric),
-			sizeof(ni6.rip6_metric), "Metric: %u",
-			ni6.rip6_metric);
 
-            offset += sizeof(ni6);
-        }
+		    offset += sizeof(ni6);
+		}
+	}
+	else {
+		proto_tree_add_text(ripng_tree, offset, 0, "No IP Address information");
+	}
     }
 }
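Review bot: The `g_message("pi.caplen=%d  offset=%d  ni6=%d", ...)` call on the first line of the new loop body looks like leftover debugging: it logs once per routing entry on every dissection, and it passes `sizeof(ni6)` (a size_t) to a `%d` conversion, which is a format/argument mismatch; the line should be dropped before committing. The new BYTES_ARE_IN_FRAME guard only protects entry into the loop, while the per-iteration condition still computes `pi.captured_len - offset` — if captured_len is unsigned (its declaration is not visible here) that is a mixed-signedness subtraction, so using the same macro for the loop, `while (BYTES_ARE_IN_FRAME(offset, sizeof(ni6))) {`, would make the bounds check uniform and remove the arithmetic. dissect_ripng starts before the hunk; only its closing brace is visible at the end.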