On Tue, Sep 26, 2000 at 03:31:27PM +0300, Santeri Paavolainen wrote:
> I got this crash with Ethereal 0.8.12. Quite clearly it gets into eternal
> recursion, eventually running out of the packet data.
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x8087660 in dissect_transform (pd=0x827e290 "", offset=258177, fd=0x82619d0,
> tree=0x82977f4, protocol_id=1 '\001') at packet-isakmp.c:592
> 592 guint16 type = pntohs(pd + offset) & 0x7fff;
> (gdb) bt
> #0 0x8087660 in dissect_transform (pd=0x827e290 "", offset=258177,
> fd=0x82619d0, tree=0x82977f4, protocol_id=1 '\001') at packet-isakmp.c:592
> #1 0x8087797 in dissect_transform (pd=0x827e290 "", offset=1530,
> fd=0x82619d0, tree=0x82977f4, protocol_id=1 '\001') at packet-isakmp.c:625
Thanks. It's not infinite recursion, but recursion due to data that's
probably bad. Eventually the recursion takes us beyond the end of the
packet, and it segfaults. Unfortunately this dissector does not
use the tvbuff code to avoid this problem.
Does this patch help? Also, do you have a sample capture that you could
send me (privately, if you want)? I'd need that if I were to convert
the ISAKMP dissector to use tvbuffs.
thanks,
--gilbert
Index: packet-isakmp.c
===================================================================
RCS file: /usr/local/cvsroot/ethereal/packet-isakmp.c,v
retrieving revision 1.26
diff -u -r1.26 packet-isakmp.c
--- packet-isakmp.c 2000/08/13 14:08:18 1.26
+++ packet-isakmp.c 2000/09/26 15:04:20
@@ -618,6 +618,11 @@
offset += pack_len;
length -= pack_len;
}
+ if (!IS_DATA_IN_FRAME(offset)) {
+ proto_tree_add_text(ntree, NullTVB, 0, 0,
+ "Bad Offset: %u", offset);
+ return;
+ }
}
if (hdr->next_payload < NUM_LOAD_TYPES) {
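Review bot: the new check is a single-byte test, but the read that crashed (`pntohs(pd + offset)` at line 592) needs two bytes and the transform header it goes on to parse needs more, so an offset that lands one byte short of the end of the captured data still passes `IS_DATA_IN_FRAME(offset)` and overreads. A length-aware check against the header size (BYTES_ARE_IN_FRAME(offset, header_len), if that macro is available at this revision) would close that gap. The check also only runs once the loop has finished advancing `offset` with `offset += pack_len; length -= pack_len;`, so any read of `pd + offset` inside the loop body (not shown in the hunk) still happens unchecked, and a `pack_len` larger than the remaining `length` is not caught here either; the same guard belongs inside the loop before the read.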
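As an added example (not Ethereal's code) of the bounds-checked walk that a tvbuff-style conversion would give this dissector: a recursive walk over a chain of ISAKMP-style generic payload headers that checks every read against the captured length and caps the recursion depth, run over constructed sample buffers that include the bad-length and truncated cases. The header layout is the RFC 2408 generic payload header; MAX_DEPTH, the WALK_* codes and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Generic ISAKMP payload header: next_payload(1) reserved(1) length(2, big-endian). */
#define HDR_LEN   4
#define MAX_DEPTH 32   /* assumed cap on chained payloads; real traffic is far shallower */

enum { WALK_OK = 0, WALK_TRUNCATED = -1, WALK_BAD_LENGTH = -2, WALK_TOO_DEEP = -3 };

/* True when [offset, offset+len) lies inside the captured data; written so
 * that offset + len cannot wrap around. */
static int bytes_in_frame(size_t offset, size_t len, size_t captured_len) {
    return offset <= captured_len && len <= captured_len - offset;
}

/* Recursive walk over the payload chain, mirroring dissect_transform calling
 * itself, but every read is bounds-checked first and the depth is capped. */
static int walk_payload(const uint8_t *pd, size_t captured_len, size_t offset, int depth, int *count) {
    if (depth >= MAX_DEPTH) return WALK_TOO_DEEP;
    if (!bytes_in_frame(offset, HDR_LEN, captured_len)) return WALK_TRUNCATED;
    uint8_t  next = pd[offset];
    uint16_t len  = (uint16_t)(((unsigned)pd[offset + 2] << 8) | pd[offset + 3]);
    /* len < HDR_LEN would re-read the same header forever; len past the frame would overread. */
    if (len < HDR_LEN || !bytes_in_frame(offset, len, captured_len)) return WALK_BAD_LENGTH;
    (*count)++;
    if (next == 0) return WALK_OK;          /* next_payload NONE ends the chain */
    return walk_payload(pd, captured_len, offset + len, depth + 1, count);
}

/* Entry points: the result code, and the number of payloads parsed before stopping. */
int walk_chain(const uint8_t *pd, size_t captured_len) {
    int count = 0;
    return walk_payload(pd, captured_len, 0, 0, &count);
}
int walk_count(const uint8_t *pd, size_t captured_len) {
    int count = 0;
    walk_payload(pd, captured_len, 0, 0, &count);
    return count;
}

/* Constructed samples (not from a real capture). */
const uint8_t SAMPLE_GOOD[]  = {3,0,0,8, 1,2,3,4,  0,0,0,4};   /* two payloads, ends cleanly */
const uint8_t SAMPLE_HUGE[]  = {3,0,0xFF,0xFF};                 /* length 65535 in a 4-byte frame */
const uint8_t SAMPLE_TRUNC[] = {3,0,0,8, 1,2,3,4,  3,0};        /* chain continues past the data */
const uint8_t SAMPLE_ZERO[]  = {3,0,0,0, 1,2,3,4};              /* length 0: would loop forever */
```

With the unchecked walk from the report, SAMPLE_HUGE and SAMPLE_TRUNC are the inputs that read past the buffer; here they stop with an error code and the count of payloads parsed so far.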