Wireshark-bugs: [Wireshark-bugs] [Bug 1001] free() invalid pointer in dissect_802_3 at packet-ie
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1001
------- Comment #23 from gentoo-a7x@xxxxxxxxxxxxxxx 2006-07-30 19:36 GMT -------
(In reply to comment #22)
> If I didn't screw up my math, the next_tvb offset is inside except_ch.
Is that right? I think except_ch is 28 bytes long so it ends just before
-220(%ebp). To me it looks like the compiler put except_state and
except_ch.except_obj.except_dyndata at the same address.
> Notes:
> dissect_802_3 has two TRYs in the same function; it could confuse SSP gcc,
> or it's a mess with include files. Can you try to:
Do any other functions have more than one TRY/CATCH/ENDTRY set? If so, maybe
we can create a pcap file with packets that will test those functions.
> 1) delete the first try (as long as you don't capture truncated packets it
> should work)
I deleted lines 58-71 (inclusive) and it worked.
> 2) move the first TRY into a new function?
That also worked! Here is the patch I used:
--- epan/dissectors/packet-ieee8023.c 2006-07-17 15:59:00.000000000 -0400
+++ epan/dissectors/packet-ieee8023.c.new 2006-07-30 13:54:24.000000000 -0400
@@ -35,6 +35,27 @@
static dissector_handle_t ipx_handle;
static dissector_handle_t llc_handle;
+static tvbuff_t *
+ssp_test(tvbuff_t *tvb, int offset_after_length, int length)
+{
+ tvbuff_t *volatile trailer_tvb = NULL;
+ TRY {
+ trailer_tvb = tvb_new_subset(tvb, offset_after_length + length, -1, -1);
+ }
+ CATCH2(BoundsError, ReportedBoundsError) {
+ /* The packet has exactly "length" bytes worth of captured data
+ left in it, so the "tvb_new_subset()" creating "trailer_tvb"
+ threw an exception.
+
+ This means that all the data in the frame is within the length
+ value (assuming our offset isn't past the end of the tvb), so
+ we give all the data to the next protocol and have no trailer. */
+ trailer_tvb = NULL;
+ }
+ ENDTRY;
+ return trailer_tvb;
+}
+
void
dissect_802_3(int length, gboolean is_802_2, tvbuff_t *tvb,
int offset_after_length, packet_info *pinfo, proto_tree *tree,
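Review bot: the new helper is named after the experiment (ssp_test) and carries no comment saying why the trailer subset lives in its own function; since the whole point of the split is to keep a second TRY/CATCH2/ENDTRY out of dissect_802_3, give it a name that says what it returns (for example get_802_3_trailer) and put a comment above it stating that it must stay a separate function, otherwise a later cleanup will inline it back into dissect_802_3 and reintroduce the crash. The `tvbuff_t *volatile trailer_tvb` declaration is right, since the variable is written inside TRY and read after a possible longjmp, so keep that qualifier when renaming.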
@@ -55,20 +76,8 @@
if (captured_length > length)
captured_length = length;
next_tvb = tvb_new_subset(tvb, offset_after_length, captured_length,
length);
- TRY {
- trailer_tvb = tvb_new_subset(tvb, offset_after_length + length, -1, -1);
- }
- CATCH2(BoundsError, ReportedBoundsError) {
- /* The packet has exactly "length" bytes worth of captured data
- left in it, so the "tvb_new_subset()" creating "trailer_tvb"
- threw an exception.
-
- This means that all the data in the frame is within the length
- value (assuming our offset isn't past the end of the tvb), so
- we give all the data to the next protocol and have no trailer. */
- trailer_tvb = NULL;
- }
- ENDTRY;
+
+ trailer_tvb = ssp_test(tvb, offset_after_length, length);
/* Dissect the payload either as IPX or as an LLC frame.
Catch BoundsError and ReportedBoundsError, so that if the
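Review bot: the removed block took the only comment explaining that a NULL trailer_tvb means "the frame has no trailer"; the call site now reads `trailer_tvb = ssp_test(tvb, offset_after_length, length);` with nothing to say that NULL is a normal result, so add a one-line comment there (e.g. "NULL if all the captured data is within the length field"). Also, if the declaration of trailer_tvb in dissect_802_3 (not shown in this hunk) is `volatile` only because of the TRY being removed here, that qualifier should be dropped in the same hunk unless the remaining TRY around the payload dissection still assigns the variable; and the added line before the call is an empty `+` line that adds only a blank, which is fine but should not carry trailing whitespace.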
--
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
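The TRY/CATCH split the patch above makes, as an added example in C (the project's language) that is not part of this bug report or of Wireshark's code: a minimal setjmp/longjmp TRY/CATCH/ENDTRY in the spirit of epan/exceptions.h, a bounds-checked buffer "subset" that throws, and the trailer logic of ssp_test() run over three constructed 802.3 frames (exact length, padded, and a truncated capture). The names tvb_t, mk_rest, get_trailer and dissect_802_3_demo, the single-handler-chain exception scheme, and the frames are all assumptions made for this example; it cannot reproduce the compiler stack-layout problem discussed in the thread, it shows the logic being moved and why the local written inside TRY is declared volatile.

```c
/* Added example, not Wireshark code. tvb_t, mk_rest, get_trailer and
 * dissect_802_3_demo are names made up here, not Wireshark's real API. */
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

enum { BOUNDS_ERROR = 1 };

static jmp_buf *current_handler = NULL; /* innermost active TRY */
static int current_exc = 0;             /* code of the exception in flight */

static void THROW(int code)
{
    if (current_handler == NULL) {
        fprintf(stderr, "uncaught exception %d\n", code);
        abort();
    }
    current_exc = code;
    longjmp(*current_handler, 1);
}

/* Each TRY saves the previous handler so blocks nest; CATCH and the
 * rethrow path restore it before running any code that may throw. */
#define TRY \
    do { jmp_buf env_; jmp_buf *prev_ = current_handler; \
         current_handler = &env_; \
         if (setjmp(env_) == 0) {
#define CATCH(code) \
         } else if (current_exc == (code)) { current_handler = prev_;
#define ENDTRY \
         } else { current_handler = prev_; THROW(current_exc); } \
         current_handler = prev_; } while (0)

typedef struct { const unsigned char *data; int len; } tvb_t;

/* Stand-in for tvb_new_subset(tvb, offset, -1, -1): everything from
 * offset to the end. Throws when nothing is left past offset, which is
 * the case the patch's CATCH2 comment describes. */
static tvb_t mk_rest(tvb_t tvb, int offset)
{
    tvb_t rest;
    if (offset < 0 || offset >= tvb.len)
        THROW(BOUNDS_ERROR);
    rest.data = tvb.data + offset;
    rest.len = tvb.len - offset;
    return rest;
}

/* Same shape as ssp_test(): returns 1 with *trailer filled when bytes
 * follow the 802.3 payload, 0 when the subset throws. `found` is written
 * inside TRY, so it is volatile like trailer_tvb in the patch: locals
 * changed between setjmp and longjmp are otherwise indeterminate after. */
static int get_trailer(tvb_t tvb, int offset_after_length, int length,
                       tvb_t *trailer)
{
    int volatile found = 0;
    TRY {
        *trailer = mk_rest(tvb, offset_after_length + length);
        found = 1;
    }
    CATCH(BOUNDS_ERROR) {
        found = 0;
    }
    ENDTRY;
    return found;
}

/* Assumed frame layout: 6 dst + 6 src + 2-byte 802.3 length, payload,
 * optional padding (the trailer). Clamps captured_length the way
 * dissect_802_3 does. Returns 1 if a trailer exists, else 0. */
static int dissect_802_3_demo(const unsigned char *frame, int frame_len,
                              int *payload_len, int *trailer_len)
{
    const int offset_after_length = 14;
    tvb_t tvb, trailer;
    int length, captured_length, has_trailer;

    *payload_len = *trailer_len = 0;
    if (frame_len < offset_after_length)
        return 0;
    tvb.data = frame;
    tvb.len = frame_len;
    length = (frame[12] << 8) | frame[13];
    captured_length = frame_len - offset_after_length;
    if (captured_length > length)
        captured_length = length;               /* truncated capture */
    *payload_len = captured_length;

    has_trailer = get_trailer(tvb, offset_after_length, length, &trailer);
    *trailer_len = has_trailer ? trailer.len : 0;
    return has_trailer;
}

/* Constructed frames: header with length field 4, then payload/padding. */
static const unsigned char frame_exact[18] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0,1,2,3,4,5, 0x00,0x04, 0xe0,0xe0,3,1 };
static const unsigned char frame_padded[28] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0,1,2,3,4,5, 0x00,0x04, 0xe0,0xe0,3,1 };
/* Length field says 40 bytes of payload, but only 30 bytes were captured. */
static const unsigned char frame_short[30] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0,1,2,3,4,5, 0x00,0x28 };

int main(void)
{
    const unsigned char *frames[] = { frame_exact, frame_padded, frame_short };
    const int lens[] = { 18, 28, 30 };
    int i, p, t;
    for (i = 0; i < 3; i++) {
        int has = dissect_802_3_demo(frames[i], lens[i], &p, &t);
        printf("frame %d: payload %d bytes, trailer %s (%d bytes)\n",
               i, p, has ? "yes" : "no", t);
    }
    return 0;
}
```

The exact-length frame and the truncated capture both take the CATCH path and report no trailer, which is the outcome the patch's comment describes; only the padded frame yields a trailer. Note that get_trailer restores the previous handler before its CATCH body runs, so a throw inside a handler cannot re-enter the same setjmp.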