Wireshark-bugs: [Wireshark-bugs] [Bug 1001] free() invalid pointer in dissect_802_3 at packet-ie
Date: Sun, 30 Jul 2006 19:36:28 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1001





------- Comment #23 from gentoo-a7x@xxxxxxxxxxxxxxx  2006-07-30 19:36 GMT -------
(In reply to comment #22)
> if I didn't screw my math next_tvb offset is inside except_ch.

Is that right?  I think except_ch is 28 bytes long so it ends just before
-220(%ebp).  To me it looks like the compiler put except_state and
except_ch.except_obj.except_dyndata at the same address.

> Notes:
> dissect_802_3 has two TRY in the same functions it could confuse SSP gcc.
> or it's a mess with include files can you to :

Do any other functions have more than one TRY/CATCH/ENDTRY set?  If so, maybe
we can create a pcap file with packets that will test those functions.

> 1) delete the first try (as long you don't capture truncated packet it should
> work)

I deleted lines 58-71 (inclusive) and it worked.

> 2) move the first TRY in a new function?

That also worked!  Here is the patch I used:

--- epan/dissectors/packet-ieee8023.c   2006-07-17 15:59:00.000000000 -0400
+++ epan/dissectors/packet-ieee8023.c.new       2006-07-30 13:54:24.000000000
-0400
@@ -35,6 +35,27 @@
 static dissector_handle_t ipx_handle;
 static dissector_handle_t llc_handle;

+static tvbuff_t *
+ssp_test(tvbuff_t *tvb, int offset_after_length, int length)
+{
+  tvbuff_t *volatile trailer_tvb = NULL;
+  TRY {
+    trailer_tvb = tvb_new_subset(tvb, offset_after_length + length, -1, -1);
+  }
+  CATCH2(BoundsError, ReportedBoundsError) {
+    /* The packet has exactly "length" bytes worth of captured data
+       left in it, so the "tvb_new_subset()" creating "trailer_tvb"
+       threw an exception.
+
+       This means that all the data in the frame is within the length
+       value (assuming our offset isn't past the end of the tvb), so
+       we give all the data to the next protocol and have no trailer. */
+    trailer_tvb = NULL;
+  }
+  ENDTRY;
+  return trailer_tvb;
+}
+
 void
 dissect_802_3(int length, gboolean is_802_2, tvbuff_t *tvb,
              int offset_after_length, packet_info *pinfo, proto_tree *tree,
@@ -55,20 +76,8 @@
   if (captured_length > length)
     captured_length = length;
   next_tvb = tvb_new_subset(tvb, offset_after_length, captured_length,
length);
-  TRY {
-    trailer_tvb = tvb_new_subset(tvb, offset_after_length + length, -1, -1);
-  }
-  CATCH2(BoundsError, ReportedBoundsError) {
-    /* The packet has exactly "length" bytes worth of captured data
-       left in it, so the "tvb_new_subset()" creating "trailer_tvb"
-       threw an exception.
-
-       This means that all the data in the frame is within the length
-       value (assuming our offset isn't past the end of the tvb), so
-       we give all the data to the next protocol and have no trailer. */
-    trailer_tvb = NULL;
-  }
-  ENDTRY;
+
+  trailer_tvb = ssp_test(tvb, offset_after_length, length);

   /* Dissect the payload either as IPX or as an LLC frame.
      Catch BoundsError and ReportedBoundsError, so that if the


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.