Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 3884] New: Assertion caused by fuzz test file

[bugzilla-daemon@xxxxxxxxxxxxx]

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3884

           Summary: Assertion caused by fuzz test file
           Product: Wireshark
           Version: 1.2.1
          Platform: x86
        OS/Version: Windows XP
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: wireshark@xxxxxxxxxxxxxxx


Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark
-v", or "tshark -v".
--
Load the file:
http://www.wireshark.org/download/automated/captures/fuzz-2009-08-11-11171.pcap
Select (for example) packet 3341
Right click on "Channel Type - (Speech)
Apply as Filter->Not Selected

You get: 
        default:
                DISSECTOR_ASSERT_NOT_REACHED();
                value = 0;
                break;

at line 1023 of proto.c

This is because in packet-bssgp.c at line 1712, BVCI is being added as a 16bit
integer, but the actual length from the PDU (which is in this case corrupted)
is passed to proto_tree_add_item() which when adding an integer type, cannot
handle arbitrary lengths.

While this could be fixed in packet bssgp.c by always passing the expected
length to proto_tree_add_item(), I think that the correct fix is to change
proto_tree_new_item() so that it checks that the length is as expected for
fixed length types, and prints a suitable warning if the length is not as
expected.


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.