Wireshark-bugs: [Wireshark-bugs] [Bug 6076] sflow dissector bug while parsing extended switch da
Date: Thu, 30 Jun 2011 08:00:39 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6076

--- Comment #2 from Subin <subin.c.m@xxxxxxxxx> 2011-06-30 08:00:38 PDT ---
Looked deeper, and found a possible bug in dissect_sflow_5_flow_sample()
....
    /* start loop processing flow records */
    /* we set an upper records limit to 255 in case corrupted data causes
     * huge number of loops! */
    for (i = 0; i < (g_ntohl(flow_header.records)&0x000000ff); i++) {

        offset = dissect_sflow_5_flow_record(tvb, pinfo, tree, offset);

    }
}

In dissect_sflow_5_flow_record(), the buffer offset is not getting incremented
properly in the dissectors of  Extended Switch, Router and Gateway Information.

static gint
dissect_sflow_245_extended_switch(tvbuff_t *tvb, proto_tree *tree, gint offset)
{
    gint32 len = 0;

    proto_tree_add_item(tree, hf_sflow_245_vlan_in, tvb, offset + len, 4,
FALSE);
    len += 4;
    proto_tree_add_item(tree, hf_sflow_245_pri_in, tvb, offset + len, 4,
FALSE);
    len += 4;
    proto_tree_add_item(tree, hf_sflow_245_vlan_out, tvb, offset + len, 4,
FALSE);
    len += 4;
    proto_tree_add_item(tree, hf_sflow_245_pri_out, tvb, offset + len, 4,
FALSE);
    len += 4;

    return len;  <-- This should really be "offset+len" so that we can parse
the next TLV. 
}

Similarly for dissect_sflow_245_extended_router() and
dissect_sflow_245_extended_gateway().

Please comment.

Thanks,
Subin

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.