Wireshark-bugs: [Wireshark-bugs] [Bug 6519] CIP dissector: Buildbot crash output: fuzz-2011-10-3
Date: Wed, 2 Nov 2011 23:36:14 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6519

--- Comment #13 from Roland Knall <rknall@xxxxxxxxx> 2011-11-02 23:36:13 PDT ---
It took me a lot of printf-catching and some playtime with gdb to catch the
problem in the first place, but I used the fuzz-2011-10-30-31495.pcap and the
fuzz test tool.

The method assumes that because num_services returns 9 and service is
SC_MULT_SERV_PACK the mr_mult_req_info->requests never gets checked if it is
not initialized. requests is in my case 0xBADDCAFEBADDCAFE . The call 

3584: mr_single_req_info = mr_mult_req_info->requests + i;

then sets the bad pointer in mr_single_req_info which will lead to the
seg-fault further on in dissect_cip_generic_service_rsp in the line 

3652: memcpy(&req_data, preq_info->ciaData, sizeof(cip_simple_request_info_t));

as preq_info->ciaData is 0xBADDCAFEBADDCAFFE.


So catching the pointer problem with a prober initializing to 0 would probably
catch the error. In the current version you simply cannot catch the wrong
pointer in line 3584, which is the underlying issue.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.