Wireshark-bugs: [Wireshark-bugs] [Bug 6519] CIP dissector: Buildbot crash output: fuzz-2011-10-3
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6519
--- Comment #13 from Roland Knall <rknall@xxxxxxxxx> 2011-11-02 23:36:13 PDT ---
It took me a lot of printf-catching and some playtime with gdb to catch the
problem in the first place, but I used the fuzz-2011-10-30-31495.pcap and the
fuzz test tool.
The method assumes that, because num_services returns 9 and service is
SC_MULT_SERV_PACK, mr_mult_req_info->requests never gets checked if it is
not initialized. requests is in my case 0xBADDCAFEBADDCAFE. The call
3584: mr_single_req_info = mr_mult_req_info->requests + i;
then sets the bad pointer in mr_single_req_info which will lead to the
seg-fault further on in dissect_cip_generic_service_rsp in the line
3652: memcpy(&req_data, preq_info->ciaData, sizeof(cip_simple_request_info_t));
as preq_info->ciaData is 0xBADDCAFEBADDCAFFE.
So catching the pointer problem with a proper initialization to 0 would probably
catch the error. In the current version you simply cannot catch the wrong
pointer in line 3584, which is the underlying issue.
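As an added illustration (not code from the Wireshark CIP dissector or from this bug report), a simplified model in C of the check the comment argues for: the request-side pointer starts out NULL so the response path can detect that it was never populated instead of dereferencing stale memory. Type and field names are hypothetical stand-ins borrowed from the comment.

```c
#include <string.h>

/* Simplified, hypothetical stand-ins for the request-side state the response
 * dissector consumes; field names follow the comment above. */
typedef struct { unsigned class_id; } cip_simple_request_info_t;
typedef struct { cip_simple_request_info_t *ciaData; } mr_single_req_info_t;
typedef struct {
    int num_services;
    mr_single_req_info_t *requests; /* must start out NULL, not garbage */
} mr_mult_req_info_t;

/* Walk the per-service request records the way the response handler does,
 * but refuse to dereference state that was never populated. Returns the
 * number of services handled, or -1 if the request side is missing. */
int dissect_mult_serv_rsp_model(const mr_mult_req_info_t *info)
{
    if (info == NULL || info->requests == NULL)
        return -1; /* requests never filled in: a zeroed pointer is checkable */
    int handled = 0;
    for (int i = 0; i < info->num_services; i++) {
        const mr_single_req_info_t *preq = info->requests + i;
        if (preq->ciaData == NULL)
            continue; /* per-service record guarded as well */
        cip_simple_request_info_t req_data;
        memcpy(&req_data, preq->ciaData, sizeof(cip_simple_request_info_t));
        handled++;
    }
    return handled;
}

/* Case from the bug: num_services is 9 but requests was never set. With
 * zero-initialisation the check fires instead of reading a bad pointer. */
int model_uninitialized_requests(void)
{
    mr_mult_req_info_t info = { .num_services = 9, .requests = NULL };
    return dissect_mult_serv_rsp_model(&info);
}

/* Populated case: two services, one with request data and one without. */
int model_populated_requests(void)
{
    static cip_simple_request_info_t data = { .class_id = 0x04 };
    mr_single_req_info_t reqs[2] = { { &data }, { NULL } };
    mr_mult_req_info_t info = { .num_services = 2, .requests = reqs };
    return dissect_mult_serv_rsp_model(&info);
}
```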