Wireshark-bugs: [Wireshark-bugs] [Bug 6983] New: Improper handling of Slow Protocol OAM Vendor S
Date: Thu, 22 Mar 2012 12:28:29 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6983

           Summary: Improper handling of Slow Protocol OAM Vendor Specific
                    Event Notification
           Product: Wireshark
           Version: SVN
          Platform: x86
        OS/Version: Windows 7
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: elliotparsons@xxxxxxxxx


Created attachment 8068
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8068
Patch to bug described above.

Build Information:
Version 1.7.1-EParsonsBuild (SVN Rev 41699 from /trunk)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.24.10, with Cairo 1.10.2, with Pango 1.29.4, with
GLib 2.28.8, with WinPcap (4_1_2), with libz 1.2.5, without POSIX capabilities,
with SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS
2.10.3, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio
V19-devel (built Mar 21 2012), with AirPcap.

Running on 32-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 30729
--
In the packet-slowprotocols dissector, there is a bug in the event notification
dissector. The code uses the incorrect value to skip past the data of a vendor
specific notification.

The following is taken from dissect_oampdu_event_notification:


            case OAMPDU_EVENT_TYPE_OSE:
            {
                event_tree = proto_item_add_subtree(event_item,
                                    ett_oampdu_event_ose);

                raw_octet = tvb_get_guint8(tvb, offset);
                proto_tree_add_uint(event_tree, hf_oampdu_event_length,
                        tvb, offset, 1, raw_octet);

                offset += OAMPDU_EVENT_LENGTH_SZ;

                offset += (raw_word-2);
                break;
            }

raw_octet is being set to the length of this notification, but raw_word is used
to adjust the offset. Depending on the value of raw_word, which is actually set
earlier in the function to the sequence number of this notification, the
dissector can enter an infinite loop, crashing Wireshark if the packet is
selected for display.

The attached patch file sets the offset to increment by raw_octet, which
corrects the issue.

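The following stand-alone walker is an added illustration, not the dissector's code or the attached patch: it contrasts the reported skip (advancing by the sequence number) with the corrected one (advancing by the length octet) and guards against the two outcomes a wrong skip produces, reading past the buffer and failing to move forward. The TLV layout, the EVENT_TYPE_OSE value and the advance_by_seq switch are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed layout (assumption): each event TLV is
 * [type:1][length:1][payload:length-2], the same shape the
 * slow-protocols dissector walks for OAM event notifications.
 * The length octet (the report's raw_octet) counts the whole TLV. */
#define EVENT_TYPE_OSE 0xFE   /* placeholder code for the vendor-specific event */

/* Walk a buffer of event TLVs. When advance_by_seq is non-zero the
 * walker reproduces the reported defect: it advances past an OSE
 * payload by (seq - 2), where seq stands in for raw_word, the
 * notification's sequence number, instead of by (length - 2).
 * Returns the number of events parsed, or -1 when the walker would
 * read past the buffer or stops moving forward (the infinite-loop
 * case the report describes). */
int walk_events(const uint8_t *buf, int len, uint16_t seq, int advance_by_seq)
{
    int offset = 0, count = 0;
    while (offset < len) {
        int start = offset;
        uint8_t type = buf[offset++];
        if (offset >= len)
            return -1;                 /* truncated: no length octet */
        uint8_t tlv_len = buf[offset++];
        if (tlv_len < 2 || start + tlv_len > len)
            return -1;                 /* length cannot cover its own header, or overruns */
        if (type == EVENT_TYPE_OSE && advance_by_seq)
            offset += (int)seq - 2;    /* the bug: the wrong field drives the skip */
        else
            offset += tlv_len - 2;     /* the fix: skip the payload by its length */
        if (offset > len)
            return -1;                 /* skipped past the end of the buffer */
        if (offset <= start)
            return -1;                 /* no forward progress: would loop forever */
        count++;
    }
    return count;
}

/* Constructed sample: two vendor-specific events, 5 and 3 octets long. */
static const uint8_t sample[] = { 0xFE, 0x05, 0xAA, 0xBB, 0xCC, 0xFE, 0x03, 0x11 };

int main(void)
{
    printf("skip by length octet: %d events\n", walk_events(sample, (int)sizeof sample, 0, 0));
    printf("skip by sequence number 0: %d\n", walk_events(sample, (int)sizeof sample, 0, 1));
    return 0;
}
```

With the length-driven skip both events parse; with the sequence-number skip, a sequence number of 0 leaves the offset where it started and the guard reports it instead of spinning.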