Wireshark-bugs: [Wireshark-bugs] [Bug 7068] New: CID 525: unchecked signed return value
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7068
Summary: CID 525: unchecked signed return value
Product: Wireshark
Version: SVN
Platform: x86
OS/Version: All
Status: NEW
Severity: Normal
Priority: Low
Component: Wireshark
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: wireshark@xxxxxxxxx
Build Information:
TShark 1.7.2 (SVN Rev 42025 from /trunk)
Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.24.2, with libpcap, with libz 1.2.3.4, without
POSIX capabilities, without SMI, without c-ares, without ADNS, without Lua,
without Python, with GnuTLS 2.8.6, with Gcrypt 1.4.5, with MIT Kerberos,
without GeoIP.
Running on Linux 2.6.32-5-amd64, with locale en_US.UTF-8, with libpcap version
1.1.1, with libz 1.2.3.4.
Built using gcc 4.4.5.
--
Dear all,
CID 525 is about tvb_new_octet_aligned(). datalen can be negative or 0 when
ep_alloc0(datalen) is called. If this happens, it's because of a dissector not
checking the bit_offset; I think a DISSECTOR_ASSERT() is ok for fixing this.
Coverity complains about datalen==-1, but 0 is a problem as well since
buf[datalen-1] is used.
Best regards,
Martin
BTW, the defect can be triggered by calling something like:
/* this triggers datalen==-1 */
tvb_test = tvb_new_octet_aligned(tvb, (tvb_length(tvb)+1) * 8 + 1, -1);
/* this triggers datalen==0 -> segfault */
tvb_test = tvb_new_octet_aligned(tvb, tvb_length(tvb) * 8 + 1, -1);
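Added example (not part of the original report and not Wireshark's code): a stand-alone C model of the length computation described in the report, showing that the two reported offsets give datalen -1 and 0 and that a datalen <= 0 check stops both before the allocation and the buf[datalen-1] write. The struct, the function names and the "-1 when the offset is past the end" behaviour are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for a tvbuff (assumption): bytes plus a length. */
struct buf_model { const unsigned char *data; int len; };
/* Constructed sample input. */
static const unsigned char sample[4] = { 0x12, 0x34, 0x56, 0x78 };
static const struct buf_model sample_buf = { sample, 4 };

/* datalen as modelled for no_of_bits == -1: bytes left from bit_offset / 8,
 * or -1 when that byte offset lies beyond the end (assumed behaviour). */
static int model_datalen(const struct buf_model *b, unsigned bit_offset)
{
    int byte_offset = (int)(bit_offset >> 3);
    return (byte_offset > b->len) ? -1 : b->len - byte_offset;
}

/* Copies the data starting at bit_offset into a new octet-aligned buffer.
 * Returns NULL when datalen <= 0, so neither the allocation nor the
 * buf[datalen - 1] write is reached; *out_len reports datalen. */
static unsigned char *realign_checked(const struct buf_model *b,
                                      unsigned bit_offset, int *out_len)
{
    unsigned left = bit_offset % 8, right = 8 - left;
    int i, datalen = model_datalen(b, bit_offset);
    const unsigned char *d;
    unsigned char *buf;
    *out_len = datalen;
    if (datalen <= 0)
        return NULL;
    buf = calloc((size_t)datalen, 1);
    if (buf == NULL)
        return NULL;
    d = b->data + (bit_offset >> 3);
    for (i = 0; i < datalen - 1; i++)
        buf[i] = (unsigned char)((d[i] << left) | (d[i + 1] >> right));
    buf[datalen - 1] = (unsigned char)(d[datalen - 1] << left);
    return buf;
}

int main(void)
{
    int n;
    unsigned char *p = realign_checked(&sample_buf, (4 + 1) * 8 + 1, &n);
    printf("offset 41: datalen=%d buf=%s\n", n, p ? "ok" : "rejected");
    p = realign_checked(&sample_buf, 4 * 8 + 1, &n);
    printf("offset 33: datalen=%d buf=%s\n", n, p ? "ok" : "rejected");
    free(p);
}
```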