Wireshark-bugs: [Wireshark-bugs] [Bug 7068] New: CID 525: unchecked signed return value
Date: Wed, 11 Apr 2012 13:11:21 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7068

           Summary: CID 525: unchecked signed return value
           Product: Wireshark
           Version: SVN
          Platform: x86
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: wireshark@xxxxxxxxx


Build Information:
TShark 1.7.2 (SVN Rev 42025 from /trunk)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.24.2, with libpcap, with libz 1.2.3.4, without
POSIX capabilities, without SMI, without c-ares, without ADNS, without Lua,
without Python, with GnuTLS 2.8.6, with Gcrypt 1.4.5, with MIT Kerberos,
without GeoIP.

Running on Linux 2.6.32-5-amd64, with locale en_US.UTF-8, with libpcap version
1.1.1, with libz 1.2.3.4.

Built using gcc 4.4.5.

--
Dear all,

CID 525 is about tvb_new_octet_aligned(). datalen can be negative or 0 when
ep_alloc0(datalen) is called. If this happens, it's because of a dissector not
checking the bit_offset; I think a DISSECTOR_ASSERT() is OK for fixing this.

Coverity complains about datalen==-1, but 0 is a problem as well since
buf[datalen-1] is used.

Best regards,

   Martin


BTW the defect can be triggered by calling something like

/* this triggers datalen==-1 */
tvb_test = tvb_new_octet_aligned(tvb, (tvb_length(tvb)+1) * 8 + 1, -1);

/* this triggers datalen==0 -> segfault */
tvb_test = tvb_new_octet_aligned(tvb, tvb_length(tvb) * 8 + 1, -1);

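A simplified, self-contained model of the length check discussed in the report above, added here as an example; it is not Wireshark's code and not part of the original message. The names octet_align() and remaining_len() are hypothetical, the model assumes the length lookup returns -1 for an offset past the end of the buffer, and it returns an error where the report proposes a DISSECTOR_ASSERT().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model assumption: bytes left after byte_offset, or -1 if it is past the end. */
static int32_t remaining_len(uint32_t buf_len, uint32_t byte_offset)
{
    return byte_offset > buf_len ? -1 : (int32_t)(buf_len - byte_offset);
}

/* Copy the bits of src starting at bit_offset into a new octet-aligned
 * buffer. Returns the new length, or -1 when the offset leaves no data.
 * *out is written only on success; the caller frees it. */
int32_t octet_align(const uint8_t *src, uint32_t src_len,
                    uint32_t bit_offset, uint8_t **out)
{
    uint32_t byte_offset = bit_offset >> 3;
    unsigned left = bit_offset % 8;   /* left shift for the current byte */
    unsigned right = 8 - left;        /* right shift for the following byte */
    int32_t datalen = remaining_len(src_len, byte_offset);
    int32_t i;
    uint8_t *buf;

    /* The guard: datalen == -1 would become a huge size_t in the allocation,
     * and datalen == 0 would make buf[datalen - 1] index before the buffer. */
    if (datalen <= 0)
        return -1;

    buf = calloc((size_t)datalen, 1);
    if (buf == NULL)
        return -1;

    for (i = 0; i < datalen - 1; i++)
        buf[i] = (uint8_t)((src[byte_offset + i] << left) |
                           (src[byte_offset + i + 1] >> right));
    buf[datalen - 1] = (uint8_t)(src[byte_offset + datalen - 1] << left);

    *out = buf;
    return datalen;
}

int main(void)
{
    const uint8_t src[2] = {0xAB, 0xCD};   /* constructed sample bytes */
    uint8_t *out = NULL;

    printf("%d\n", (int)octet_align(src, 2, (2 + 1) * 8 + 1, &out));
    printf("%d\n", (int)octet_align(src, 2, 2 * 8 + 1, &out));
    printf("%d\n", (int)octet_align(src, 2, 4, &out));
    free(out);
    return 0;
}
```

The first two calls in main() use the same offset arithmetic as the two trigger calls in the report, applied to a 2-byte buffer.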