Wireshark-bugs: [Wireshark-bugs] [Bug 7563] Capture file that crashes wireshark
Date: Thu, 9 Aug 2012 06:21:19 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7563

Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #8927|review_for_checkin?         |review_for_checkin+
              Flags|                            |

--- Comment #19 from Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> 2012-08-09 06:21:18 PDT ---
Comment on attachment 8927
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8927
Improve input validation for ERF channelised extension header

Checked in r44377 with one change: with this patch was Valgrind complained thus
on the fuzz'd capture file attached to this bug report:

~~~
==28191== Conditional jump or move depends on uninitialised value(s)
==28191==    at 0x62D19D8: channelised_fill_vc_id_string (packet-erf.c:738)
==28191==    by 0x62D1C43: dissect_channelised_ex_header (packet-erf.c:798)
==28191==    by 0x62D349E: dissect_erf_pseudo_extension_header
(packet-erf.c:1141)
==28191==    by 0x62D364C: dissect_erf (packet-erf.c:1190)
==28191==    by 0x607A980: call_dissector_through_handle (packet.c:419)
==28191==    by 0x607B16E: call_dissector_work (packet.c:510)
==28191==    by 0x607C291: dissector_try_uint_new (packet.c:935)
==28191==    by 0x630C9E8: dissect_frame (packet-frame.c:383)
==28191==    by 0x607A980: call_dissector_through_handle (packet.c:419)
==28191==    by 0x607B16E: call_dissector_work (packet.c:510)
==28191==    by 0x607B2D0: call_dissector (packet.c:2000)
==28191==    by 0x607CDE3: dissect_packet (packet.c:350)
~~~

So I changed the "if ( (0 == vc_size) || (vc_size > DECHAN_MAX_VC_SIZE) ||
(rate > DECHAN_MAX_LINE_RATE) )" condition to also set m_sdh_line_rate to 0.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.