Wireshark-bugs: [Wireshark-bugs] [Bug 8941] Fuzz failure: NTLMSSP caused crash in print_hex_data
Comment #6 on bug 8941 from Anders Broman
(In reply to comment #5)
> OK, so the problem is that the NTLMSSP dissector is storing 2 different
> things on the FD:
>
> 1) dissect_ntlmssp_auth() stores a ntlmssp_info
> 2) decrypt_data_payload() and others store a packet_ntlmssp_info
>
> (This is OLD code: the 2nd use was added in r6825.)
>
> The problem is that in frame 13201 there's both an auth blob and another
> blob that gets decrypted. dissect_ntlmssp_auth() stores a ntlmssp_info and
> decrypt_data_payload() retrieves it, thinks it's a packet_ntlmssp_info and
> eventually crashes on an invalid pointer.
>
> If I get rid of (1) the crash goes away AND the couple of sample captures I
> got (from bug 5251 and bug 2444) decode the same way. Probably requires
> more investigation before going that route... Maybe the solution is obvious
> to someone who knows the protocol better...
>
> Oh, yeah, there is one obvious solution: trunk and trunk-1.10 have a key
> used for storing proto_data. Make ntlmssp_info key=0 and
> packet_ntlmssp_info key=1 and then both functions can store their data on
> there. But that doesn't help trunk-1.8 (which also crashes on this capture).
Should we consider backporting the index thingy then? It requires an API change
so it's not straightforward. But perhaps the right thing to do...
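The type confusion discussed in this thread, as an added example that is not part of the bug report or of Wireshark's code: a toy per-frame proto_data store, written in C, in which two callers file different struct types under the same protocol id. The struct layouts, the protocol id, the key constants and the helper names (p_add_proto_data_model, p_get_proto_data_model, dissect_frame) are hypothetical stand-ins for the real dissector and API, chosen only to show why a lookup keyed by protocol alone returns the wrong object when a single frame carries both an AUTH blob and an encrypted blob, and why a per-caller key fixes it.

```c
/* Added example: simplified model of a per-frame proto_data store.
 * NOT Wireshark's real API; every name here is a hypothetical stand-in. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PROTO_NTLMSSP   1   /* hypothetical protocol id */
#define MAX_PROTO_DATA  8

/* Distinct keys, used only when the fixed (keyed) variant is selected. */
#define KEY_NTLMSSP_INFO        0
#define KEY_PACKET_NTLMSSP_INFO 1

struct ntlmssp_info {            /* what dissect_ntlmssp_auth() stores */
    uint32_t flags;
    uint8_t  session_key[16];
};

struct packet_ntlmssp_info {     /* what decrypt_data_payload() stores */
    uint8_t *decrypted_payload;  /* garbage if the object is really an ntlmssp_info */
    size_t   payload_len;
};

struct proto_data_entry { int proto; int key; void *data; };
struct frame_data { struct proto_data_entry entries[MAX_PROTO_DATA]; int count; };

static void p_add_proto_data_model(struct frame_data *fd, int proto, int key, void *data)
{
    if (fd->count < MAX_PROTO_DATA)
        fd->entries[fd->count++] = (struct proto_data_entry){ proto, key, data };
}

/* First match wins, as a (proto, key) list lookup would. */
static void *p_get_proto_data_model(const struct frame_data *fd, int proto, int key)
{
    for (int i = 0; i < fd->count; i++)
        if (fd->entries[i].proto == proto && fd->entries[i].key == key)
            return fd->entries[i].data;
    return NULL;
}

/* Objects produced while dissecting one constructed frame. */
static struct ntlmssp_info        g_auth_info;
static struct packet_ntlmssp_info g_pkt_info;
static uint8_t                    g_decrypted[4];

/* Models a frame holding both an AUTH blob and an encrypted blob.
 * use_keys == 0 models a store where both callers share one key. */
static struct packet_ntlmssp_info *dissect_frame(struct frame_data *fd, int use_keys)
{
    int auth_key = use_keys ? KEY_NTLMSSP_INFO        : 0;
    int pkt_key  = use_keys ? KEY_PACKET_NTLMSSP_INFO : 0;

    memset(fd, 0, sizeof *fd);

    /* dissect_ntlmssp_auth(): remember negotiated flags and session key
     * (constructed values, not taken from any capture). */
    g_auth_info.flags = 0xe2888215u;
    memset(g_auth_info.session_key, 0xAB, sizeof g_auth_info.session_key);
    p_add_proto_data_model(fd, PROTO_NTLMSSP, auth_key, &g_auth_info);

    /* decrypt_data_payload(): reuse per-packet state if already present,
     * otherwise create it. With a shared key the lookup returns
     * g_auth_info and the caller treats it as a packet_ntlmssp_info. */
    struct packet_ntlmssp_info *pkt = p_get_proto_data_model(fd, PROTO_NTLMSSP, pkt_key);
    if (pkt == NULL) {
        g_pkt_info.decrypted_payload = g_decrypted;
        g_pkt_info.payload_len       = sizeof g_decrypted;
        p_add_proto_data_model(fd, PROTO_NTLMSSP, pkt_key, &g_pkt_info);
        pkt = &g_pkt_info;
    }
    return pkt;   /* never dereferenced here: pkt->decrypted_payload may be garbage */
}

/* 1 if the lookup handed back the ntlmssp_info object under the wrong type. */
int lookup_is_confused(int use_keys)
{
    struct frame_data fd;
    struct packet_ntlmssp_info *pkt = dissect_frame(&fd, use_keys);
    return (void *)pkt == (void *)&g_auth_info;
}

/* 1 if the lookup returned the real packet_ntlmssp_info with a valid pointer. */
int lookup_is_correct(int use_keys)
{
    struct frame_data fd;
    struct packet_ntlmssp_info *pkt = dissect_frame(&fd, use_keys);
    return pkt == &g_pkt_info && pkt->decrypted_payload == g_decrypted;
}
```

In the unkeyed variant the caller gets back the address of the auth object, so the bytes of flags and session_key are read as decrypted_payload; the model stops at the pointer comparison rather than dereferencing it. Giving each caller its own key makes the two entries distinguishable, which is the point of the key=0 / key=1 suggestion above.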