Wireshark-commits: [Wireshark-commits] master ec5adb0: tvbuff_composite: fix buffer overflow due to
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Fri, 12 Oct 2018 05:07:15 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=ec5adb0ce98c37c8119feb972a5207e0e1721d9b
Submitter: "Anders Broman <a.broman58@xxxxxxxxx>"
Changed: branch: master
Repository: wireshark

Commits:

ec5adb0 by Peter Wu (peter@xxxxxxxxxxxxx):

    tvbuff_composite: fix buffer overflow due to wrong offset adjustment
    
    The tvb_offset method should return the offset of the buffer within the
    backing tvb (ds_tvb). The currently returned non-zero offset is valid
    for tvbuff_subset.c, but not for the composite TVB. The backing tvb is
    the tvb itself, so the offset should be zero (or "counter" for
    consistency with tvbuff_real.c and others).
    
    This bug is observable with the capture from the bug. In tshark, the
    data field in the PDML output has value "field length invalid!" and the
    position attribute ("pos") is too large. With the -V option it even
    crashes with a buffer overflow (read). In the GUI, the bytes tab shows
    range 3199-19642 even if the data source is only 16444 bytes while the
    selection should have been 0-16443.
    
    Bug: 14466
    Change-Id: I01399ff500321dba262eb60b67c4cddb173b4679
    Reviewed-on: https://code.wireshark.org/review/30124
    Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
    

Actions performed:

    from  3bb6c5c   ieee802154: Show FCF reserved bit
     add  ec5adb0   tvbuff_composite: fix buffer overflow due to wrong offset adjustment


Summary of changes:
 epan/tvbuff_composite.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
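
The offset calculation described in the commit message, as a simplified model added here for illustration; it is not Wireshark's code and does not use its structs or API. The type and function names, the 20000-byte frame and the 1000-byte member are constructed, and the pre-fix composite behaviour is modelled as delegating to the first member, which is an assumption; 3199 and 16444 are the figures quoted in the commit message.

```c
#include <stdio.h>

/* Simplified model, not Wireshark's structs or API. */
enum kind { REAL, SUBSET, COMPOSITE };

struct buf {
    enum kind kind;
    unsigned length;           /* bytes visible through this buffer */
    unsigned offset;           /* SUBSET only: start inside backing */
    const struct buf *backing; /* SUBSET: parent, COMPOSITE: first member */
};

/* Offset of b inside its own data source. fixed=0 models the pre-fix
 * composite behaviour as delegating to the first member (assumption). */
unsigned offset_in_ds(const struct buf *b, unsigned counter, int fixed)
{
    switch (b->kind) {
    case SUBSET:
        return offset_in_ds(b->backing, counter + b->offset, fixed);
    case COMPOSITE:
        /* A composite is its own data source, so nothing is added. */
        return fixed ? counter : offset_in_ds(b->backing, counter, fixed);
    default: /* REAL */
        return counter;
    }
}

/* Overflow-safe check that [start, start+len) lies inside the data source. */
int range_in_bounds(unsigned start, unsigned len, unsigned ds_len)
{
    return start <= ds_len && len <= ds_len - start;
}

/* Constructed scenario using the sizes quoted in the commit message. */
static const struct buf frame  = { REAL, 20000, 0, NULL };       /* constructed size */
static const struct buf member = { SUBSET, 1000, 3199, &frame }; /* constructed length */
static const struct buf comp   = { COMPOSITE, 16444, 0, &member };

unsigned composite_start(int fixed) { return offset_in_ds(&comp, 0, fixed); }

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        unsigned s = composite_start(fixed);
        printf("%s: range %u-%u, in bounds: %d\n", fixed ? "fixed" : "pre-fix",
               s, s + comp.length - 1, range_in_bounds(s, comp.length, comp.length));
    }
    return 0;
}
```

In the model, the pre-fix path yields the range 3199-19642 against a 16444-byte data source, and the fixed path yields 0-16443.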