Wireshark-commits: [Wireshark-commits] master-2.6 ff4b861: frame: increase EXCEPTION_TREE_ITEMS.
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Wed, 08 May 2019 23:17:32 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=ff4b8613ffd6787a2d45d501402a7d9383dd1225
Submitter: "Peter Wu <peter@xxxxxxxxxxxxx>"
Changed: branch: master-2.6
Repository: wireshark

Commits:

ff4b861 by Dario Lombardo (lomato@xxxxxxxxx):

    frame: increase EXCEPTION_TREE_ITEMS.
    
    Thanks to Peter Wu for the deep analysis of the issue:
    
    Reproduce this issue with master v3.1.0rc0-662-gfd30adca44 and the reproducer from
    the oss-fuzz issue tracker:
    
    HOME=/x FUZZSHARK_TABLE=ip.proto FUZZSHARK_TARGET=ospf fuzzshark
        clusterfuzz-testcase-minimized-fuzzshark_ip_proto-ospf-5128657784799232
    
    Attached are the traces for watchpoints on changes to parent_tree.tree_data.count;
    this revealed 7 nodes that were added from the catch block in epan/expert.c:759.
    
    show_reported_bounds_error adds a proto node and calls expert_add_info:
    1. _ws.malformed - protocol node via epan/show_exception.c:177
    
    expert_create_tree adds two items:
    2. _ws.malformed - expert tree via epan/expert.c:480
    3. _ws.malformed - protocol filter because group==PI_MALFORMED via epan/expert.c:488
    
    Because an explicit ei field was given: "add_expert_info(..., &ei_malformed)", two
    fields are added instead of one:
    4. _ws.malformed.expert - none node via epan/expert.c:543
    5. _ws.expert.message - string node via epan/expert.c:545
    
    Two more fields are added for the severity and group:
    6. _ws.expert.severity - uint node via epan/expert.c:549
    7. _ws.expert.group - uint node via epan/expert.c:552
    
    So this problem would never occur when an exception is triggered via DISSECTOR_ASSERT,
    but only for ReportedBoundsError exceptions (which occur when trying to use proto_tree_add_item
    with invalid bounds for a tvb).
    
    In conclusion, increasing EXCEPTION_TREE_ITEMS by 2 would suffice, but bump it to 10
    (double the current value) to prevent similar crashes from happening if a few more items
    are added in the future.
    
    Bug: 14978
    Change-Id: Ib9f5e254aeb4d756da5bab8f2e7ccf2572764aa4
    Reviewed-on: https://code.wireshark.org/review/33060
    Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
    Reviewed-by: Dario Lombardo <lomato@xxxxxxxxx>
    (cherry picked from commit f3a86c02dd8bda54cc23d0cc5fdd07702fbaa211)
    Reviewed-on: https://code.wireshark.org/review/33123
    

Actions performed:

    from  245b8fe   print: remove leak in ek_check_protocolfilter().
     add  ff4b861   frame: increase EXCEPTION_TREE_ITEMS.


Summary of changes:
 epan/dissectors/packet-frame.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)