Wireshark-dev: Re: [Wireshark-dev] [Wireshark-commits] rev 33464: /trunk/epan/dissectors/ /trun
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Wed, 07 Jul 2010 14:49:55 -0400
Gerald Combs wrote:
morriss@xxxxxxxxxxxxx wrote:
http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=33464

User: morriss
Date: 2010/07/07 08:52 AM

Log:
 Fix infinite recursion reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4984 : In try_get_ber_length() make sure we move forward before recursing.

Directory: /trunk/epan/dissectors/
  Changes    Path            Action
  +57 -56    packet-ber.c    Modified

If I apply the attached debugging code to packet-ber.c I see some high
stack counts in the fuzz capture from bug 4984. It looks like we're
still vulnerable to a stack overflow.

Interesting--I don't get any stacks deeper than 10 on that capture file.

Shouldn't we remove recursion from try_get_ber_length or at least throw
an exception when we run into, say, 5 levels of nesting?

I don't know enough to say what's a valid depth.

In looking at the sample captures I have, I only got to a depth above 10 on one which is probably supposed to be valid but throws an exception in the end.

But this sample capture:

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=c06-ldapv3-enc-r1.pcap.gz

gets depths as high as 25,604...