Having an avp_length be zero is invalid. avph.avp_length has to be at LEAST
the size of the AVP header. So, in this case (an invalid packet), instead of
your fix, there needs to be an error check.
But, the diameter dissector is currently under MAJOR revision, so your patch
will no longer address that particular problem.
I should be posting diffs to packet-diameter.c, packet-diameter-defs.h, and
packet-radius.c later this week.
Thanks for the catch though! It was definitely a bug (since I wasn't handling
erroneous packets properly).
Later,
--Dave
On Sun, Feb 18, 2001 at 07:10:06PM +0100, Dick Gooris wrote:
> Gilbert, Guy,
>
> I tried to narrow down the issue I brought up. I think I found
> the code location where it hangs and created a bug-fix for it.
>
> See the info below. Please inform me if the fix is ok with you.
>
>
> File : packet-diameter.c
>
> Function : dissect_attribute_value_pairs();
>
> Location : In the loop : while (avplength > 0 ) {
>
> Cause : avplength = avplength - (avph.avp_length + fixAmt);
> The part : (avph.avp_length + fixAmt) is sometimes 0,
> which causes the while-loop control to never decrement,
> and causes hang.
>
> Solution : (To be approved by you or diameter owner)
>
> Just before 'avplength=avplength - ...'
>
> /* Loop control */
> if (avph.avp_length + fixAmt == 0 ) {
>     break;
> }
>
> avplength=avplength - (avph.avp_length + fixAmt);
>
> :
> :
>
> Best regards,
>
> - Dick Gooris Hilversum, The Netherlands
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
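The error check the reply asks for, sketched as an added example (not code from packet-diameter.c or from either poster): an AVP walk that rejects any length below the header size instead of stepping over it. It assumes the AVP header layout later standardized in RFC 6733 (4-byte code, 1-byte flags, 3-byte length, optional 4-byte Vendor-ID), which may differ from the draft the 2001 dissector handled; `count_avps` and the sample buffers are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AVP_HDR_LEN     8u     /* code(4) + flags(1) + length(3): assumed layout */
#define AVP_FLAG_VENDOR 0x80u  /* Vendor-ID present: header grows by 4 bytes */

/* Walks the AVPs in buf[0..len). Returns the number of well-formed AVPs, or -1
 * when a header is truncated or a length field is invalid. Always terminates. */
int count_avps(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < AVP_HDR_LEN)
            return -1;                      /* truncated header */
        const uint8_t *p = buf + off;
        size_t hdr = AVP_HDR_LEN + ((p[4] & AVP_FLAG_VENDOR) ? 4u : 0u);
        size_t avp_len = ((size_t)p[5] << 16) | ((size_t)p[6] << 8) | p[7];
        /* The error check: a length of 0 (or anything below the header
         * size) marks a malformed packet, so stop with an error. */
        if (avp_len < hdr || avp_len > remaining)
            return -1;
        /* Pad to a 4-byte boundary (the role fixAmt plays in the thread). */
        size_t step = (avp_len + 3u) & ~(size_t)3u;
        if (step > remaining)
            step = remaining;               /* final AVP sent without padding */
        off += step;                        /* step >= 8, so the loop advances */
        count++;
    }
    return count;
}

/* Constructed sample data, not captured traffic. */
static const uint8_t good_avps[] = {
    0,0,0,1, 0x40, 0,0,12, 'a','b','c','d',   /* 12-byte AVP */
    0,0,0,2, 0x40, 0,0,9,  'x', 0,0,0         /* 9 bytes + 3 bytes padding */
};
static const uint8_t zero_len_avp[] = {
    0,0,0,1, 0x40, 0,0,0,  0,0,0,0            /* avp_length == 0 */
};

int main(void)
{
    printf("good: %d\n", count_avps(good_avps, sizeof good_avps));
    printf("zero length: %d\n", count_avps(zero_len_avp, sizeof zero_len_avp));
    return 0;
}
```

Unlike a `break` on a zero step, the `-1` return lets the caller mark the packet as malformed rather than silently ending the AVP list.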