http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1513
Summary: Wrong length for tvb_memcpy in packet-bthci_acl.c
Product: Wireshark
Version: SVN
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: Low
Component: TShark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: florent.drouin@xxxxxxxxxx
Build Information:
TShark 0.99.6-SVN-21332
Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.6.4, with libpcap 0.9.5, with libz 1.2.2, with libpcre
4.5,
without Net-SNMP, with ADNS, without Lua, with GnuTLS 1.0.16, with Gcrypt
1.2.0,
without Kerberos.
Running on Linux 2.6.17.3, with libpcap version 0.9.5.
Built using gcc 3.3.5 (Debian 1:3.3.5-13).
--
In dissect_btacl, the length of the allocated buller for the copy, is not the
same as the buffer to be copied.
<<
mfp=se_alloc(sizeof(multi_fragment_pdu_t));
mfp->first_frame=pinfo->fd->num;
mfp->last_frame=0;
mfp->tot_len=l2cap_length+4;
mfp->reassembled=se_alloc(l2cap_length+4);
tvb_memcpy(tvb, (guint8*)mfp->reassembled,
offset, tvb_length_remaining(tvb, offset));
mfp->cur_off=tvb_length_remaining(tvb, offset);
se_tree_insert32(chandle_data->start_fragments,
pinfo->fd->num, mfp);
>>
The tvb_memcpy should use mfp->tot_len, and not the remaining length.
I think the next tvb_memcpy, few lines hereafter, has the same problem, but I
am not sure we can apply the same correction.
The first error has been detected with Valgring.
--
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.