http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2470
Bill Meier <wmeier@xxxxxxxxxxx> changed:
What       |Removed   |Added
----------------------------------------------------------------------------
Status     |ASSIGNED  |RESOLVED
Resolution |          |FIXED
--- Comment #6 from Bill Meier <wmeier@xxxxxxxxxxx> 2008-05-21 11:05:19 PDT ---
Fixed in SVN #25343.
Essentially: an attempt to reassemble a sequence of frames like the following
caused a crash in fragment_add_work() in reassemble.c.
(The offsets, etc. values are from the extract pcap attached.)
frame #1: offset: 0 len: 1460
frame #2: offset: 1460 len: 1460
frame #3: offset: 2920 len: 1460
frame #4: offset: 15663 len: 1460
frame #5: offset: 15663 len: 1460
frame #6: offset: 2299 len: 1460; Flags: FIN + ...
Notes:
'DESEGMENT_UNTIL_FIN' was involved requiring a reassembly
of the fragments in the 6 frames;
The crash (which did not consistently occur on Windows) was due to a
memcmp() in fragment_add_work comparing beyond the end of a g_malloc'd buffer.
I'm guessing that the occurrence of the crash depended upon the
exact sequence of memory allocations, etc.
In fact, for tshark the crash would occur or not occur depending upon
the options supplied to tshark (-n, etc.).
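The failure mode described in the comment, as an added example that is not Wireshark's code and not the SVN #25343 change: an overlap comparison that clamps the memcmp() length to the bytes actually allocated, run over the six frame offsets listed above. The buffer size (assumed to end where the FIN frame ends, 2299 + 1460 = 3759 bytes), the payload pattern, and the names check_overlap, classify_frame and OVERLAP_* are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum overlap { OVERLAP_NONE, OVERLAP_MATCH, OVERLAP_CONFLICT, OVERLAP_PAST_END };

/* Compare a fragment with already-reassembled data, reading only inside buf. */
enum overlap check_overlap(const uint8_t *buf, size_t buf_len,
                           const uint8_t *frag, size_t off, size_t len)
{
    if (len == 0 || off >= buf_len)
        return OVERLAP_NONE;              /* starts at or past the end: nothing to compare */
    size_t room = buf_len - off;          /* bytes of buf available from off */
    size_t n = len < room ? len : room;   /* clamp instead of trusting len */
    if (memcmp(buf + off, frag, n) != 0)
        return OVERLAP_CONFLICT;
    return len > room ? OVERLAP_PAST_END : OVERLAP_MATCH;
}

/* Constructed payload: the byte at stream position p. */
static uint8_t stream_byte(size_t p) { return (uint8_t)(p * 31u + 7u); }

/* Assumption: the buffer ends where the FIN frame ends, 2299 + 1460 = 3759. */
#define BUF_LEN 3759u
#define SEG_LEN 1460u

/* Offsets of frames #1..#6 as listed in the comment. */
static const size_t frame_off[6] = { 0, 1460, 2920, 15663, 15663, 2299 };

enum overlap classify_frame(int frame_no, int corrupt)
{
    static uint8_t buf[BUF_LEN];
    uint8_t frag[SEG_LEN];
    if (frame_no < 1 || frame_no > 6) return OVERLAP_NONE;
    size_t off = frame_off[frame_no - 1];
    for (size_t p = 0; p < BUF_LEN; p++) buf[p] = stream_byte(p);
    for (size_t i = 0; i < SEG_LEN; i++) frag[i] = stream_byte(off + i);
    if (corrupt) frag[0] ^= 0xff;         /* simulate conflicting retransmitted data */
    return check_overlap(buf, BUF_LEN, frag, off, SEG_LEN);
}

int main(void)
{
    static const char *name[] = { "none", "match", "conflict", "past-end" };
    for (int f = 1; f <= 6; f++)
        printf("frame #%d: %s\n", f, name[classify_frame(f, 0)]);
    return 0;
}
```

Under the assumed buffer size, frame #3 runs 621 bytes past the end of the buffer, which is the case an unclamped memcmp() would read out of bounds.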