Wireshark-bugs: [Wireshark-bugs] [Bug 4992] Support to decode the Gearman protocol

Date: Tue, 13 Jul 2010 08:55:49 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4992

--- Comment #10 from Flier Lu <flier.lu@xxxxxxxxx> 2010-07-13 08:55:44 PDT ---
Created an attachment (id=4914)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4914)
use tvb_format_text instead of tvb_get_ptr

I have fixed the tvb_get_ptr issues based on Gerald's suggestion, but there is
another strange crash when I run fuzz-test.sh


[flierlu@web wireshark]$ ./tools/fuzz-test.sh plugins/gearman/gearman.pcap      
Running ./tshark with args: -nVxr (forever)

Starting pass 1:
    plugins/gearman/gearman.pcap: ./tools/fuzz-test.sh: line 138: 26218 Aborted
                (core dumped) "$TSHARK" $TSHARK_ARGS $TMP_DIR/$TMP_FILE >
/dev/null 2> $TMP_DIR/$ERR_FILE

 ERROR
Processing failed.  Capture info follows:

  Output file: /tmp/fuzz-2010-07-13-26169.pcap
[flierlu@web wireshark]$ gdb /opt/disk2/home/flierlu/wireshark/.libs/lt-tshark
core.
core.26218  core.9453   
[flierlu@web wireshark]$ gdb /opt/disk2/home/flierlu/wireshark/.libs/lt-tshark
core.26218 
...
#11 0xb5cda5ae in g_malloc () from /usr/lib/libglib-2.0.so.0
#12 0xb62e921e in tvb_get_string (tvb=0xa051878, offset=1, length=3) at
tvbuff.c:2222
#13 0xb656e5b4 in dissect_binary_packet (tvb=0xa051878, pinfo=0xbf88f134,
gearman_tree=0xa1665a8) at packet-gearman.c:213

The code crashes when it calls g_malloc

void 
dissect_binary_packet(tvbuff_t *tvb, packet_info *pinfo, proto_tree
*gearman_tree)
{
  gint offset = 0;
  char *magic_code = NULL;
  guint32 type, size;

  while (tvb_length_remaining(tvb, offset) >= GEARMAN_COMMAND_HEADER_SIZE)
  {
    magic_code = tvb_get_string(tvb, offset+1, 3); // crash here

but tvb_get_string only tries to allocate a 2-byte buffer

guint8 *
tvb_get_string(tvbuff_t *tvb, const gint offset, const gint length)
{
    const guint8 *ptr;
    guint8 *strbuf = NULL;

    tvb_ensure_bytes_exist(tvb, offset, length);

    ptr = ensure_contiguous(tvb, offset, length);
    strbuf = g_malloc(length + 1); // crash here
    if (length != 0) {
        memcpy(strbuf, ptr, length);
    }
    strbuf[length] = '\0';
    return strbuf;
}

I have no idea why or how to fix it; could you give me some advice?

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
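The dissector loop above reads a 12-byte Gearman command header (GEARMAN_COMMAND_HEADER_SIZE) and pulls the three magic bytes after the leading NUL with tvb_get_string(tvb, offset+1, 3). The following is an added example, not Wireshark's tvbuff code and not the patch attached to this bug: a stand-alone C parser for the same binary framing, written the way a fuzz-hardened dissector loop needs to behave. It assumes the Gearman header layout from the protocol description (one NUL byte, then "REQ" or "RES", then a big-endian 4-byte command type and a big-endian 4-byte payload size), checks the declared size against the bytes actually remaining before advancing, and allocates length + 1 for the NUL-terminated magic copy exactly as tvb_get_string does. The sample packets, the helper names (parse_gearman_frames, copy_bytes_as_string, sample_frame_count and friends) and the third, deliberately truncated header are all constructed for this example. Note that a crash inside g_malloc itself is typically a symptom of heap corruption by an earlier write, not of the allocation being asked for, which is why the bounds on every read and copy in a loop like this are worth verifying under fuzz-test.sh.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GEARMAN_COMMAND_HEADER_SIZE 12  /* NUL + 3 magic bytes, 4-byte type, 4-byte size */

typedef struct {
    char     magic[4];     /* "REQ" or "RES", NUL-terminated */
    uint32_t type;         /* command number (big-endian on the wire) */
    uint32_t size;         /* payload length (big-endian on the wire) */
    size_t   payload_off;  /* offset of the payload in the input buffer */
} gearman_frame;

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Same contract as tvb_get_string(tvb, off, len): allocate len + 1 bytes,
 * copy exactly len of them and NUL-terminate. The caller frees the result. */
static char *copy_bytes_as_string(const uint8_t *src, size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, src, len);
    s[len] = '\0';
    return s;
}

/* Walk back-to-back Gearman binary packets in buf. Returns the number of
 * complete frames stored in out[], or -1 on a bad magic. *truncated is set
 * when a header promises more payload than the buffer still holds; the loop
 * stops there rather than reading past the end. Trailing bytes shorter than
 * a header are ignored, as in the dissector's while condition. */
int parse_gearman_frames(const uint8_t *buf, size_t len,
                         gearman_frame *out, size_t max_out, int *truncated)
{
    size_t offset = 0;
    int count = 0;

    *truncated = 0;
    while (len - offset >= GEARMAN_COMMAND_HEADER_SIZE && (size_t)count < max_out) {
        const uint8_t *hdr = buf + offset;
        char *magic;
        uint32_t size;

        if (hdr[0] != 0)                      /* first byte of the magic is always NUL */
            return -1;
        magic = copy_bytes_as_string(hdr + 1, 3);
        if (magic == NULL)
            return -1;
        if (strcmp(magic, "REQ") != 0 && strcmp(magic, "RES") != 0) {
            free(magic);
            return -1;
        }
        size = get_be32(hdr + 8);
        /* Validate the attacker-controlled size before using it to advance. */
        if (size > len - offset - GEARMAN_COMMAND_HEADER_SIZE) {
            free(magic);
            *truncated = 1;
            break;
        }
        memcpy(out[count].magic, magic, 4);
        free(magic);
        out[count].type        = get_be32(hdr + 4);
        out[count].size        = size;
        out[count].payload_off = offset + GEARMAN_COMMAND_HEADER_SIZE;
        count++;
        offset += GEARMAN_COMMAND_HEADER_SIZE + size;
    }
    return count;
}

/* Constructed sample (not a real capture): two well-formed packets, then a
 * header whose size field (0x100) promises far more than the 2 bytes left.
 * Types 7 and 8 are SUBMIT_JOB and JOB_CREATED in the Gearman spec; the
 * parser does not depend on those values. */
static const uint8_t SAMPLE[] = {
    0, 'R','E','Q',  0,0,0,7,  0,0,0,3,  'a','b','c',
    0, 'R','E','S',  0,0,0,8,  0,0,0,0,
    0, 'R','E','Q',  0,0,0,7,  0,0,1,0,  'x','y'
};
static const uint8_t BAD_MAGIC[] = { 0, 'F','O','O', 0,0,0,1, 0,0,0,0 };
static gearman_frame g_frames[4];

int sample_frame_count(void)
{
    int t;
    return parse_gearman_frames(SAMPLE, sizeof SAMPLE, g_frames, 4, &t);
}

int sample_truncated(void)
{
    int t;
    parse_gearman_frames(SAMPLE, sizeof SAMPLE, g_frames, 4, &t);
    return t;
}

uint32_t sample_frame_type(int i) { sample_frame_count(); return g_frames[i].type; }
uint32_t sample_frame_size(int i) { sample_frame_count(); return g_frames[i].size; }

int bad_magic_result(void)
{
    int t;
    return parse_gearman_frames(BAD_MAGIC, sizeof BAD_MAGIC, g_frames, 4, &t);
}

int main(void)
{
    int n = sample_frame_count();
    for (int i = 0; i < n; i++)
        printf("%s type=%u size=%u payload@%zu\n", g_frames[i].magic,
               g_frames[i].type, g_frames[i].size, g_frames[i].payload_off);
    printf("truncated=%d bad_magic=%d\n", sample_truncated(), bad_magic_result());
    return 0;
}
```

The two checks that matter for a fuzzed capture are the `hdr[0] != 0` / magic comparison, which rejects garbage before any further field is trusted, and the `size > remaining` test, which keeps a corrupted size field from carrying `offset` past the end of the buffer; the length + 1 allocation in copy_bytes_as_string is the pattern tvb_get_string already follows, so by itself it cannot explain an abort inside the allocator.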