https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5825
--- Comment #1 from Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx> 2011-04-13 15:37:27 MDT ---
This problem is occurring because the function fDevice_Instance() in
packet-bacapp.c calls:
tag_len = fTagHeader (tvb, offset, &tag_no, &tag_info, &lvt);
ti = proto_tree_add_item(tree, hf, tvb, offset+tag_len, lvt, TRUE);
with hf (passed as the final argument to the fDevice_Instance function) being
one of two types: hf_Device_Instance_Range_Low_Limit or
hf_Instance_Range_High_Limit. Both of these are type FT_UINT32. So the code
that is throwing the assert is in get_uint_value() in epan/proto.c, where it
checks the length for type *UINT* and it can only be 1, 2, 3 or 4 bytes long.
The fuzzed capture is causing the length (lvt variable above) to be 6, thus the
default case is taken in the switch(length) which is
DISSECTOR_ASSERT_NOT_REACHED.
Since fDevice_Instance is only called from two places in fWhoisRequest(), and
only with the two hf_ types above (both FT_UINT32), my best guess for a fix
would be to change it to not fetch the length as shown at the top of this
comment, but instead use 4 bytes each type (or lookup the right value based on
the hf_ type that is passed to the function).
Comments?
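The following is an added example, not Wireshark code and not part of the bug report above. It models the tag-header parse that fDevice_Instance() relies on (BACnet initial octet, extended tag number, extended length) and then applies the 1..4 byte range that get_uint_value() accepts for an FT_UINT32 item before the value is fetched, so a fuzzed length such as 6 is reported as a malformed field instead of reaching DISSECTOR_ASSERT_NOT_REACHED. tag_header(), device_instance(), decode_at() and the sample byte strings are all hypothetical and constructed for this example.

```c
/* Added example (not Wireshark code): a minimal model of the BACnet tag header
 * parse that fDevice_Instance() relies on, with the 1..4 byte length check that
 * get_uint_value() enforces for FT_UINT32 applied before the value is fetched,
 * so a fuzzed length such as 6 is rejected instead of tripping an assert.
 * tag_header(), device_instance() and the sample bytes are all hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parse one BACnet tag header (initial octet, optional extended tag number,
 * optional extended length). Returns the header length in bytes, or 0 when the
 * header itself runs past the end of the buffer. */
static size_t tag_header(const uint8_t *buf, size_t len, size_t off,
                         unsigned *tag_no, int *is_context, uint32_t *lvt)
{
    size_t hdr = 1;
    if (off >= len)
        return 0;
    *tag_no     = buf[off] >> 4;
    *is_context = (buf[off] & 0x08) != 0;
    *lvt        = buf[off] & 0x07;
    if (*tag_no == 15) {                     /* extended tag number follows */
        if (off + hdr >= len)
            return 0;
        *tag_no = buf[off + hdr++];
    }
    if (*lvt == 5) {                         /* extended length follows */
        if (off + hdr >= len)
            return 0;
        uint8_t l = buf[off + hdr++];
        if (l < 254) {
            *lvt = l;
        } else if (l == 254) {               /* 16-bit length */
            if (off + hdr + 2 > len)
                return 0;
            *lvt = ((uint32_t)buf[off + hdr] << 8) | buf[off + hdr + 1];
            hdr += 2;
        } else {                             /* 32-bit length */
            if (off + hdr + 4 > len)
                return 0;
            *lvt = ((uint32_t)buf[off + hdr] << 24) | ((uint32_t)buf[off + hdr + 1] << 16)
                 | ((uint32_t)buf[off + hdr + 2] << 8) | buf[off + hdr + 3];
            hdr += 4;
        }
    }
    return hdr;
}

enum di_status { DI_OK = 0, DI_TRUNCATED = 1, DI_BAD_LENGTH = 2 };

/* Decode one Device Instance (unsigned, at most 4 bytes) at off. The length is
 * taken from the tag header, as fDevice_Instance() does, but validated against
 * the 1..4 range an FT_UINT32 item may have before anything is read. */
static enum di_status device_instance(const uint8_t *buf, size_t len, size_t off,
                                      uint32_t *value, size_t *consumed)
{
    unsigned tag_no; int ctx; uint32_t lvt;
    size_t hdr = tag_header(buf, len, off, &tag_no, &ctx, &lvt);
    if (hdr == 0)
        return DI_TRUNCATED;
    if (lvt < 1 || lvt > 4)                  /* the case that hit the assert */
        return DI_BAD_LENGTH;
    if (off + hdr + lvt > len)
        return DI_TRUNCATED;
    *value = 0;
    for (uint32_t i = 0; i < lvt; i++)       /* big-endian unsigned */
        *value = (*value << 8) | buf[off + hdr + i];
    *consumed = hdr + lvt;
    return DI_OK;
}

/* Helper for the demo: decoded value, or the negated status on failure. */
static long long decode_at(const uint8_t *buf, size_t len, size_t off)
{
    uint32_t v = 0; size_t c = 0;
    enum di_status st = device_instance(buf, len, off, &v, &c);
    return st == DI_OK ? (long long)v : -(long long)st;
}

/* Constructed Who-Is parameters: context tag 0 (low limit, 1 byte) = 1,
 * context tag 1 (high limit, 3 bytes) = 1000000. */
static const uint8_t WHOIS_OK[] = { 0x09, 0x01, 0x1B, 0x0F, 0x42, 0x40 };
/* Constructed fuzz case: context tag 0 with extended length 6, as in the report. */
static const uint8_t WHOIS_FUZZ[] = { 0x0D, 0x06, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("low limit : %lld\n", decode_at(WHOIS_OK, sizeof WHOIS_OK, 0));
    printf("high limit: %lld\n", decode_at(WHOIS_OK, sizeof WHOIS_OK, 2));
    printf("fuzzed    : %lld (negative = rejected)\n",
           decode_at(WHOIS_FUZZ, sizeof WHOIS_FUZZ, 0));
    return 0;
}
```

The constructed good case uses a 1-byte and a 3-byte encoding on purpose: real encoders emit the minimal number of octets, so a decoder that hard-codes 4 bytes would misread them, whereas checking the header-supplied length against the 1..4 range that the field type allows handles both legitimate captures and the fuzzed 6-byte length.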