https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6076
--- Comment #2 from Subin <subin.c.m@xxxxxxxxx> 2011-06-30 08:00:38 PDT ---
Looked deeper, and found a possible bug in dissect_sflow_5_flow_sample()
....

    /* start loop processing flow records */
    /* we set an upper records limit to 255 in case corrupted data causes
     * huge number of loops! */
    for (i = 0; i < (g_ntohl(flow_header.records)&0x000000ff); i++) {
        offset = dissect_sflow_5_flow_record(tvb, pinfo, tree, offset);
    }
}

In dissect_sflow_5_flow_record(), the buffer offset is not getting incremented
properly in the dissectors of Extended Switch, Router and Gateway Information.

static gint
dissect_sflow_245_extended_switch(tvbuff_t *tvb, proto_tree *tree, gint offset)
{
    gint32 len = 0;

    proto_tree_add_item(tree, hf_sflow_245_vlan_in, tvb, offset + len, 4,
                        FALSE);
    len += 4;
    proto_tree_add_item(tree, hf_sflow_245_pri_in, tvb, offset + len, 4,
                        FALSE);
    len += 4;
    proto_tree_add_item(tree, hf_sflow_245_vlan_out, tvb, offset + len, 4,
                        FALSE);
    len += 4;
    proto_tree_add_item(tree, hf_sflow_245_pri_out, tvb, offset + len, 4,
                        FALSE);
    len += 4;

    return len; /* <-- This should really be "offset+len" so that we can
                 * parse the next TLV. */
}

Similarly for dissect_sflow_245_extended_router() and
dissect_sflow_245_extended_gateway().
Please comment.
Thanks,
Subin
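
The effect of the return convention described in this comment, shown as an added example that is not part of the original report or of Wireshark's code: a caller loop that assigns the parser's return value to its offset, run once with a parser that returns only the consumed length and once with one that returns the absolute next offset. The buffer layout, the helper names (rd32, parse_switch_len, parse_switch_off, walk) and the sample values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: an 8-byte header, then three 16-byte records whose
 * first field (vlan_in) is 10, 20 and 30. All names are hypothetical. */
enum { HDR_LEN = 8, REC_LEN = 16, NRECS = 3, BUF_LEN = HDR_LEN + NRECS * REC_LEN };

static uint32_t rd32(const uint8_t *b, int off) {
    return ((uint32_t)b[off] << 24) | ((uint32_t)b[off + 1] << 16) |
           ((uint32_t)b[off + 2] << 8) | (uint32_t)b[off + 3];
}

/* Reported pattern: returns only the number of bytes consumed. */
static int parse_switch_len(const uint8_t *buf, int offset, uint32_t *vlan_in) {
    int len = 0;
    *vlan_in = rd32(buf, offset + len);
    len += REC_LEN; /* vlan_in, pri_in, vlan_out, pri_out */
    return len;
}

/* Suggested pattern: returns the absolute offset of the next record. */
static int parse_switch_off(const uint8_t *buf, int offset, uint32_t *vlan_in) {
    int len = 0;
    *vlan_in = rd32(buf, offset + len);
    len += REC_LEN;
    return offset + len;
}

typedef int (*parse_fn)(const uint8_t *, int, uint32_t *);

/* Caller loop in the style quoted above: offset = parser(..., offset).
 * Fills vlans[] with what each iteration decoded; returns the final offset. */
static int walk(parse_fn fn, uint32_t vlans[NRECS]) {
    uint8_t buf[BUF_LEN] = {0};
    for (int i = 0; i < NRECS; i++)
        buf[HDR_LEN + i * REC_LEN + 3] = (uint8_t)(10 * (i + 1));
    int offset = HDR_LEN;
    for (int i = 0; i < NRECS; i++)
        offset = fn(buf, offset, &vlans[i]);
    return offset;
}

int main(void) {
    uint32_t v[NRECS];
    int end = walk(parse_switch_len, v);
    printf("length return: end=%d vlans=%u,%u,%u\n", end, (unsigned)v[0], (unsigned)v[1], (unsigned)v[2]);
    end = walk(parse_switch_off, v);
    printf("offset return: end=%d vlans=%u,%u,%u\n", end, (unsigned)v[0], (unsigned)v[1], (unsigned)v[2]);
    return 0;
}
```

With the length-only return, the loop's offset is reset to 16 after every record, so the second and third iterations decode bytes from inside the first record instead of advancing through the buffer.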