https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7563
Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> changed:
What                   |Removed              |Added
----------------------------------------------------------------------------
Attachment #8927 Flags |review_for_checkin?  |review_for_checkin+
--- Comment #19 from Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> 2012-08-09 06:21:18 PDT ---
Comment on attachment 8927
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8927
Improve input validation for ERF channelised extension header
Checked in r44377 with one change: with this patch Valgrind complained thus
on the fuzz'd capture file attached to this bug report:
~~~
==28191== Conditional jump or move depends on uninitialised value(s)
==28191== at 0x62D19D8: channelised_fill_vc_id_string (packet-erf.c:738)
==28191== by 0x62D1C43: dissect_channelised_ex_header (packet-erf.c:798)
==28191== by 0x62D349E: dissect_erf_pseudo_extension_header (packet-erf.c:1141)
==28191== by 0x62D364C: dissect_erf (packet-erf.c:1190)
==28191== by 0x607A980: call_dissector_through_handle (packet.c:419)
==28191== by 0x607B16E: call_dissector_work (packet.c:510)
==28191== by 0x607C291: dissector_try_uint_new (packet.c:935)
==28191== by 0x630C9E8: dissect_frame (packet-frame.c:383)
==28191== by 0x607A980: call_dissector_through_handle (packet.c:419)
==28191== by 0x607B16E: call_dissector_work (packet.c:510)
==28191== by 0x607B2D0: call_dissector (packet.c:2000)
==28191== by 0x607CDE3: dissect_packet (packet.c:350)
~~~
So I changed the "if ( (0 == vc_size) || (vc_size > DECHAN_MAX_VC_SIZE) ||
(rate > DECHAN_MAX_LINE_RATE) )" condition to also set m_sdh_line_rate to 0.
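The pattern behind the change described in the comment above, as an added example (not code from the Wireshark patch): a validation reject path has to leave every output field defined, because a later consumer still branches on it. The struct, function names and limit values are hypothetical, and the 0xAA fill stands in for stale memory so the result is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits for this sketch; the dissector's real values are not shown above. */
#define MAX_VC_SIZE   5
#define MAX_LINE_RATE 3

typedef struct {
    uint8_t vc_size;
    uint8_t line_rate;   /* plays the role of m_sdh_line_rate */
} chan_hdr_t;

/* Decode two untrusted header bytes. With zero_on_reject == 0 this mimics the
 * pre-fix behaviour: the reject path returns without writing line_rate. */
int decode_hdr(const uint8_t *buf, chan_hdr_t *out, int zero_on_reject)
{
    uint8_t vc_size = buf[0], rate = buf[1];
    if (vc_size == 0 || vc_size > MAX_VC_SIZE || rate > MAX_LINE_RATE) {
        out->vc_size = 0;
        if (zero_on_reject)
            out->line_rate = 0;      /* the fix: every field is defined */
        return -1;
    }
    out->vc_size = vc_size;
    out->line_rate = rate;
    return 0;
}

/* Consumer that branches on line_rate, as a string-building helper would. */
const char *describe(const chan_hdr_t *h, char *dst, size_t len)
{
    if (h->line_rate == 0)
        snprintf(dst, len, "invalid");
    else
        snprintf(dst, len, "rate=%u vc=%u", (unsigned)h->line_rate, (unsigned)h->vc_size);
    return dst;
}

/* Decode a rejected header into a struct pre-filled with 0xAA (simulated
 * stale stack contents) and report what line_rate holds afterwards. */
uint8_t rate_after_reject(int zero_on_reject)
{
    static const uint8_t fuzzed[2] = { 0xFF, 0xFF };   /* constructed bad input */
    chan_hdr_t h;
    memset(&h, 0xAA, sizeof h);
    decode_hdr(fuzzed, &h, zero_on_reject);
    return h.line_rate;
}
```

Without the zeroing, the consumer's branch depends on whatever was in memory before the call, which is the class of error Memcheck reports as a conditional jump on an uninitialised value.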