https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7804
Summary: se_tree_lookup32_array_le() can return a sub-tree
pointer i.s.o. node data pointer
Product: Wireshark
Version: 1.6.10
Platform: All
OS/Version: All
Status: NEW
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: jaap.keuter@xxxxxxxxx
Created attachment 9282
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9282
Program to exercise se_tree_lookup32_array_le()
Build Information:
Wireshark on FC14 64bit and Debian weezy/sid 32bit
--
When using se_tree_lookup32_array_le() you can setup a search vector that may
contain keys that don't match the value of the nodes. The search then takes the
node with the next lower value.
Instead of continue working through the search vector the pointer to the node
with the next lower value is returned. If this is not from the lowest level
tree this pointer is actually a sub-tree pointer, not a node data pointer.
Using and or manipulating data through this pointer can invalidate the
integrity of the entire tree.
Attached is a program to exercise se_tree_lookup32_array_le() in the manner
described.
This bug applies to the Wireshark 1.4 and 1.6. In 1.8 these routines were
redone, removing this incorrect behaviour.
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.