Wireshark-bugs: [Wireshark-bugs] [Bug 7804] New: se_tree_lookup32_array_le() can return a sub-tr

Date: Sat, 6 Oct 2012 14:52:07 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7804

           Summary: se_tree_lookup32_array_le() can return a sub-tree
                    pointer i.s.o. node data pointer
           Product: Wireshark
           Version: 1.6.10
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Dissection engine (libwireshark)
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: jaap.keuter@xxxxxxxxx


Created attachment 9282
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9282
Program to exercise se_tree_lookup32_array_le()

Build Information:
Wireshark on FC14 64bit and Debian weezy/sid 32bit
--
When using se_tree_lookup32_array_le() you can setup a search vector that may
contain keys that don't match the value of the nodes. The search then takes the
node with the next lower value. 
Instead of continue working through the search vector the pointer to the node
with the next lower value is returned. If this is not from the lowest level
tree this pointer is actually a sub-tree pointer, not a node data pointer.
Using and or manipulating data through this pointer can invalidate the
integrity of the entire tree.

Attached is a program to exercise se_tree_lookup32_array_le() in the manner
described.

This bug applies to the Wireshark 1.4 and 1.6. In 1.8 these routines were
redone, removing this incorrect behaviour.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.