Wireshark-bugs: [Wireshark-bugs] [Bug 7845] New: fuzztest crash in HART/IP - too many TAPS

Date: Wed, 10 Oct 2012 18:33:10 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7845

           Summary: fuzztest crash in HART/IP - too many TAPS
           Product: Wireshark
           Version: SVN
          Platform: x86
        OS/Version: Windows XP
            Status: NEW
          Severity: Critical
          Priority: Medium
         Component: Dissection engine (libwireshark)
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: mmann78@xxxxxxxxxxxx
                CC: wbschiller@xxxxxxxxx


Created attachment 9338
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9338
HART/IP fuzz crash

Build Information:
Version 1.9.0 (SVN Rev 45450 from /trunk)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.24.10, with Cairo 1.10.2, with Pango 1.30.0, with
GLib 2.32.2, with WinPcap (4_1_2), with libz 1.2.5, without POSIX capabilities,
without libnl, with SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python,
with GnuTLS 2.12.18, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with
PortAudio V19-devel (built Oct 10 2012), with AirPcap.

Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1.2
(packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 2.12.18, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 30729

--
The attached pcap crashes because the dissection of HART/IP loops over a
tapping point.

The problem is in packet 3006, where (on the "first" pass because there is no
"tree") the length field in the header is 0, so the while(1) loop is never
broken, and all of the taps get used.  Possible solutions include:

1. Sanity checking the length field. Since specs are not free, I can't verify
if header is included in length, so minimum increase of offset could/should be
at least 8.

2. Only tap where there is a tree.  Not sure of the ramifications of this, but
I'm guessing #1 is a better solution.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.