Wireshark-bugs: [Wireshark-bugs] [Bug 7879] Buildbot crash output: fuzz-2012-10-19-32463.pcap

Date: Fri, 19 Oct 2012 21:05:21 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7879

Chris Maynard <christopher.maynard@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #9386|                            |review_for_checkin?
              Flags|                            |

--- Comment #1 from Chris Maynard <christopher.maynard@xxxxxxxxx> 2012-10-19 21:05:20 PDT ---
Created attachment 9386
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9386
Avoid an infinite loop.

As far as I can tell, the problematic packet is 5992 where there is an infinite
loop in epan/dissectors/packet-rtcp.c due to dissect_rtcp_app() ~line 1601:

packet_len -= tvb_get_guint8( tvb, offset + packet_len - 1 );

Before this, offset=12, packet_len=8, and tvb_get_guint8() returns 20.
After this, packet_len=4294967284 (a.k.a., -12).
At line 1604: offset += packet_len, so after this offset=0, which is the return
value of dissect_rtcp_app() at line 2972:

offset = dissect_rtcp_app(...);

So now offset is 0, but this is what keeps us stuck in the while loop at line
2861:
while ( !srtcp_now_encrypted && tvb_bytes_exist( tvb, offset, 4) ) {

The attached patch resolves the infinite loop problem, but I'm not sure if it's
the best way to fix it or if there's a better way.  Maybe someone more familiar
with RTCP could review it please?

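The arithmetic the comment walks through, modelled as an added C example (written for this page; it is neither the attached patch nor the code in epan/dissectors/packet-rtcp.c). It assumes the standard RTCP header layout (P bit in the first byte, 16-bit length in 32-bit words minus one) and reads the padding count from the last byte of the packet, as the comment says dissect_rtcp_app() does. The constructed 20-byte buffer reproduces offset=12, packet_len=8, padding byte 20: the unsigned subtraction wraps to 4294967284 and the offset addition wraps back to 0, so the outer loop never advances. The "checked" path rejects a padding count that is zero or not smaller than the packet length; that check is my own suggestion, not what the attachment does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Exactly the two statements from the comment, with the same unsigned type
   as packet_len: no check that the padding count fits in the packet. */
static uint32_t advance_unchecked(uint32_t offset, uint32_t packet_len, uint8_t padding)
{
    packet_len -= padding;      /* 8 - 20 wraps to 4294967284 */
    return offset + packet_len; /* 12 + 4294967284 wraps to 0 */
}

/* Hypothetical sanity check (not the attached patch): a padding count of
   zero is invalid per the RTCP format, and one that reaches the header
   would leave no payload at all. */
static bool padding_is_valid(uint8_t padding, uint32_t packet_len)
{
    return padding != 0 && padding < packet_len;
}

/* Constructed sample: a 12-byte RR-like packet followed by an 8-byte APP
   packet with the P bit set and `pad` as its padding byte. */
#define SAMPLE_LEN 20
static void build_sample(uint8_t *buf, uint8_t pad)
{
    static const uint8_t first[12]  = { 0x80, 0xC9, 0x00, 0x02, 0, 0, 0, 0, 0, 0, 0, 0 };
    static const uint8_t second[8]  = { 0xA0, 0xCC, 0x00, 0x01, 0, 0, 0, 0 };
    for (size_t i = 0; i < 12; i++) buf[i] = first[i];
    for (size_t i = 0; i < 8; i++)  buf[12 + i] = second[i];
    buf[SAMPLE_LEN - 1] = pad; /* last byte of the padded packet */
}

/* Model of the outer `while (tvb_bytes_exist(tvb, offset, 4))` loop with an
   iteration cap so a non-advancing step is reported instead of hanging.
   Returns the number of packets walked; -1 means the loop made no progress
   within the cap, -2 means a malformed padding count was rejected. */
static int walk(const uint8_t *buf, size_t len, bool checked)
{
    uint32_t offset = 0;
    int count = 0;
    for (int iter = 0; iter < 64; iter++) {
        if ((size_t)offset + 4 > len)
            return count; /* no 4-byte header left: normal termination */
        bool has_padding = (buf[offset] & 0x20) != 0;
        uint32_t words = ((uint32_t)buf[offset + 2] << 8) | buf[offset + 3];
        uint32_t packet_len = (words + 1) * 4;
        if ((size_t)offset + packet_len > len)
            return count; /* truncated packet: stop */
        if (has_padding) {
            uint8_t pad = buf[offset + packet_len - 1];
            if (checked) {
                if (!padding_is_valid(pad, packet_len))
                    return -2;
                offset += packet_len; /* skip the whole packet, padding included */
            } else {
                offset = advance_unchecked(offset, packet_len, pad);
            }
        } else {
            offset += packet_len;
        }
        count++;
    }
    return -1; /* cap hit: the offset kept cycling */
}

int main(void)
{
    uint8_t buf[SAMPLE_LEN];
    build_sample(buf, 20);
    printf("advance_unchecked(12, 8, 20) = %u\n", advance_unchecked(12, 8, 20));
    printf("unchecked walk: %d (expect -1, no progress)\n", walk(buf, SAMPLE_LEN, false));
    printf("checked walk:   %d (expect -2, padding rejected)\n", walk(buf, SAMPLE_LEN, true));
    build_sample(buf, 4);
    printf("checked walk, sane padding: %d (expect 2)\n", walk(buf, SAMPLE_LEN, true));
    return 0;
}
```

The cap in `walk()` is only there so the model terminates; the point of the comparison is that the unchecked step returns the loop to offset 0 on the padded packet, while validating the padding count before subtracting turns the same input into a reportable malformed-packet condition.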