Jeff Morriss changed bug 8111

What           | Removed     | Added
Status         | UNCONFIRMED | CONFIRMED
CC             |             | [email protected]
Ever confirmed |             | 1

Comment # 4 on bug 8111 from Jeff Morriss
It crashes regularly for me using the test-fuzzed-cap.sh script.
It would appear that the problem is that the DTLS dissector calls
fragment_set_tot_len() to set the length of the reassembled packet and the
reassembly routines a) trust that and b) don't verify it when they set
FD_DEFRAGMENTED (i.e., when the reassembly is done). The crash happens when
another frame arrives which is part of the reassembled message and its offset
is a) within bounds of the length specified in fragment_set_tot_len() but b)
outside of the bounds of what was actually reassembled.
Actually I think the problem is not specific to dissectors which call
fragment_set_tot_len() but I could be wrong.
Not sure if/when I'll have time to look deeper into this.
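A small C model of the behaviour the comment describes, added here as an illustration; it is not code from the bug, from Wireshark's reassembly routines, or from the commenter. The names `tot_len`, `defragmented`, `strict` and `run_scenario` are assumptions standing in for the value passed to fragment_set_tot_len(), the FD_DEFRAGMENTED flag, and the two missing checks (verify the claimed length before flagging completion; bound later offsets by the bytes actually reassembled, not by the claimed total):

```c
/* Added illustration of comment #4, not Wireshark's epan/reassemble.c. tot_len stands in for
 * the fragment_set_tot_len() value, `defragmented` for FD_DEFRAGMENTED, `strict` enables the missing checks. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum { LATE_MISMATCH = 0, LATE_MATCH = 1, LATE_REJECTED = -1, LATE_OOB_READ = -2 };
typedef struct {
    uint8_t *data;        /* holds exactly `reassembled` bytes */
    size_t   reassembled; /* bytes actually received so far */
    size_t   tot_len;     /* length claimed by the dissector */
    int      defragmented;
} msg_t;
/* Append an in-order fragment; `last` marks the sender's final one. 0 = ok, -1 = rejected. */
static int add_fragment(msg_t *m, const uint8_t *frag, size_t len, int last, int strict)
{
    if (m->defragmented || len > m->tot_len - m->reassembled) return -1;
    uint8_t *p = realloc(m->data, m->reassembled + len);
    if (!p) return -1;
    memcpy(p + m->reassembled, frag, len);
    m->data = p; m->reassembled += len;
    if (last) {
        /* strict: don't trust tot_len; only flag complete when the bytes are really there */
        if (strict && m->reassembled != m->tot_len) return -1;
        m->defragmented = 1;
    }
    return 0;
}
/* A fragment arriving after completion is compared with the stored bytes. */
static int check_late_fragment(const msg_t *m, size_t offset, const uint8_t *frag, size_t len, int strict)
{
    if (!m->defragmented) return LATE_REJECTED;
    size_t limit = strict ? m->reassembled : m->tot_len; /* unsafe: bound is the claimed total */
    if (offset > limit || len > limit - offset) return LATE_REJECTED;
    if (offset + len > m->reassembled) return LATE_OOB_READ; /* the real code would read past the buffer here */
    return memcmp(m->data + offset, frag, len) == 0 ? LATE_MATCH : LATE_MISMATCH;
}
/* Constructed scenario: tot_len bytes claimed, 60 bytes of 0xAA received and marked last,
 * then a 10-byte frame of 0xAA at `offset` (the report's case: offset inside tot_len, outside the data). */
int run_scenario(int strict, size_t tot_len, size_t offset)
{
    uint8_t first[60], late[10];
    memset(first, 0xAA, sizeof first);
    memset(late, 0xAA, sizeof late);
    msg_t m = { 0, 0, tot_len, 0 };
    add_fragment(&m, first, sizeof first, 1, strict);
    int r = check_late_fragment(&m, offset, late, sizeof late, strict);
    free(m.data);
    return r;
}
```

`run_scenario(0, 100, 70)` reproduces the report's crash condition as `LATE_OOB_READ`, while the strict variant rejects the same frame and still accepts in-bounds late frames for a message whose bytes really match `tot_len`.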