Wireshark-bugs: [Wireshark-bugs] [Bug 8111] DTLS dissector crash

Date: Mon, 24 Dec 2012 03:32:45 +0000

changed bug 8111

What Removed Added
CC   [email protected]

Comment # 12 on bug 8111 from
(In reply to comment #4)

> FD_DEFRAGMENTED (i.e., when the reassembly is done).  The crash happens when
> another frame arrives which is part of the reassembled message and its
> offset is a) within bounds of the length specified in fragment_set_tot_len()
> but b) outside of the bounds of what was actually reassembled.

To me, it looks like the fragment that causes the crash has a starting offset
that's larger than the length set by fragment_set_tot_len().

I tried a simple fix as attached: In the DTLS dissector, set the total len
_before_ adding the fragment. If the fragment's starting offset is out of
bounds in fragment_add_common(), return NULL (==reassembly not complete) and
don't add the fragment.

This "works for me" but I'm not sure if it's a proper fix. Should the check be
in fragment_add_common() or in fragment_add_work()? Do we need something
similar in fragment_add_check()?


You are receiving this mail because:
  • You are watching all bug changes.