Wireshark-bugs: [Wireshark-bugs] [Bug 9027] Another fuzz failure in print_hex_data_buffer

Date: Sun, 11 Aug 2013 16:22:34 +0000

Comment # 10 on bug 9027 from
(In reply to comment #9)
> I'm still not sure how exactly this bug gets triggered. I've been through
> the TCP dissector several times, and cannot see how it could add a data
> source before reassembly is complete...

Evan, but from your comment #8 of bug #8825 (bug #8825 comment #8)
I understand that reassembly is completed.

I don't understand how exactly tcp reassembly code works, I have done some
analysis why it crashes on tshark.pcap
(http://www.wireshark.org/~darkjames/anal-8825.txt), but TCP reassembly code is
beyond me.

>From my analysis if you do:
  smth = fragment_add() and later
  use reassembly tvb (smth->tvb_data) as any data_source (or by
tvb_new_proxy())
  you can't later call again fragment_add() [cause it'll free old reassembly]

... but this code fragment:

1863                 if (tvb_length_remaining(tvb, offset) > 0)
1864                     goto again;

is quite old, really don't understand how it works ;|


You are receiving this mail because:
  • You are watching all bug changes.