Wireshark-bugs: [Wireshark-bugs] [Bug 9579] Clang ASAN : global-buffer-overflow SNMP : dissect_b

Date: Tue, 06 May 2014 09:39:22 +0000

changed bug 9579

What Removed Added
Status UNCONFIRMED CONFIRMED
CC   [email protected]
Ever confirmed   1

Comment # 5 on bug 9579 from
For some reason, ch has become choice + 3 which is past the choice array:
(gdb) p ch
$14 = (const ber_choice_t *) 0x7ffff34c5db8
(gdb) p choice
$15 = (const ber_choice_t *) 0x7ffff34c5d40 <RegisterResponse_choice>
(gdb) p choice + 1
$16 = (const ber_choice_t *) 0x7ffff34c5d68 <RegisterResponse_choice+40>
(gdb) p choice + 2
$17 = (const ber_choice_t *) 0x7ffff34c5d90 <RegisterResponse_choice+80>
(gdb) p choice + 3
$18 = (const ber_choice_t *) 0x7ffff34c5db8



// choice is an array of size 3 with the last element being empty
ch = choice;
while (ch->func || first_pass) {
    // ...
choice_try_again:
    // ...
    if ((count == 0) && (((ch->ber_class == ber_class) && (ch->tag == -1) &&
(ch->flags & BER_FLAGS_NOOWNTAG)) || !first_pass)) {
        ch++;   // (1)
        goto choice_try_again;  // <-- oops
    }
    // ...
    ch++;
}

&choice[1] is the last non-empty element. If (1) gets executed twice, then ch =
&choice[3] which is past the buffer. That piece of code really needs closer
attention (ifdef REMOVED?!), but I am unfamiliar with BER and do not know the
correct way to fix this (throw exception? break unconditionally? break if
!first_pass?).


You are receiving this mail because:
  • You are watching all bug changes.