Peter Wu changed bug 12851
Comment #1 on bug 12851 from Peter Wu
There are very long loops inside the dissector that do not make much progress
on the passed tvb. See frame 327: we have a TVB of length 40, but there are
43694 iterations that add items to the tree.
Is there a way to know when the loop can be terminated earlier?
The offending commit is likely v2.1.0rc0-3160-gc0e679e (bug 12216); I have
tested it with tshark -r fuzz-2016-09-09-25074.pcap -V > out and then observed
the output and timing.
gdb output:
dissect_PNIO_C_SDU_RTC1 (tvb=0x61d0001814f0, offset=0, pinfo=0x61400000ee58, tree=0x61900014f720, drep=0x7fffffffb080 "") at plugins/profinet/packet-pn-rtc-one.c:501
501 objectCounter = number_io_data_objects_input_cr + number_iocs_input_cr;
(gdb) next
502 while (objectCounter--) {
(gdb) info locals
data_tree = 0x7fffd53b0620
frameOffset = 0
objectCounter = 43694
inputFlag = 1
outputFlag = 0
psInfoText = 0
IODataObject_item = 0x10000000001
IODataObject_item_info = 0x7fffd53b0ce0
IODataObject_tree = 0xffffffff5fe
ModuleID_item = 0x7fffffffb050
ModuleDiff_item = 0x7fffec10e3d6 <compute_offset_and_remaining+45>
moduleName = 0x7fffffffffff
toggleBitSb = 236 '\354'
toggleBitCb = 127 '\177'
f_data = 0
statusbyte = 8 '\b'
controlbyte = 255 '\377'
number_io_data_objects_input_cr = 43690
number_iocs_input_cr = 4
number_io_data_objects_output_cr = 0
number_iocs_output_cr = 0
conversation = 0x7fffd55b3410
station_info = 0x7fffd55b34b0
iocs_object = 0x7fffffffb010
io_data_object = 0x61d000181630
module_diff_info = 0x7fffffffafc0
frame = 0x7fffd53b0310
frame_diff = 0x7fffe0e2b100 <_IO_strn_jumps>
(gdb) p *tvb
$3 = {next = 0x0, ops = 0x7ffff055b2c0 <tvb_subset_ops>, initialized = 1, flags = 0, ds_tvb = 0x61d0001c3920, real_data = 0x61d00019c894 "", length = 40, reported_length = 40, raw_offset = 20}
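The gdb dump shows the core of the problem: objectCounter (43694) is the sum of two counts read from the packet itself, while the tvb holds only 40 bytes, so the loop runs three orders of magnitude more often than any object could possibly fit. The following is an added illustration, not code from Wireshark or from the profinet plugin. It uses a constructed toy_tvb struct in place of tvbuff_t and assumes (labelled MIN_OBJECT_LEN) that every IO data object or IOCS occupies at least two bytes; it places the naive loop from the bug next to a bounded variant that derives its iteration limit from the bytes actually available and stops as soon as the next object would not fit. In a real dissector the same bound would come from tvb_reported_length_remaining() and the truncation flag would become an expert-info item.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for Wireshark's tvbuff_t (constructed for this example):
 * only the fields the loop logic needs. */
typedef struct {
    const uint8_t *data;
    size_t length;          /* bytes actually available, e.g. 40 in frame 327 */
} toy_tvb;

/* Assumption for the toy layout: every IO data object or IOCS occupies at
 * least this many bytes (one data byte plus one status byte). */
#define MIN_OBJECT_LEN 2

/* Mirrors the pattern in the bug report: the iteration count is the sum of
 * two packet-derived fields and is never checked against the buffer size.
 * Returns the number of loop iterations executed. */
size_t walk_objects_naive(const toy_tvb *tvb, uint32_t n_io_data, uint32_t n_iocs)
{
    uint64_t objectCounter = (uint64_t)n_io_data + n_iocs;
    size_t iterations = 0;
    (void)tvb;              /* the buffer length never influences the loop */
    while (objectCounter--) {
        iterations++;       /* the real dissector adds a tree item per pass */
    }
    return iterations;
}

/* Hardened variant: derives an upper bound from the bytes that can still be
 * consumed and stops as soon as the next object would not fit.
 * *consumed receives the bytes walked; *truncated is set when the advertised
 * count exceeded what the buffer can hold (where a dissector would attach
 * an expert-info warning instead of looping on). */
size_t walk_objects_bounded(const toy_tvb *tvb, uint32_t n_io_data, uint32_t n_iocs,
                            size_t *consumed, bool *truncated)
{
    uint64_t objectCounter = (uint64_t)n_io_data + n_iocs;
    uint64_t max_objects = tvb->length / MIN_OBJECT_LEN;
    size_t offset = 0, iterations = 0;

    *truncated = objectCounter > max_objects;
    if (*truncated) {
        objectCounter = max_objects;   /* never trust the packet's own count */
    }
    /* Two independent guards: the clamped counter and the remaining length. */
    while (objectCounter > 0 && offset + MIN_OBJECT_LEN <= tvb->length) {
        objectCounter--;
        iterations++;
        offset += MIN_OBJECT_LEN;      /* every pass must make progress */
    }
    *consumed = offset;
    return iterations;
}

int main(void)
{
    /* Constructed 40-byte payload matching the tvb length in the gdb dump. */
    uint8_t payload[40] = {0};
    toy_tvb tvb = { payload, sizeof payload };
    size_t consumed;
    bool truncated;

    /* Counts taken from the "info locals" output above. */
    size_t naive = walk_objects_naive(&tvb, 43690, 4);
    size_t bounded = walk_objects_bounded(&tvb, 43690, 4, &consumed, &truncated);
    printf("naive: %zu iterations\n", naive);
    printf("bounded: %zu iterations, %zu bytes consumed, truncated=%d\n",
           bounded, consumed, (int)truncated);
    return 0;
}
```

With the counts from the dump, the naive loop runs 43694 times while the bounded one runs 20 times and consumes all 40 bytes; the clamp on objectCounter and the length check in the loop condition are deliberately redundant so that either one alone still bounds the work by the buffer size.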