Wireshark-bugs: [Wireshark-bugs] [Bug 13044] Buildbot crash output: fuzz-2016-10-25-19751.pcap

Date: Thu, 01 Dec 2016 03:33:05 +0000

Comment # 14 on bug 13044 from
In dissect_cops_pdu() we do:

        if (!pinfo->fd->flags.visited) {
            cops_call = wmem_new(wmem_file_scope(), cops_call_t);
            cops_call->op_code = op_code;
            cops_call->solicited = is_solicited;
            cops_call->req_num = pinfo->num;
            cops_call->rsp_num = 0;
            cops_call->req_time = pinfo->abs_ts;
            g_ptr_array_add(pdus_array, cops_call);
        }
        else {
            for (i=0; i < pdus_array->len; i++) {
                cops_call = (cops_call_t*)g_ptr_array_index(pdus_array, i);
                if ( cops_call->req_num == pinfo->num
                  && cops_call->rsp_num != 0)  {
                    ti = proto_tree_add_uint_format(cops_tree, hf_cops_response_in, tvb, 0, 0,
                                                    cops_call->rsp_num,
                                                    "Response to this request is in frame %u",
                                                    cops_call->rsp_num);
                    PROTO_ITEM_SET_GENERATED(ti);
                }
            }
        }

cops_call is either allocated or fetched from an array; the only way one we
allocate could have solicited uninitialized would be if is_solicited were
uninitialized.

However, it's always set before it's used.

So either there's something subtle going on here that I've missed, or this is a
false positive.
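The two-pass request/response tracking the comment describes, reduced to a stand-alone model: on the first pass over a capture (pinfo->fd->flags.visited false) a record is allocated with every field set, a later response frame fills in rsp_num, and on subsequent passes the record is only looked up. This is an added example, not Wireshark's dissector code; the GPtrArray and wmem allocator are replaced by a fixed array, the field types of cops_call_t, the frame_t stand-in for packet_info, and the "pair with the newest unanswered request" rule are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Per-request record, modelled on the cops_call_t fields used in the snippet
   above; the field types are assumptions for this example. */
typedef struct {
    uint8_t  op_code;
    bool     solicited;
    uint32_t req_num;   /* frame number of the request */
    uint32_t rsp_num;   /* frame number of the matching response, 0 until seen */
} cops_call_t;

/* Stand-in for the parts of packet_info the logic needs (assumption). */
typedef struct {
    uint32_t num;       /* frame number */
    bool     visited;   /* false on the first pass over the capture, true afterwards */
} frame_t;

/* File-scoped storage standing in for the wmem-allocated GPtrArray. */
#define MAX_CALLS 16
static cops_call_t pdus_array[MAX_CALLS];
static size_t      pdus_len;

static void reset_pdus(void) { pdus_len = 0; }

/* First pass only: allocate a record for a request frame.  The compound
   literal sets every field; any field left out of it would be zeroed by the
   compiler, never left indeterminate. */
static cops_call_t *record_request(const frame_t *f, uint8_t op_code, bool is_solicited)
{
    if (f->visited || pdus_len >= MAX_CALLS)
        return NULL;
    cops_call_t *c = &pdus_array[pdus_len++];
    *c = (cops_call_t){
        .op_code   = op_code,
        .solicited = is_solicited,
        .req_num   = f->num,
        .rsp_num   = 0,
    };
    return c;
}

/* First pass only: pair a response frame with the newest unanswered request
   (a simplification of the real COPS pairing rules, assumed for the example). */
static bool record_response(const frame_t *f)
{
    if (f->visited)
        return false;
    for (size_t i = pdus_len; i > 0; i--) {
        cops_call_t *c = &pdus_array[i - 1];
        if (c->rsp_num == 0) {
            c->rsp_num = f->num;
            return true;
        }
    }
    return false;
}

/* Later passes: the lookup loop from the snippet, returning the response
   frame number (0 if none) instead of adding a generated tree item. */
static uint32_t response_in(const frame_t *f)
{
    for (size_t i = 0; i < pdus_len; i++) {
        const cops_call_t *c = &pdus_array[i];
        if (c->req_num == f->num && c->rsp_num != 0)
            return c->rsp_num;
    }
    return 0;
}

/* The shape of dissect_cops_pdu(): allocate on the first visit, look up afterwards. */
static uint32_t dissect_request(const frame_t *f, uint8_t op_code, bool is_solicited)
{
    if (!f->visited) {
        record_request(f, op_code, is_solicited);
        return 0;
    }
    return response_in(f);
}

int main(void)
{
    /* Constructed capture: request in frame 3, its response in frame 7. */
    frame_t req = { 3, false }, rsp = { 7, false };
    reset_pdus();
    dissect_request(&req, 1, true);   /* first pass: record the request */
    record_response(&rsp);            /* first pass: pair the response */
    req.visited = true;
    printf("Response to frame 3 is in frame %u\n", response_in(&req));  /* prints 7 */
    return 0;
}
```

The point the model makes explicit is that the only path that creates a record initialises all four fields, so a later lookup can only ever read values that were stored on the first pass; a fuzzer report about solicited therefore has to come from is_solicited itself or from outside this code. Setting every field at the allocation site (or zero-allocating, which wmem offers as wmem_new0()) is the cheap way to keep that property true when fields are added to the struct later.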

