URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f3a86c02dd8bda54cc23d0cc5fdd07702fbaa211
Submitter: "Dario Lombardo <lomato@xxxxxxxxx>"
Changed: branch: master
Repository: wireshark
Commits:
f3a86c0 by Dario Lombardo (lomato@xxxxxxxxx):
frame: increase EXCEPTION_TREE_ITEMS.
Thanks to Peter Wu for the deep analysis of the issue:
Reproduce this issue with master v3.1.0rc0-662-gfd30adca44 and the reproducer from
the oss-fuzz issue tracker:
    HOME=/x FUZZSHARK_TABLE=ip.proto FUZZSHARK_TARGET=ospf fuzzshark clusterfuzz-testcase-minimized-fuzzshark_ip_proto-ospf-5128657784799232
Attached are the traces for watchpoints on changes to parent_tree.tree_data.count;
this revealed 7 nodes that were added from the catch block in epan/expert.c:759.
show_reported_bounds_error adds a proto node and calls expert_add_info:
1. _ws.malformed - protocol node via epan/show_exception.c:177
expert_create_tree adds two items:
2. _ws.malformed - expert tree via epan/expert.c:480
3. _ws.malformed - protocol filter because group==PI_MALFORMED via epan/expert.c:488
Because an explicit ei field was given: "add_expert_info(..., &ei_malformed)", two
fields are added instead of one:
4. _ws.malformed.expert - none node via epan/expert.c:543
5. _ws.expert.message - string node via epan/expert.c:545
Two more fields are added for the severity and group:
6. _ws.expert.severity - uint node via epan/expert.c:549
7. _ws.expert.group - uint node via epan/expert.c:552
So this problem would never occur when an exception is triggered via DISSECTOR_ASSERT,
but only for ReportedBoundsError exceptions (which occur when trying to use proto_tree_add_item
with invalid bounds for a tvb).
In conclusion, increasing EXCEPTION_TREE_ITEMS by 2 would suffice, but bump it to 10
(double the current value) to prevent similar crashes from happening if a few more items
are added in the future.
Bug: 14978
Change-Id: Ib9f5e254aeb4d756da5bab8f2e7ccf2572764aa4
Reviewed-on: https://code.wireshark.org/review/33060
Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
Reviewed-by: Dario Lombardo <lomato@xxxxxxxxx>
Actions performed:
from 69e50be HTTP: fix bad reassembly with Content-Type and no Content-Length
add f3a86c0 frame: increase EXCEPTION_TREE_ITEMS.
Summary of changes:
epan/dissectors/packet-frame.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)