On Sun, Dec 10, 2006 at 01:57:15PM +0000, Bill Meier wrote:
> Julian:
>
> Could you possibly take a look at report # 1264 (if you haven't
> already seen it) ?
>
> http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1264
>
> It seems to involve an "Infinite loop at frame 75 on fragmented
> DCP-PFT protocol in packet-dcp-etsi.c"
I've found the culprit - a pair of loops starting at line 273 of
packet-dcp-etsi.c:
    for(i=0,j=0; i<fragments; i++,j++) {
        while(j<got[i]) {
            frag = fragment_add_seq_check (dummytvb, 0, pinfo, seq,
                dcp_fragment_table, dcp_reassembled_table, j, plen, (j+1!=fcount));
.
.
Why would it be running fragment_add_seq_check() for every fragment
number from 0 to the fragment index number from the packet (got[0]) (in
this fuzz capture's case, 4,456,448)? I can't find any fragmented
DCP-PFT captures to test changes on as the fuzz file only has one.
Steve
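The bug class Steve describes, a loop whose upper bound is a fragment index read straight from the packet, is easy to demonstrate in isolation. The following is an added example, not code from the Wireshark tree or from this thread: it uses a constructed eight-byte header (fragment count, then fragment index, big-endian, which is not the real DCP-PFT layout), an assumed cap `MAX_FRAGMENTS`, and a counter as a stand-in for the reassembly call. `unchecked_loop_iterations()` mirrors the reported shape and shows that the fuzzed index 4,456,448 (0x00440000) drives millions of iterations for a single frame; `frag_hdr_valid()` and `process_fragment()` show the check a dissector wants before any packet-derived value controls a loop: the count is bounded, the index is less than the count, and exactly one reassembly call is made for the fragment's own index.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 8-byte header for illustration only (not the real DCP-PFT layout):
   bytes 0..3 = fragment count, bytes 4..7 = fragment index, both big-endian. */
typedef struct {
    uint32_t fcount;
    uint32_t findex;
} frag_hdr_t;

/* Assumed upper bound on fragments we are willing to reassemble; not a protocol value. */
#define MAX_FRAGMENTS 4096u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns false if the buffer is too short to hold a header. */
static bool parse_frag_hdr(const uint8_t *buf, size_t len, frag_hdr_t *out) {
    if (len < 8) return false;
    out->fcount = be32(buf);
    out->findex = be32(buf + 4);
    return true;
}

/* Mirrors the reported pattern: the index taken from the packet bounds the loop,
   so one fuzzed frame causes millions of reassembly calls. Returns how many
   times the loop body would run (the counter stands in for fragment_add_seq_check). */
static uint64_t unchecked_loop_iterations(const frag_hdr_t *h) {
    uint64_t calls = 0;
    for (uint32_t j = 0; j < h->findex; j++) {
        calls++;
    }
    return calls;
}

/* Hardened check: validate every packet-derived value before it drives control flow. */
static bool frag_hdr_valid(const frag_hdr_t *h) {
    if (h->fcount == 0 || h->fcount > MAX_FRAGMENTS) return false; /* absurd count */
    if (h->findex >= h->fcount) return false;                       /* index out of range */
    return true;
}

/* Processes one fragment: a single reassembly call for this fragment's own index,
   or a rejection. Returns 1 when accepted, 0 when the header is malformed. */
static int process_fragment(const uint8_t *buf, size_t len, int *reassembly_calls) {
    frag_hdr_t h;
    if (!parse_frag_hdr(buf, len, &h) || !frag_hdr_valid(&h)) return 0;
    (*reassembly_calls)++; /* one fragment_add_seq_check-style call for index h.findex */
    return 1;
}

/* Constructed sample packets. */
static const uint8_t GOOD_PKT[8]   = {0, 0, 0, 5, 0, 0, 0, 3};           /* 5 fragments, this is #3 */
static const uint8_t FUZZED_PKT[8] = {0, 0, 0, 5, 0x00, 0x44, 0x00, 0x00}; /* index 4456448 */

int main(void) {
    frag_hdr_t h;
    int calls = 0;
    parse_frag_hdr(FUZZED_PKT, sizeof FUZZED_PKT, &h);
    printf("unchecked: %llu loop iterations for one frame\n",
           (unsigned long long)unchecked_loop_iterations(&h));
    printf("good packet accepted: %d\n", process_fragment(GOOD_PKT, sizeof GOOD_PKT, &calls));
    printf("fuzzed packet accepted: %d, reassembly calls so far: %d\n",
           process_fragment(FUZZED_PKT, sizeof FUZZED_PKT, &calls), calls);
    return 0;
}
```

The two checks in `frag_hdr_valid()` are the ones a fuzzer will exercise first: a count large enough to exhaust memory or time, and an index that does not belong to the advertised count. Rejecting the frame as malformed keeps the per-packet cost constant regardless of what the header claims.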