Wireshark-dev: Re: [Wireshark-dev] Packet Size limited during capture message

From: Jakub Zawadzki <darkjames@xxxxxxxxxxxxxxxx>
Date: Thu, 25 Mar 2010 22:50:45 +0100
On Wed, Mar 24, 2010 at 09:59:36AM -0400, Brian Oleksa wrote:
> So I did some more troubleshooting only to find the following:
> The dissector crashes in WinXP but not on my Fedora Core 9 box. This is 
> weird.
>
> Using editcap... I was able to find the frame on windows to which wireshark 
> crashed on (which was frame 17641).
> I opened the same .pcap file on my FC-9 box (it did not crash)...but I went 
> to frame 17641 only to find out that it is a Malformed Packet.
>
> Any thoughts..??

I'd bet on calls to gmtime().

1/ gmtime() can return NULL.
2/ Windows-specific: 
   These functions validate their parameter. (...) if the timer value is negative, these functions invoke an invalid
   parameter handler, as described in Parameter Validation. [1]

   The behavior of the C Runtime when an invalid parameter is found is to call the currently assigned invalid parameter handler. 
   The default invalid parameter invokes Watson crash reporting, which *causes the application to crash* (...) [2]

Which reminds me of some checks in to_str.c ( e.g. if (abs_time->secs > 2000000000) tmp = NULL; )
maybe custom handler for _set_invalid_parameter_handler() [3] would be enough?
(I can't test it ;/)

Cheers.

[1] http://msdn.microsoft.com/en-us/library/0z9czt0w%28VS.80%29.aspx
[2] http://msdn.microsoft.com/en-us/library/ksazx244%28VS.80%29.aspx
[3] http://msdn.microsoft.com/en-us/library/a9yf33zb%28VS.80%29.aspx