Gerald Combs wrote:
morriss@xxxxxxxxxxxxx wrote:
http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=33464
User: morriss
Date: 2010/07/07 08:52 AM
Log:
Fix infinite recursion reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4984 : In try_get_ber_length() make sure we move forward before recursing.
Directory: /trunk/epan/dissectors/
Changes Path Action
+57 -56 packet-ber.c Modified
If I apply the attached debugging code to packet-ber.c I see some high
stack counts in the fuzz capture from bug 4984. It looks like we're
still vulnerable to a stack overflow.
Interesting--I don't get any stacks deeper than 10 on that capture file.
Shouldn't we remove recursion from try_get_ber_length or at least throw
an exception when we run into, say, 5 levels of nesting?
I don't know enough to say what's a valid depth.
In looking at the sample captures I have, I only got to a depth above 10
on one which is probably supposed to be valid but throws an exception in
the end.
But this sample capture:
http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=c06-ldapv3-enc-r1.pcap.gz
gets depths as high as 25,604...