Wireshark-dev: Re: [Wireshark-dev] [Wireshark-commits] rev 37826: /trunk/epan/dissectors/ /trun

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 29 Jun 2011 00:47:35 -0700
On Jun 29, 2011, at 12:04 AM, Stig Bjørlykke wrote:

> I have strengthened the heuristics in revision 37828, which seems to
> really fix the problem.

Well, it fixes the problem with that *particular* capture.

The underlying problem is that proto_tree_add_item() might not end up doing anything that checks the validity of the offset, so if nitems in dissect_rpcap_filter() has an absurdly large value, the loop in dissect_rpcap_filter() can go well past the end of the packet and only stop when it's put "too many" items into the protocol tree - unfortunately, "too many" is large enough that this could take a while.

A packet could be synthesized that would pass the heuristics and still end up spinning for a very long time in that loop.

> The offset calculations was left on purpose, to easy extend the dissector later.

OK, so what should dissect_rpcap_packet() return in the case where the caplen value is bogus?