author: Hadriel Kaplan <hadrielk@yahoo.com> 2014-03-16 17:20:07 -0400
committer: Anders Broman <a.broman58@gmail.com> 2014-03-19 05:09:12 +0000
commit: 30ba425e7e95f7b61b3a3e5ff0c46e4be9d3d8d7
tree: ee01bf1d2d567159a852199911e098f2560bf145 /epan/dissectors/packet-sdp.c
parent: fff998d6c1c7d38f3929eaa6e5101683c071744a
Fix Bug 9885: 'Buildbot crash output: fuzz-2014-03-14-15333.pcap'
The Buildbot found a crash which is caused by a bug that has been there all along, but a recent change exposed. This bug is likely in 1.10.6 as well, so I'll backport this if I can reproduce it in 1.10.6.

Change-Id: I505bc73cbe6281e6d64f00de441c8e6231b55000
Reviewed-on: https://code.wireshark.org/review/702
Reviewed-by: Hadriel Kaplan <hadrielk@yahoo.com>
Reviewed-by: Evan Huus <eapache@gmail.com>
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/dissectors/packet-sdp.c')
-rw-r--r-- epan/dissectors/packet-sdp.c 12
1 files changed, 12 insertions, 0 deletions
diff --git a/epan/dissectors/packet-sdp.c b/epan/dissectors/packet-sdp.c
index d7cbaa62b2..3989fe52e5 100644
--- a/epan/dissectors/packet-sdp.c
+++ b/epan/dissectors/packet-sdp.c
@@ -1816,6 +1816,18 @@ setup_sdp_transport(tvbuff_t *tvb, packet_info *pinfo, enum sdp_exchange_type ex
if (in_media_description) {
/* Increase the count of media channels, but don't walk off the end of the arrays. */
+ /* XXX: I don't know why this was done here - I'm keeping it here in case
+ * removing it causes problems, but it's wrong. transport_info->media_count
+ * is already incremented in the while() loop above. Incrementing it
+ * again here will cause bugs. The name of this is misleading, because
+ * 'transport_info->media_count' is actually an index, not count.
+ * In other words, it's a 0-based number, of the current rtp channel.
+ * So debug printing shows bogus rtp channels get created and then later
+ * removed because luckily it knows they were bogus. But it will cause bugs
+ * because if we're not delaying, then for the SDP_EXCHANGE_ANSWER_ACCEPT
+ * run through this function, it will add new RTP channels at a +1 index,
+ * which will likely cause problems.
+ */
if (transport_info->media_count < (SDP_MAX_RTP_CHANNELS-1))
transport_info->media_count++;
if (media_info.media_count < (SDP_MAX_RTP_CHANNELS-1))
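Review bot: The XXX comment added above `if (transport_info->media_count < (SDP_MAX_RTP_CHANNELS-1))` says the `transport_info->media_count++` that follows is wrong and will cause bugs, yet the increment is left in place, and in this file the change is comment-only (12 insertions, 0 deletions). Either drop the second increment in this change or name a tracking bug in the comment so the known-bad behaviour has an owner. The pre-existing line "Increase the count of media channels, but don't walk off the end of the arrays." directly above now contradicts the new statement that media_count is a 0-based index, so reword it to match. Since the `SDP_MAX_RTP_CHANNELS-1` bound only makes sense under the index reading, it would also help to document that meaning where the field is declared rather than only at this call site.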