author | Pascal Quantin <pascal.quantin@gmail.com> | 2013-12-11 12:54:10 +0000 |
---|---|---|
committer | Pascal Quantin <pascal.quantin@gmail.com> | 2013-12-11 12:54:10 +0000 |
commit | 3b59a3b6925f62ae6a644ecca3a6e43e2ce44abe (patch) | |
tree | b4c53aa621874309b4bd95f4789e8e3adc13ab84 /epan/dissectors | |
parent | c25611b9e763b9281852bb4aaca806bf77a56a2d (diff) |
Fix an out of bounds access found by ASAN and reported by Alexis:
==21553==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffbc0b2a5e at pc 0x7fe8684147a3 bp 0x7fffbc0b2950 sp 0x7fffbc0b2948
READ of size 2 at 0x7fffbc0b2a5e thread T0
#0 0x7fe8684147a2 in dissect_schedule_message /home/alagoutte/wireshark-clang/epan/dissectors/packet-gsm_cbch.c:309
#1 0x7fe867ed70a9 in call_dissector_through_handle /home/alagoutte/wireshark-clang/epan/packet.c:512
#2 0x7fe867eda42c in call_dissector_only /home/alagoutte/wireshark-clang/epan/packet.c:2139
#3 0x7fe867ed70a9 in call_dissector_through_handle /home/alagoutte/wireshark-clang/epan/packet.c:512
#4 0x7fe867ed735b in dissector_try_uint_new /home/alagoutte/wireshark-clang/epan/packet.c:1030
#5 0x7fe868a3ebd4 in decode_udp_ports /home/alagoutte/wireshark-clang/epan/dissectors/packet-udp.c:411
#6 0x7fe868a41886 in dissect /home/alagoutte/wireshark-clang/epan/dissectors/packet-udp.c:747
#7 0x7fe867ed70a9 in call_dissector_through_handle /home/alagoutte/wireshark-clang/epan/packet.c:512
#8 0x7fe867ed6d03 in dissector_try_uint_new /home/alagoutte/wireshark-clang/epan/packet.c:1030
#9 0x7fe8684eaa1f in dissect_ip /home/alagoutte/wireshark-clang/epan/dissectors/packet-ip.c:2401
#10 0x7fe867ed70a9 in call_dissector_through_handle /home/alagoutte/wireshark-clang/epan/packet.c:512
#11 0x7fe867ed735b in dissector_try_uint_new /home/alagoutte/wireshark-clang/epan/packet.c:1030
#12 0x7fe868333e98 in dissect_ethertype /home/alagoutte/wireshark-clang/epan/dissectors/packet-ethertype.c:305
#13 0x7fe867ed707d in call_dissector_through_handle /home/alagoutte/wireshark-clang/epan/packet.c:508
#14 0x7fe867eda42c in call_dissector_only /home/alagoutte/wireshark-clang/epan/packet.c:2139
#15 0x7fe8683328ad in dissect_eth_common /home/alagoutte/wireshark-clang/epan/dissectors/packet-eth.c:472
#16 0x7fe867ed70a9 in call_dissector_through_handle /home/alagoutte/wireshark-clang/epan/packet.c:512
#17 0x7fe867ed735b in dissector_try_uint_new /home/alagoutte/wireshark-clang/epan/packet.c:1030
#18 0x7fe868382460 in dissect_frame /home/alagoutte/wireshark-clang/epan/dissectors/packet-frame.c:485
#19 0x7fe867ed70a9 in call_dissector_through_handle /home/alagoutte/wireshark-clang/epan/packet.c:512
#20 0x7fe867eda42c in call_dissector_only /home/alagoutte/wireshark-clang/epan/packet.c:2139
#21 0x7fe867ed5baf in call_dissector /home/alagoutte/wireshark-clang/epan/packet.c:2169
#22 0x7fe867eb6388 in epan_dissect_run_with_taps /home/alagoutte/wireshark-clang/epan/epan.c:329
#23 0x4a0ef9 in process_packet /home/alagoutte/wireshark-clang/tshark.c:3434
#24 0x49c985 in load_cap_file /home/alagoutte/wireshark-clang/tshark.c:3237
#25 0x7fe860e8ede4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
#26 0x48586c in _start ??:?
Address 0x7fffbc0b2a5e is located in stack of thread T0 at offset 126 in frame
#0 0x7fe86841353f in dissect_cbch /home/alagoutte/wireshark-clang/epan/dissectors/packet-gsm_cbch.c:345
This frame has 2 object(s):
[32, 80) 'new_slots.i'
[128, 224) 'other_slots.i' <== Memory access at offset 126 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
svn path=/trunk/; revision=53934
Diffstat (limited to 'epan/dissectors')
-rw-r--r-- | epan/dissectors/packet-gsm_cbch.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/dissectors/packet-gsm_cbch.c b/epan/dissectors/packet-gsm_cbch.c
index 8117ffb284..a93a2affaa 100644
--- a/epan/dissectors/packet-gsm_cbch.c
+++ b/epan/dissectors/packet-gsm_cbch.c
@@ -301,7 +301,7 @@ dissect_schedule_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree
 ++k;
 }
 }
- else if ((octet1 & 0xC0) == 0)
+ else if (octet1 && ((octet1 & 0xC0) == 0))
 {
 /* MDT 00 */
 if (octet1 < k) |
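Review bot: The new `octet1 &&` test on the MDT 00 branch has no comment saying why zero is excluded, and a zero octet now falls through to the later branches, which lie outside this hunk. The ASAN trace in the commit message shows a 2-byte read two bytes below `other_slots`, which is consistent with a zero value being used as a 1-based index further down this branch; a comment such as `/* octet1 == 0 is not a valid 1-based slot reference and would read before other_slots */` would keep the guard from being dropped in a later cleanup. Since `octet1` comes from the packet, it is also worth confirming that the fall-through path treats zero as malformed input rather than decoding it as another MDT type, and that `k` in `if (octet1 < k)` can never exceed the number of elements in the array. The body of dissect_schedule_message starts and ends outside the hunk.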