On Thu, Oct 10, 2002 at 10:13:16AM -0700, Jaime Fournier wrote:
> I have found that the dissector for AFS is causing
> tethereal/ethereal to die on certain packets.
> I have provided a backtrace of the crash that I can
> reproduce with a large capture file I have.
It's crashing because it's being asked to allocate a huge amount of
memory; the "OUT_RXString()" does
    i = tvb_get_ntohl(tvb, offset); \
    offset += 4; \
    len = ((i+4-1)/4)*4; \
    tmp = g_malloc(i+1); \
    memcpy(tmp, tvb_get_ptr(tvb,offset,i), i); \
    tmp[i] = '\0'; \
which will, if the length value is bogus (for whatever reason) and
overly large, fail in "g_malloc()" rather than failing by throwing a
"mangled packet" exception, the latter being what it *should* do.
Doing it as
    i = tvb_get_ntohl(tvb, offset); \
    offset += 4; \
    p = tvb_get_ptr(tvb,offset,i); \
    len = ((i+4-1)/4)*4; \
    tmp = g_malloc(i+1); \
    memcpy(tmp, p, i); \
    tmp[i] = '\0'; \
(with an additional temporary variable "p" - or whatever name makes it
work) - should fix that.
I'll test that and check it in.
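The two orderings described in the reply, as an added, self-contained illustration (not code from the message or from Ethereal's AFS dissector). It uses a constructed stand-in for the tvbuff whose bounds-checked reads report failure through a flag instead of throwing, and a capped allocator standing in for g_malloc(), so that a packet carrying a bogus length can be fed to both versions of the string-reading step.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a tvbuff: the packet bytes plus their length. */
typedef struct { const uint8_t *data; size_t len; } tvb_t;

/* Bounds-checked access. Returns NULL and sets *bad where the real
   tvb_get_ptr()/tvb_get_ntohl() would throw a mangled-packet exception. */
static const uint8_t *tvb_ptr(const tvb_t *t, size_t off, size_t n, int *bad) {
    if (off > t->len || n > t->len - off) { *bad = 1; return NULL; }
    return t->data + off;
}
static uint32_t tvb_ntohl(const tvb_t *t, size_t off, int *bad) {
    const uint8_t *p = tvb_ptr(t, off, 4, bad);
    if (!p) return 0;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Stand-in for g_malloc(): the real one aborts the process when a request
   cannot be met; a 64 MiB cap (assumed here) makes that failure visible as NULL. */
#define ALLOC_CAP (64u << 20)
static char *dissector_alloc(size_t n) { return n > ALLOC_CAP ? NULL : malloc(n); }
enum { RX_OK, RX_MALFORMED, RX_ALLOC_FAILED };

/* Original OUT_RXString order: allocate from the untrusted length, then check. */
static int out_rxstring_before(const tvb_t *t, size_t off, char **out) {
    int bad = 0;
    uint32_t i = tvb_ntohl(t, off, &bad);
    if (bad) return RX_MALFORMED;
    char *tmp = dissector_alloc((size_t)i + 1);
    if (!tmp) return RX_ALLOC_FAILED;          /* would be an abort inside g_malloc() */
    const uint8_t *p = tvb_ptr(t, off + 4, i, &bad);
    if (bad) { free(tmp); return RX_MALFORMED; }
    memcpy(tmp, p, i); tmp[i] = '\0'; *out = tmp; return RX_OK;
}

/* Fixed order from the reply: fetch the pointer (and so bounds-check the
   length against the captured bytes) before any allocation happens. */
static int out_rxstring_after(const tvb_t *t, size_t off, char **out) {
    int bad = 0;
    uint32_t i = tvb_ntohl(t, off, &bad);
    if (bad) return RX_MALFORMED;
    const uint8_t *p = tvb_ptr(t, off + 4, i, &bad);
    if (bad) return RX_MALFORMED;              /* bogus length rejected, nothing allocated */
    char *tmp = dissector_alloc((size_t)i + 1);
    if (!tmp) return RX_ALLOC_FAILED;
    memcpy(tmp, p, i); tmp[i] = '\0'; *out = tmp; return RX_OK;
}
```

With a well-formed string both versions return RX_OK; with a length field far larger than the captured bytes, the original order reaches the allocator and fails there, while the reordered version reports a malformed packet before allocating anything.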