Re: [Wireshark-commits] rev 33464: /trunk/epan/dissectors/ /trunk/epan/dissectors/: packet-ber.c

[Jeff Morriss <jeff.morriss.ws () gmail com>]

Gerald Combs wrote:
> morriss () wireshark org wrote:
> > http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=33464
> >
> > User: morriss
> > Date: 2010/07/07 08:52 AM
> >
> > Log:
> >  Fix infinite recursion reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4984 : In 
> > try_get_ber_length() make sure we move forward before recursing.
> >
> > Directory: /trunk/epan/dissectors/
> >   Changes    Path            Action
> >   +57 -56    packet-ber.c    Modified
>
> If I apply the attached debugging code to packet-ber.c I see some high
> stack counts in the fuzz capture from bug 4984. It looks like we're
> still vulnerable to a stack overflow.

Interesting--I don't get any stacks deeper than 10 on that capture file.

> Shouldn't we remove recursion from try_get_ber_length or at least throw
> an exception when we run into, say, 5 levels of nesting?

I don't know enough to say what's a valid depth.

In looking at the sample captures I have, I only got to a depth above 10 
on one which is probably supposed to be valid but throws an exception in 
the end.

But this sample capture:

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=c06-ldapv3-enc-r1.pcap.gz

gets depths as high as 25,604...
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe