On Thu, May 30, 2002 at 12:27:26PM -0700, Guy Harris wrote:
> No - I just downloaded the capture, and tried it with a recent CVS
> version of tcpdump, and it crashed.
> 
> I'll look into fixing it.

Well, the problem appears to be that the "TTEST2()" macro:

        /* True if  "l" bytes of "var" were captured */
        #define TTEST2(var, l) ((u_char *)&(var) <= snapend - (l))

is insufficiently robust; if "l" is large enough, "snapend - l" could be
greater than (point after) "snapend", so that the check would succeed.

"l", in this case is somewhere > 2^30, so that could - and did - happen.

        /* True if  "l" bytes of "var" were captured */
        #define TTEST2(var, l) (snapend - (l) < snapend && \
                (const u_char *)&(var) <= snapend - (l))

should handle that case (and does handle that case for the capture file
attached to the Red Hat bug report) - if "l" is a constant (most if not
all constants in calls to TTEST2 and macros that call it are small),
it's doing an extra test, but if that matters, many of the cases where
"l" is a constant could probably be optimized by replacing "TTEST()"
with

        /* True if "var" was captured */
        #define TTEST(var) ((u_char *)&(var) <= snapend - (sizeof var))

and replacing "TCHECK()" with

        /* Bail if "var" was not captured */
        #define TCHECK(var) if (!TTEST(var)) goto trunc

but I'm inclined not to bother with that optimization for now.

I have vague memories that this issue came up at some point (and have
vague memories of Bill Fenner being involved with the discussion), but
don't remember where the discussion was or what conclusions we came to.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
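An added illustration of the checks discussed above (not code from the message or from tcpdump): pointers are modelled as 32-bit unsigned integers so the wraparound in "snapend - l" is reproduced deterministically rather than through undefined pointer arithmetic. The snapshot layout is constructed, and the third, length-based check is an alternative formulation not proposed in the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model pointers as 32-bit unsigned integers so the wraparound in
 * "snapend - l" is deterministic and not undefined pointer arithmetic. */
typedef uint32_t addr_t;

/* Original TTEST2 logic: when l > snapend the subtraction wraps to a
 * large value and the check wrongly passes. */
static bool ttest2_original(addr_t var, addr_t snapend, uint32_t l)
{
    return var <= (addr_t)(snapend - l);
}

/* TTEST2 as proposed in the message: reject if snapend - l wrapped. */
static bool ttest2_proposed(addr_t var, addr_t snapend, uint32_t l)
{
    return (addr_t)(snapend - l) < snapend && var <= (addr_t)(snapend - l);
}

/* Length-based alternative (assumption, not from the message): compare the
 * requested length against the bytes remaining after var, so nothing is
 * ever subtracted from snapend. */
static bool ttest2_remaining(addr_t var, addr_t snapend, uint32_t l)
{
    return var <= snapend && l <= snapend - var;
}

/* Constructed scenario: 64-byte snapshot at 0x1000, field at offset 0x10. */
#define SNAP_BASE 0x1000u
#define SNAP_END  (SNAP_BASE + 64u)
#define FIELD     (SNAP_BASE + 0x10u)

int main(void)
{
    /* in range, one past the end, the > 2^30 case from the report, zero */
    const uint32_t lens[] = { 16u, 49u, 0x40000001u, 0u };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("l=%10u original=%d proposed=%d remaining=%d\n", lens[i],
               ttest2_original(FIELD, SNAP_END, lens[i]),
               ttest2_proposed(FIELD, SNAP_END, lens[i]),
               ttest2_remaining(FIELD, SNAP_END, lens[i]));
    }
    return 0;
}
```

Note that the proposed macro rejects l == 0 (since "snapend - 0 < snapend" is false), while the original and the length-based check accept it; whether any caller passes a zero length decides if that matters.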