https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12851

Peter Wu <pe...@lekensteyn.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |birol.c...@siemens.com,
                   |                            |fixed-term.Tobias.Scholz@bo
                   |                            |schrexroth.de,
                   |                            |mman...@netscape.net,
                   |                            |pe...@lekensteyn.nl

--- Comment #1 from Peter Wu <pe...@lekensteyn.nl> ---
There are very long loops inside the dissector that do not make much progress
on the passed tvb. See frame 327: we have a TVB of length 40, but there are
43694 iterations that add items to the tree.

Is there a way to know when the loop can be terminated earlier?

The offending commit is likely v2.1.0rc0-3160-gc0e679e (bug 12216), I have
tested it with tshark -r fuzz-2016-09-09-25074.pcap -V > out and then observed
the output and timing.

gdb output:

dissect_PNIO_C_SDU_RTC1 (tvb=0x61d0001814f0, offset=0, pinfo=0x61400000ee58, tree=0x61900014f720, drep=0x7fffffffb080 "") at plugins/profinet/packet-pn-rtc-one.c:501
501             objectCounter = number_io_data_objects_input_cr + number_iocs_input_cr;
(gdb) next
502             while (objectCounter--) {
(gdb) info locals
data_tree = 0x7fffd53b0620
frameOffset = 0
objectCounter = 43694
inputFlag = 1
outputFlag = 0
psInfoText = 0
IODataObject_item = 0x10000000001
IODataObject_item_info = 0x7fffd53b0ce0
IODataObject_tree = 0xffffffff5fe
ModuleID_item = 0x7fffffffb050
ModuleDiff_item = 0x7fffec10e3d6 <compute_offset_and_remaining+45>
moduleName = 0x7fffffffffff
toggleBitSb = 236 '\354'
toggleBitCb = 127 '\177'
f_data = 0
statusbyte = 8 '\b'
controlbyte = 255 '\377'
number_io_data_objects_input_cr = 43690
number_iocs_input_cr = 4
number_io_data_objects_output_cr = 0
number_iocs_output_cr = 0
conversation = 0x7fffd55b3410
station_info = 0x7fffd55b34b0
iocs_object = 0x7fffffffb010
io_data_object = 0x61d000181630
module_diff_info = 0x7fffffffafc0
frame = 0x7fffd53b0310
frame_diff = 0x7fffe0e2b100 <_IO_strn_jumps>
(gdb) p *tvb
$3 = {next = 0x0, ops = 0x7ffff055b2c0 <tvb_subset_ops>, initialized = 1, flags = 0, ds_tvb = 0x61d0001c3920, real_data = 0x61d00019c894 "", length = 40, reported_length = 40, raw_offset = 20}

-- 
You are receiving this mail because:
You are watching all bug changes.
___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe
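
Added example, not part of the bug comment above and not Wireshark code: a stand-alone C model of the loop pattern seen in the gdb session, next to a variant that caps the passes by the bytes left in the buffer. The function names, the result struct and the assumption that every object occupies at least one byte are hypothetical; this is not the fix applied to the dissector.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this model: every object occupies at least one byte. */
#define MIN_OBJECT_LEN 1u

struct walk_result {
    unsigned long iterations; /* loop passes, i.e. tree items that would be added */
    int clamped;              /* 1 if the count exceeded what the buffer can hold */
};

/* Pattern from the gdb session: the loop runs off the counter alone. */
static struct walk_result walk_by_count(size_t buf_len, uint32_t object_count)
{
    struct walk_result r = {0, 0};
    size_t offset = 0;
    while (object_count--) {
        if (buf_len - offset >= MIN_OBJECT_LEN)
            offset += MIN_OBJECT_LEN;   /* progress only while data remains */
        r.iterations++;                 /* an item is added on every pass */
    }
    return r;
}

/* Bounded variant: never run more passes than the buffer can hold objects. */
static struct walk_result walk_by_remaining(size_t buf_len, uint32_t object_count)
{
    struct walk_result r = {0, 0};
    size_t max_objects = buf_len / MIN_OBJECT_LEN;
    if (object_count > max_objects) {
        object_count = (uint32_t)max_objects;
        r.clamped = 1;                  /* a dissector could flag this as malformed */
    }
    while (object_count--)
        r.iterations++;
    return r;
}

int main(void)
{
    /* Constructed input from the gdb values: length 40, 43690 + 4 objects. */
    struct walk_result a = walk_by_count(40, 43690u + 4u);
    struct walk_result b = walk_by_remaining(40, 43690u + 4u);
    printf("by count:     %lu passes\n", a.iterations);
    printf("by remaining: %lu passes, clamped=%d\n", b.iterations, b.clamped);
    return 0;
}
```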
