Wireshark mailing list archives
Re: Is this a bug in the ipv6 dissector?
From: Pascal Quantin <pascal.quantin () gmail com>
Date: Sat, 3 Jan 2015 20:49:35 +0100
2014-11-28 12:40 GMT+01:00 Pascal Quantin <pascal.quantin () gmail com>:
2014-11-27 16:37 GMT+01:00 Evan Huus <eapache () gmail com>:On Thu, Nov 27, 2014 at 10:21 AM, Alexis La Goutte <alexis.lagoutte () gmail com> wrote:Hi, On Thu, Nov 27, 2014 at 4:13 AM, 蓝常珍 <lanczyx () gmail com> wrote:In the function "dissect_ipv6" of the ipv6 dissector(packet-ipv6.c),the ip6_hdr struct is allocated on the stack,then it's address is passed to tap_queue_packet.I notice that the other dissectors do not look like this. The code snippet of the dissect_ipv6 function,from dev-version 1.99.0: static void dissect_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { struct ip6_hdr ipv6; ... tap_queue_packet(ipv6_tap, pinfo, &ipv6); ... }What the bug ?I think the implication is that when the tap runs, the pointer will be invalid because the stack frame will have been destroyed. So any tap trying to access that structure will cause an invalid memory access?Hi, yes I agree. Fortunately it looks like there is no listener for this tap (unless I missed it). Should we fix it or remove it completely?
Actually there are users of this tap. I fixed it in https://code.wireshark.org/review/#/c/6276/ Regards, Pascal.
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Re: Is this a bug in the ipv6 dissector? Pascal Quantin (Jan 03)