Wireshark mailing list archives

Re: Is this a bug in the ipv6 dissector?


From: Pascal Quantin <pascal.quantin () gmail com>
Date: Sat, 3 Jan 2015 20:49:35 +0100

2014-11-28 12:40 GMT+01:00 Pascal Quantin <pascal.quantin () gmail com>:


2014-11-27 16:37 GMT+01:00 Evan Huus <eapache () gmail com>:

On Thu, Nov 27, 2014 at 10:21 AM, Alexis La Goutte
<alexis.lagoutte () gmail com> wrote:
Hi,

On Thu, Nov 27, 2014 at 4:13 AM, 蓝常珍 <lanczyx () gmail com> wrote:
In the function "dissect_ipv6" of the ipv6
dissector (packet-ipv6.c), the ip6_hdr struct is allocated on the
stack, then its address is passed to tap_queue_packet. I notice that
the other dissectors do not look like this.

The code snippet of the dissect_ipv6 function, from dev-version 1.99.0:

static void
dissect_ipv6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    struct ip6_hdr ipv6;
    ...
    tap_queue_packet(ipv6_tap, pinfo, &ipv6);
    ...
}
What is the bug?

I think the implication is that when the tap runs, the pointer will be
invalid because the stack frame will have been destroyed. So any tap
trying to access that structure will cause an invalid memory access?


Hi,

Yes, I agree. Fortunately it looks like there is no listener for this tap
(unless I missed it). Should we fix it or remove it completely?


Actually there are users of this tap. I fixed it in
https://code.wireshark.org/review/#/c/6276/

Regards,
Pascal.
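
Added example, not part of the original thread and not Wireshark code: a self-contained C model of the lifetime problem discussed above, where the queue keeps the pointer it is given and listeners dereference it only after the dissector has returned. The names hdr_model, packet_alloc, model_tap_queue, dissect_safe, run_listeners and end_of_packet are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for the two header fields a listener might read. */
struct hdr_model { uint8_t next_header; uint8_t hop_limit; };

#define MAX_QUEUED 8
static const void *queued[MAX_QUEUED]; /* pointers stored now, dereferenced later */
static void *pool[MAX_QUEUED];         /* allocations that live until end_of_packet() */
static int n_queued, n_pool;

/* Hypothetical packet-lifetime allocator: memory is released only by end_of_packet(). */
static void *packet_alloc(size_t len) {
    void *p = (n_pool < MAX_QUEUED) ? malloc(len) : NULL;
    if (p) pool[n_pool++] = p;
    return p;
}

/* Models the queueing step: keeps the caller's pointer and does not copy the data. */
static int model_tap_queue(const void *data) {
    if (n_queued >= MAX_QUEUED) return -1;
    queued[n_queued++] = data;
    return 0;
}

/* The unsafe form would be: struct hdr_model h; ...; model_tap_queue(&h);
 * Here the header lives in packet-lifetime memory instead of the stack frame. */
int dissect_safe(const uint8_t *pkt, size_t len) {
    struct hdr_model *h;
    if (len < 8) return -1;            /* bytes 6 and 7 must be present */
    h = packet_alloc(sizeof *h);
    if (!h) return -1;
    h->next_header = pkt[6];
    h->hop_limit = pkt[7];
    return model_tap_queue(h);
}

/* Listener pass: runs after every dissector has returned; sums the hop limits. */
int run_listeners(void) {
    int i, sum = 0;
    for (i = 0; i < n_queued; i++)
        sum += ((const struct hdr_model *)queued[i])->hop_limit;
    return sum;
}

/* Ends the packet: drops the queue and frees everything the listeners could see. */
void end_of_packet(void) {
    while (n_pool > 0) free(pool[--n_pool]);
    n_queued = 0;
}
```

Building a variant that queues the address of a local with AddressSanitizer's stack-use-after-return detection enabled is one way to make the original defect visible at the listener's read.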