11830 – Wireshark static out-of-bounds read in dissect_zcl_pwr_prof_pwrprofstatersp

Bug 11830 - Wireshark static out-of-bounds read in dissect_zcl_pwr_prof_pwrprofstatersp

Summary: Wireshark static out-of-bounds read in dissect_zcl_pwr_prof_pwrprofstatersp

Status:	RESOLVED FIXED

Alias:	None

Product:	Wireshark
Classification:	Unclassified
Component:	Dissection engine (libwireshark) (show other bugs)
Version:	Git
Hardware:	All All

Importance:	Low Major (vote)
Target Milestone:	---
Assignee:	Bugzilla Administrator

URL:

Depends on:
Blocks:

Reported:	2015-11-30 16:38 UTC by Mateusz Jurczyk
Modified:	2016-02-05 20:45 UTC (History)
CC List:	0 users

See Also:

Attachments
Reproducers. (1.04 KB, application/zip) 2015-11-30 16:38 UTC, Mateusz Jurczyk	Details
Reproducer for the second described crash. (190 bytes, application/vnd.tcpdump.pcap) 2015-11-30 16:48 UTC, Mateusz Jurczyk	Details
Reproducer for the third described crash. (109 bytes, application/vnd.tcpdump.pcap) 2015-11-30 17:05 UTC, Mateusz Jurczyk	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mateusz Jurczyk 2015-11-30 16:38:47 UTC

Created attachment 14090 [details]
Reproducers.

Build Information:
Wireshark git master.
--
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

Attached are three files which trigger the crash.

--- cut ---
==7849==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f8e33764094 at pc 0x7f8e29788726 bp 0x7ffe27806640 sp 0x7ffe27806638
READ of size 4 at 0x7f8e33764094 thread T0
    #0 0x7f8e29788725 in dissect_zcl_pwr_prof_pwrprofstatersp wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21
    #1 0x7f8e2977f2be in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3494:21
    #2 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #3 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #4 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #5 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #6 0x7f8e297738ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
    #7 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #8 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #9 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #10 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #11 0x7f8e2974de40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21
    #12 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #13 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #14 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #15 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #16 0x7f8e29757897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
    #17 0x7f8e297518aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
    #18 0x7f8e29752ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
    #19 0x7f8e271ab417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
    #20 0x7f8e2826863b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
    #21 0x7f8e2825e35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5
    #22 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #23 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #24 0x7f8e271a2dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #25 0x7f8e27eb25f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #26 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #27 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #28 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #29 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #30 0x7f8e2719e33b in dissect_record wireshark/epan/packet.c:501:3
    #31 0x7f8e2714c3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #32 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #34 0x515daf in main wireshark/tshark.c:2197:13

0x7f8e33764094 is located 44 bytes to the left of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f8e337640c0) of size 64
0x7f8e33764094 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_pwrprofiles' defined in 'packet-zbee-zcl-general.c:3328:13' (0x7f8e33764080) of size 20
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21 in dissect_zcl_pwr_prof_pwrprofstatersp
Shadow bytes around the buggy address:
  0x0ff2466e47c0: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
  0x0ff2466e47d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff2466e47e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0ff2466e47f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2466e4800: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
=>0x0ff2466e4810: 00 00[04]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff2466e4820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2466e4830: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff2466e4840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2466e4850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2466e4860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7849==ABORTING
--- cut ---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Comment 1 Mateusz Jurczyk 2015-11-30 16:47:53 UTC

Update: there is also a similar crash due to out-of-bounds access to the global "ett_zbee_zcl_pwr_prof_enphases" array, see the report below.

Attached is a file which triggers the crash.

--- cut ---
==8228==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f0d4f321100 at pc 0x7f0d45344cd5 bp 0x7fff69e4e4a0 sp 0x7fff69e4e498
READ of size 4 at 0x7f0d4f321100 thread T0
    #0 0x7f0d45344cd4 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25
    #1 0x7f0d4533bd04 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3463:21
    #2 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #3 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #4 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #5 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #6 0x7f0d453308ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
    #7 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #8 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #9 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #10 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #11 0x7f0d4530b750 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1680:9
    #12 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #13 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #14 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #15 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #16 0x7f0d4530aee1 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1033:13
    #17 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #18 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #19 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #20 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #21 0x7f0d45314897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
    #22 0x7f0d4530e8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
    #23 0x7f0d4530fef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
    #24 0x7f0d42d68417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
    #25 0x7f0d43e2563b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
    #26 0x7f0d43e1b40a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:594:5
    #27 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #28 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #29 0x7f0d42d5fdbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #30 0x7f0d43a6f5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #31 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #32 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #33 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #34 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #35 0x7f0d42d5b33b in dissect_record wireshark/epan/packet.c:501:3
    #36 0x7f0d42d093c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #37 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #38 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #39 0x515daf in main wireshark/tshark.c:2197:13

0x7f0d4f321100 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:4460:13' (0x7f0d4f321120) of size 128
0x7f0d4f321100 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f0d4f3210c0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25 in dissect_zcl_pwr_prof_enphsschednotif
Shadow bytes around the buggy address:
  0x0fe229e5c1d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fe229e5c1e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0fe229e5c1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c200: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0fe229e5c210: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0fe229e5c220:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c230: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fe229e5c240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8228==ABORTING
--- cut ---

Comment 2 Mateusz Jurczyk 2015-11-30 16:48:28 UTC

Created attachment 14091 [details]
Reproducer for the second described crash.

Comment 3 Mateusz Jurczyk 2015-11-30 17:05:13 UTC

Furthermore, there is yet another similar condition in a somewhat related area of code, see the attached file and report below:

--- cut ---
==8856==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f148fad2900 at pc 0x7f1485afc15d bp 0x7ffd41dc3de0 sp 0x7ffd41dc3dd8
READ of size 4 at 0x7f148fad2900 thread T0
    #0 0x7f1485afc15c in dissect_zcl_appl_evtalt_get_alerts_rsp wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21
    #1 0x7f1485afab0f in dissect_zbee_zcl_appl_evtalt wireshark/epan/dissectors/packet-zbee-zcl-ha.c:818:21
    #2 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #3 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #4 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #5 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #6 0x7f1485ae18ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
    #7 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #8 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #9 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #10 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #11 0x7f1485abbe40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21
    #12 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #13 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #14 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #15 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #16 0x7f1485ac5897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
    #17 0x7f1485abf8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
    #18 0x7f1485ac0ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
    #19 0x7f1483519417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
    #20 0x7f14845d663b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
    #21 0x7f14845cc35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5
    #22 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #23 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #24 0x7f1483510dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #25 0x7f14842205f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #26 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #27 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #28 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #29 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #30 0x7f148350c33b in dissect_record wireshark/epan/packet.c:501:3
    #31 0x7f14834ba3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #32 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #34 0x515daf in main wireshark/tshark.c:2197:13

0x7f148fad2900 is located 32 bytes to the left of global variable 'ett' defined in 'packet-zbee-zcl-ha.c:1391:18' (0x7f148fad2920) of size 136
0x7f148fad2900 is located 0 bytes to the right of global variable 'ett_zbee_zcl_appl_evtalt_alerts_struct' defined in 'packet-zbee-zcl-ha.c:698:13' (0x7f148fad28e0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21 in dissect_zcl_appl_evtalt_get_alerts_rsp
Shadow bytes around the buggy address:
  0x0fe311f524d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f524e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f524f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe311f52520:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52530: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0fe311f52540: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fe311f52550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8856==ABORTING
--- cut ---

Comment 4 Mateusz Jurczyk 2015-11-30 17:05:46 UTC

Created attachment 14092 [details]
Reproducer for the third described crash.

Comment 5 Gerrit Code Review 2015-12-12 02:50:35 UTC

Change 12555 had a related patch set uploaded by Michael Mann:
Range check ett_ array access.

https://code.wireshark.org/review/12555

Comment 6 Gerrit Code Review 2015-12-12 14:07:10 UTC

Change 12555 merged by Michael Mann:
Range check ett_ array access.

https://code.wireshark.org/review/12555

Comment 7 Gerrit Code Review 2015-12-12 14:07:23 UTC

Change 12568 had a related patch set uploaded by Michael Mann:
Range check ett_ array access.

https://code.wireshark.org/review/12568

Comment 8 Gerrit Code Review 2015-12-12 14:07:30 UTC

Change 12568 merged by Michael Mann:
Range check ett_ array access.

https://code.wireshark.org/review/12568

Comment 9 Gerrit Code Review 2015-12-12 14:07:39 UTC

Change 12569 had a related patch set uploaded by Michael Mann:
Range check ett_ array access.

https://code.wireshark.org/review/12569

Comment 10 Gerrit Code Review 2015-12-12 14:07:54 UTC

Change 12569 merged by Michael Mann:
Range check ett_ array access.

https://code.wireshark.org/review/12569

Comment 11 Mateusz Jurczyk 2016-01-11 13:47:43 UTC

I'm reopening this bug, as it turns out that the provided patch only fixes the first reported problem, and doesn't address the other ones (i.e. similar issues in functions dissect_zcl_pwr_prof_enphsschednotif and dissect_zcl_appl_evtalt_get_alerts_rsp).

Comment 12 Gerrit Code Review 2016-02-05 20:45:24 UTC

Change 13771 had a related patch set uploaded by Balint Reczey:
Range check ett_ array access.

https://code.wireshark.org/review/13771

Comment 13 Gerrit Code Review 2016-02-05 20:45:32 UTC

Change 13771 merged by Balint Reczey:
Range check ett_ array access.

https://code.wireshark.org/review/13771