Ethereal-dev: [Ethereal-dev] Ethereal core dump

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Pierre-Yves Bonnetain <bonnetain@xxxxxxx>
Date: Fri, 08 Mar 2002 09:32:16 +0100
   Hello you all,

   Still playing with Ethereal on my data, which today comes from a test
network where I am playing with some attack tools. And lo, ethereal core dumps
again.

[bonnetain@maquette]$ tethereal -v
tethereal 0.8.20, with GLib 1.2.6, with libpcap 0.6, with libz 1.1.3, 
with CMU SNMP V1.14, Shared (1:14:0)

Beginning of stack backtrace is:

(gdb) where
#0  asn1_oid_value_decode (asn1=0xbffff10c, enc_len=2147483647, 
    oid=0xbfffe8a4, len=0xbfffe8a8) at asn1.c:813
#1  0x8127392 in asn1_oid_decode (asn1=0xbffff10c, oid=0xbfffe8a4, 
    len=0xbfffe8a8, nbytes=0xbfffe8f0) at asn1.c:878
#2  0x8102e1f in dissect_common_pdu (tvb=0x830b264, offset=27, 
    pinfo=0x826d140, tree=0x0, asn1={tvb = 0x830b264, offset = 36}, 
    pdu_type=0, start=13) at packet-snmp.c:1225
#3  0x8103d3a in dissect_snmp_pdu (tvb=0x830b264, offset=0, pinfo=0x826d140, 
    tree=0x0, proto_name=0x81d7402 "SNMP", proto=3061, ett=766)
    at packet-snmp.c:1825
#4  0x81044db in dissect_snmp (tvb=0x830b264, pinfo=0x826d140, tree=0x0)
    at packet-snmp.c:2138
#5  0x813a242 in dissector_try_port (sub_dissectors=0x82b6388, port=161, 
    tvb=0x830b264, pinfo=0x826d140, tree=0x0) at packet.c:459
#6  0x810fe19 in decode_udp_ports (tvb=0x830b230, offset=8, pinfo=0x826d140, 
    tree=0x0, uh_sport=1298, uh_dport=161) at packet-udp.c:102
#7  0x8110200 in dissect_udp (tvb=0x830b230, pinfo=0x826d140, tree=0x0)
    at packet-udp.c:227
#8  0x813a242 in dissector_try_port (sub_dissectors=0x8270e48, port=17, 
    tvb=0x830b230, pinfo=0x826d140, tree=0x0) at packet.c:459
#9  0x80a0453 in dissect_ip (tvb=0x830b1fc, pinfo=0x826d140, tree=0x0)
    at packet-ip.c:1109

   Looking at asn1_oid_value_decode, I have:

809         if (subid < 40) {
810             optr[0] = 0;
811             optr[1] = subid;
812         } else if (subid < 80) {
813             optr[0] = 1;
814             optr[1] = subid - 40;
815         } else {

   And, otherwise it would not be fun:

(gdb) print optr
$4 = (subid_t *) 0x0

   This seems to come from:

(gdb) list asn1_oid_value_decode
789     int
790     asn1_oid_value_decode ( ASN1_SCK *asn1, int enc_len, subid_t **oid, guint *len)
791     {
792         int          ret;
793         int          eoc;
794         subid_t      subid;
795         guint        size;
796         subid_t      *optr;
797
798         eoc = asn1->offset + enc_len;
799         size = enc_len + 1;
800         *oid = g_malloc(size * sizeof(gulong));
801         optr = *oid;

   Where I have, surprise surprise...

(gdb) print size
$5 = 2147483648

   A little too big for anyone around here :-)
   Since the g_malloc fails but the fail condition is not checked, I go down
the drain.

   I have attached a mini-tcpdump file (two packets). The second packet is
the offending one.

   Keep me posted as to a patch or any corrective action. I'll be delighted to
1/ analyze my data 2/ help you enhance this great tool.
   Sincerely,

-- Pierre-Yves Bonnetain
   Consultant Sécurité -- B&A Consultants
   Tél +33 (0) 563 277 241 -- Fax +33 (0) 563 277 245

Attachment: sauve.pcap
Description: Binary data
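The failure the report above walks through is a packet-supplied length (enc_len = 2147483647) reaching an allocation with no bounds check and no check on the result. As an added example in C (not Ethereal's code), here is a decoder for the same base-128 OID encoding that validates enc_len against the bytes remaining in the packet and checks the allocation before writing through optr; the function names oid_alloc_checked and decode_oid and the sample bytes in the checks are constructed for this illustration, and subid_t is assumed to be an unsigned long.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

typedef unsigned long subid_t;           /* same name as Ethereal; width assumed */

/* Validate an OID content length taken from the packet before allocating: it
 * must fit in the bytes remaining and enc_len + 1 slots must not wrap size. */
int oid_alloc_checked(size_t remaining, long enc_len, size_t *size)
{
    if (enc_len < 0 || (size_t)enc_len > remaining)
        return -1;                       /* negative, or runs past end of packet */
    if ((size_t)enc_len > SIZE_MAX / sizeof(subid_t) - 1)
        return -1;                       /* size * sizeof(subid_t) would wrap */
    *size = (size_t)enc_len + 1;         /* one slot per byte, plus the split first arc */
    return 0;
}

/* Decode base-128 OID subidentifiers the way asn1_oid_value_decode does, with
 * the length and NULL checks the backtrace above shows were missing. */
int decode_oid(const unsigned char *buf, size_t remaining, long enc_len,
               subid_t **oid, size_t *len)
{
    size_t size, i, n = 0;
    subid_t *optr, subid = 0;
    int more = 0;
    if (oid_alloc_checked(remaining, enc_len, &size) != 0)
        return -1;
    if ((optr = malloc(size * sizeof(subid_t))) == NULL)
        return -1;                       /* the failure check the original skips */
    for (i = 0; i < (size_t)enc_len; i++) {
        unsigned char b = buf[i];
        if (subid > (ULONG_MAX >> 7)) { free(optr); return -1; } /* subid would overflow */
        subid = (subid << 7) | (b & 0x7f);
        more = b & 0x80;                 /* high bit set: subid continues in next byte */
        if (more) continue;
        if (n == 0) {                    /* first value packs two arcs (asn1.c:809-815) */
            optr[0] = subid < 40 ? 0 : subid < 80 ? 1 : 2;
            optr[1] = subid - 40 * optr[0];
            n = 2;
        } else {
            optr[n++] = subid;
        }
        subid = 0;
    }
    if (more || n == 0) { free(optr); return -1; } /* truncated or empty OID */
    *oid = optr;
    *len = n;
    return 0;
}
```

With the reported enc_len of 2147483647 the first check rejects the value before any allocation happens, so the NULL optr seen in gdb never arises.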