Wireshark-bugs: [Wireshark-bugs] [Bug 1823] New: crash on fuzzed capture in RTSE dissector
Date: Wed, 5 Sep 2007 01:09:52 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1823

Summary: crash on fuzzed capture in RTSE dissector
Product: Wireshark
Version: SVN
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Critical
Priority: High
Component: TShark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: jeff.morriss@xxxxxxxxxxx

Build Information:
TShark 0.99.7 (SVN Rev 22791)

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.12.9, with libpcap 0.9.4, with libz 1.2.3, without libpcre,
without SMI, without ADNS, without Lua, with GnuTLS 1.4.1, with Gcrypt 1.2.3,
with MIT Kerberos.

NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.

Running on Linux 2.6.22.2-42.fc6, with libpcap version 0.9.4.

Built using gcc 4.1.2 20070626 (Red Hat 4.1.2-13).
--
I got a crash on a fuzz'd file from the Wiki SampleCaptures:

../caps/SampleCaptures/p772-transfer-success.pcap.gz:
tools/fuzz-test.sh: line 108:  1870 Segmentation fault      (core dumped) "$TSHARK" $TSHARK_ARGS $TMP_DIR/$TMP_FILE >/dev/null 2>$TMP_DIR/$ERR_FILE

backtrace is:

#0  0x0117c5ce in dissect_indirect_reference (tree=0xa4ba750, tvb=0xa3d5ea8, offset=0, actx=0xbfdd8fc0) at rtse.cnf:125
#1  0x00b484b0 in dissect_ber_old_sequence (implicit_tag=1, actx=0xbfdd8fc0, parent_tree=0xa4ba750, tvb=0xa4bc5a8, offset=dwarf2_read_address: Corrupted DWARF expression. ) at packet-ber.c:1914
#2  0x0117b93a in dissect_rtse_EXTERNALt (implicit_tag=0, tvb=0xa4bc5a8, offset=0, actx=0xbfdd8fc0, tree=0xa4ba750, hf_index=-1) at rtse.cnf:111
#3  0x0117bb97 in dissect_rtse (tvb=0xa4bc570, pinfo=0xa4b15e0, parent_tree=0xa4b18d0) at packet-rtse-template.c:257
#4  0x00a74a68 in call_dissector_through_handle (handle=0xa2db768, tvb=0xa4bc570, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:396
#5  0x00a74d37 in call_dissector_work (handle=0xa2db768, tvb=0xa4bc570, pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF expression. ) at packet.c:574
#6  0x00a754e3 in dissector_try_string (sub_dissectors=0x9f9ece8, string=0xb5e8b2e8 "2.6.0.2.12", tvb=0xa4bc570, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:1093
#7  0x00b4a7b7 in call_ber_oid_callback (oid=0xb5e8b2e8 "2.6.0.2.12", tvb=0xa4bc6a8, offset=0, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet-ber.c:579
#8  0x010c31a2 in dissect_pres (tvb=0xa4bc6a8, pinfo=0xa4b15e0, parent_tree=0xa4b18d0) at packet-pres-template.c:275
#9  0x00a74a68 in call_dissector_through_handle (handle=0xa1b2ae8, tvb=0xa4bc6a8, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:396
#10 0x00a74d37 in call_dissector_work (handle=0xa1b2ae8, tvb=0xa4bc6a8, pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF expression. ) at packet.c:574
#11 0x00a751f4 in call_dissector (handle=0x0, tvb=0xa4bc6a8, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:1750
#12 0x00e9aeec in dissect_spdu (tvb=0xa4bc670, offset=<value optimized out>, pinfo=0xa4b15e0, tree=0xa4b18d0, tokens=0) at packet-ses.c:1072
#13 0x00e9b120 in dissect_ses (tvb=0xa4bc670, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet-ses.c:1118
#14 0x00e9b283 in dissect_ses_heur (tvb=0xa4bc670, pinfo=0xa4b15e0, parent_tree=0xa4b18d0) at packet-ses.c:1853
#15 0x00a74b46 in dissector_try_heuristic (sub_dissectors=0xa3fd860, tvb=0xa4bc670, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:1571
#16 0x00b97b2d in ositp_decode_DT (tvb=0xa4bc638, offset=<value optimized out>, li=<value optimized out>, tpdu=15 '\017', pinfo=0xa4b15e0, tree=0xa4b18d0, uses_inactive_subset=0, subdissector_found=0xbfdd978c) at packet-clnp.c:1095
#17 0x00b985dc in dissect_ositp_internal (tvb=0xa4bc638, pinfo=0xa4b15e0, tree=0xa4b18d0, uses_inactive_subset=0) at packet-clnp.c:1775
#18 0x00b9a003 in dissect_ositp (tvb=0xa4bc638, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet-clnp.c:1830
#19 0x00a74a68 in call_dissector_through_handle (handle=0x9fc96e8, tvb=0xa4bc638, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:396
#20 0x00a74d37 in call_dissector_work (handle=0x9fc96e8, tvb=0xa4bc638, pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF expression. ) at packet.c:574
#21 0x00a751f4 in call_dissector (handle=0x0, tvb=0xa4bc638, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:1750
#22 0x00f35629 in dissect_tpkt_encap (tvb=0xa4bc840, pinfo=0xa4b15e0, tree=0xa4b18d0, desegment=1, subdissector_handle=0x9fc96e8) at packet-tpkt.c:302
#23 0x00f357af in dissect_tpkt (tvb=0xa4bc840, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet-tpkt.c:327
#24 0x00a74a68 in call_dissector_through_handle (handle=0xa43f838, tvb=0xa4bc840, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:396
#25 0x00a74d37 in call_dissector_work (handle=0xa43f838, tvb=0xa4bc840, pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF expression. ) at packet.c:574
#26 0x00a755e3 in dissector_try_port (sub_dissectors=0xa3114a8, port=102, tvb=0xa4bc840, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:850
#27 0x00f22830 in decode_tcp_ports (tvb=0xa4bc808, offset=20, pinfo=0xa4b15e0, tree=0xa4b18d0, src_port=2289, dst_port=102, tcpd=0xb5e8af28) at packet-tcp.c:2270
#28 0x00f22ae6 in process_tcp_payload (tvb=0xa4bc808, offset=20, pinfo=0xa4b15e0, tree=0xa4b18d0, tcp_tree=0xa4b1d98, src_port=2289, dst_port=102, seq=250, nxtseq=1092, is_tcp_segment=1, tcpd=0xb5e8af28) at packet-tcp.c:2329
#29 0x00f231a3 in dissect_tcp_payload (tvb=0xa4bc808, pinfo=0xa4b15e0, offset=20, seq=250, nxtseq=1092, sport=2289, dport=102, tree=0xa4b18d0, tcp_tree=0xa4b1d98, tcpd=0xb5e8af28) at packet-tcp.c:2405
#30 0x00f2538d in dissect_tcp (tvb=0xa4bc808, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet-tcp.c:2999
#31 0x00a74a68 in call_dissector_through_handle (handle=0xa43eeb0, tvb=0xa4bc808, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:396
#32 0x00a74d37 in call_dissector_work (handle=0xa43eeb0, tvb=0xa4bc808, pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF expression. ) at packet.c:574
#33 0x00a755e3 in dissector_try_port (sub_dissectors=0xa0ffce8, port=6, tvb=0xa4bc808, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:850
#34 0x00cff657 in dissect_ip (tvb=0xa4bc788, pinfo=0xa4b15e0, parent_tree=0xa4b18d0) at packet-ip.c:1547
#35 0x00a74a68 in call_dissector_through_handle (handle=0xa107d30, tvb=0xa4bc788, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:396
#36 0x00a74d37 in call_dissector_work (handle=0xa107d30, tvb=0xa4bc788, pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF expression. ) at packet.c:574
#37 0x00a755e3 in dissector_try_port (sub_dissectors=0xa0a0a60, port=2048, tvb=0xa4bc788, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:850
#38 0x00c4e122 in ethertype (etype=2048, tvb=0xa3d5f18, offset_after_etype=14, pinfo=0xa4b15e0, tree=0xa4b18d0, fh_tree=0xa4b1840, etype_id=12717, trailer_id=12719, fcs_len=-1) at packet-ethertype.c:211
#39 0x00c4aef2 in dissect_eth_common (tvb=0xa3d5f18, pinfo=0xa4b15e0, parent_tree=0xa4b18d0, fcs_len=-1) at packet-eth.c:344
#40 0x00a74a68 in call_dissector_through_handle (handle=0xa3fa280, tvb=0xa3d5f18, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:396
#41 0x00a74d37 in call_dissector_work (handle=0xa3fa280, tvb=0xa3d5f18, pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF expression. ) at packet.c:574
#42 0x00a755e3 in dissector_try_port (sub_dissectors=0xa0c3b90, port=1, tvb=0xa3d5f18, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:850
#43 0x00c7cd40 in dissect_frame (tvb=0xa3d5f18, pinfo=0xa4b15e0, parent_tree=0xa4b18d0) at packet-frame.c:299
#44 0x00a74a68 in call_dissector_through_handle (handle=0xa0c4638, tvb=0xa3d5f18, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:396
#45 0x00a74d37 in call_dissector_work (handle=0xa0c4638, tvb=0xa3d5f18, pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF expression. ) at packet.c:574
#46 0x00a751f4 in call_dissector (handle=0x0, tvb=0xa3d5f18, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:1750
#47 0x00a76de7 in dissect_packet (edt=0xa4b15d8, pseudo_header=0xa48bb44, pd=0xa4923a8 "", fd=0xbfddabec, cinfo=0x0) at packet.c:332
#48 0x00a6e18e in epan_dissect_run (edt=0xa4b15d8, pseudo_header=0xa48bb44, data=0xa4923a8 "", fd=0xbfddabec, cinfo=0x0) at epan.c:158
#49 0x08063267 in process_packet (cf=0x8073480, offset=<value optimized out>, whdr=0xa48bb30, pseudo_header=0xa48bb44, pd=0xa4923a8 "") at tshark.c:2403
#50 0x08065e6c in main (argc=3, argv=0xbfddadf4) at tshark.c:2202
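A minimal crash-triage harness of the kind the fuzz-test.sh line quoted in the report is running, written here as an added example; it is neither Wireshark's tools/fuzz-test.sh nor the reporter's own script. It runs a command, turns the 128+N exit status that a POSIX shell reports for a signal-killed child into the signal name the shell printed above ("Segmentation fault"), and on a crash re-runs tshark under gdb in batch mode to capture a backtrace like the one in the report instead of leaving only a core file. The tshark flags (-nVxr), the gdb invocation and the helper names are this example's assumptions; the classification helpers run without tshark installed.

```shell
#!/bin/sh
# Crash-triage helper for dissector fuzzing (added example; not Wireshark's
# tools/fuzz-test.sh). Assumes tshark and gdb are on PATH when triaging
# real captures; TSHARK/TSHARK_ARGS may be overridden from the environment.

TSHARK="${TSHARK:-tshark}"
# Assumption: decode every packet fully, no name resolution, read from file.
TSHARK_ARGS="${TSHARK_ARGS:--nVxr}"

# Map a shell exit status to a signal name. A child killed by signal N exits
# with status 128+N in POSIX shells: 134 = SIGABRT, 136 = SIGFPE, 139 = SIGSEGV.
signal_name_for_status() {
    case "$1" in
        134) echo SIGABRT ;;
        136) echo SIGFPE ;;
        137) echo SIGKILL ;;
        138) echo SIGBUS ;;
        139) echo SIGSEGV ;;
        *)   return 1 ;;
    esac
}

# Run a command with its output silenced and print one of:
#   ok              exit status 0
#   error:<status>  non-zero exit status below 129 (tshark refused the input)
#   crash:<signal>  killed by a signal (the case the bug report shows)
# The if/else form keeps the status readable even when set -e is active.
run_and_classify() {
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        sig=$(signal_name_for_status "$status") || sig="SIG$((status - 128))"
        echo "crash:$sig"
    else
        echo "error:$status"
    fi
}

# Triage one capture: run tshark over it and, only on a crash, re-run it under
# gdb in batch mode so the backtrace is captured alongside the failing file.
triage_capture() {
    cap="$1"
    result=$(run_and_classify "$TSHARK" $TSHARK_ARGS "$cap")
    echo "$cap: $result"
    case "$result" in
        crash:*)
            gdb -batch -ex run -ex bt --args "$TSHARK" $TSHARK_ARGS "$cap" 2>/dev/null
            ;;
    esac
}

# Usage: ./triage.sh capture1.pcap capture2.pcap ...
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        triage_capture "$f"
    done
fi
```

Keep every input that classifies as crash:* together with its gdb output; the pair is what a bug report like this one needs, and the signal name separates memory-safety crashes (SIGSEGV, SIGBUS) from assertion failures (SIGABRT) when sorting a large fuzzing run.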