Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 3062] New: Some Lua scripts may lead to corruption via out of bounds stack

Wireshark-bugs: [Wireshark-bugs] [Bug 3062] New: Some Lua scripts may lead to corruption via out

Date: Fri, 14 Nov 2008 08:43:16 -0800 (PST)

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3062

           Summary: Some Lua scripts may lead to corruption via out of
                    bounds stack
           Product: Wireshark
           Version: SVN
          Platform: PC
        OS/Version: Ubuntu
            Status: NEW
          Severity: Major
          Priority: High
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: mbriggs@xxxxxxxxx



Matthew Briggs <mbriggs@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2489|                            |review_for_checkin?
               Flag|                            |


Created an attachment (id=2489)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=2489)
Patch for epan/wslua/wslua.h

Build Information:
TShark 1.1.2 (SVN Rev 26685)

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.16.4, with libpcap 0.9.8, with libz 1.2.3.3, without POSIX
capabilities, without libpcre, without SMI, without c-ares, without ADNS, with
Lua 5.1, without GnuTLS, without Gcrypt, without Kerberos, without GeoIP.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.

Running on Linux 2.6.24-19-server, with libpcap version 0.9.8.

Built using gcc 4.2.3 (Ubuntu 4.2.3-2ubuntu7).
--
This patch attempts to resolve problems that lead to an out of bounds (Lua)
stack pointer when using Lua scripts.

It first attempts to clean up after the initialization macros:
WSLUA_REGISTER_CLASS and WSLUA_REGISTER_META.

It also uses luaL_checkstack in the push##C macro to ensure there is enough
stack space for the operation. It was found that push functions (e.g.
PushFieldInfo) would be called within loops and exceed the maximum stack size.

Also, my data required that I rebuild the Lua (5.1.2 in my case) library after
changing LUAI_MAXCSTACK in the luaconf.h:

#define LUAI_MAXCSTACK  0x2000 // Worked for me, but may need more?

I would recommend that when performing tests to wslua code, you #define
LUA_USE_APICHECK in luaconf.h as well. This will enable assertions that will
catch an out of bounds stack.

The following is an example script that would cause tshark to segfault some
large smb captures:

  -- define tap filter
  local pp_expr = "smb.cmd"

  -- smb
  smb_file_extr = Field.new("smb.file")

  -- PreProcess Tap
  tap = Listener.new(nil,pp_expr)

  function tap.packet(pinfo)
     -- smb
     local smb_file = smb_file_extr() -- this causes tshark failure in many smb
captures
     io.write(smb_file.value,"\n")
  end


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

Prev by Date: [Wireshark-bugs] [Bug 3061] Error in filtering logic
Next by Date: [Wireshark-bugs] [Bug 3063] New: Improvements for the AIM dissector
Previous by thread: [Wireshark-bugs] [Bug 3061] Error in filtering logic
Next by thread: [Wireshark-bugs] [Bug 3063] New: Improvements for the AIM dissector
Index(es):
- Date
- Thread