Wireshark-bugs: [Wireshark-bugs] [Bug 3938] New: ESP dissector has integer underflow
Date: Tue, 25 Aug 2009 07:14:26 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3938

Summary: ESP dissector has integer underflow
Product: Wireshark
Version: SVN
Platform: x86
OS/Version: Debian
Status: NEW
Severity: Major
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: laforge@xxxxxxxxxxxx

Build Information:
wireshark svn rev. 29482, built on Debian unstable, x86
--
when loading a certain pcap (which I cannot provide [yet], sorry), wireshark crashes with the following message:

    GLib-ERROR **: /build/buildd-glib2.0_2.20.4-1-i386-6KfM1O/glib2.0-2.20.4/glib/gmem.c:136: failed to allocate 4294967293 bytes
    aborting...
    [1]    28478 abort (core dumped)  ~/projects/svn/wireshark/wireshark ./reboot-call-sms.pcap

gdb tells me:

    Program terminated with signal 6, Aborted.
    #0  0xb80ba424 in __kernel_vsyscall ()
    (gdb) bt
    #0  0xb80ba424 in __kernel_vsyscall ()
    #1  0xb5a433d0 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
    #2  0xb5a46a85 in *__GI_abort () at abort.c:88
    #3  0xb5ce740c in g_logv () from /usr/lib/libglib-2.0.so.0
    #4  0xb5ce7436 in g_log () from /usr/lib/libglib-2.0.so.0
    #5  0xb5ce592e in g_malloc () from /usr/lib/libglib-2.0.so.0
    #6  0xb5cfdfce in g_memdup () from /usr/lib/libglib-2.0.so.0
    #7  0xb6ab20cc in dissect_esp (tvb=0xa63b3a8, pinfo=0xbffd5cc4, tree=0xa386590) at packet-ipsec.c:2419
    #8  0xb675a895 in call_dissector_through_handle (handle=0x9d383e8, tvb=0xa63b3a8, pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:376
    #9  0xb675b06e in call_dissector_work (handle=0x9d383e8, tvb=0xa63b3a8, pinfo_arg=0xbffd5cc4, tree=0xa386590, add_proto_name=1) at packet.c:467
    #10 0xb675c279 in dissector_try_port_new (sub_dissectors=0x9d46760, port=50, tvb=0xa63b3a8, pinfo=0xbffd5cc4, tree=0xa386590, add_proto_name=1) at packet.c:866
    #11 0xb675c2e1 in dissector_try_port (sub_dissectors=0x9d46760, port=50, tvb=0xa63b3a8, pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:892
    #12 0xb6ab2841 in dissect_esp (tvb=0xa63b338, pinfo=0xbffd5cc4, tree=0xa386590) at packet-ipsec.c:2454
    #13 0xb675a895 in call_dissector_through_handle (handle=0x9d383e8, tvb=0xa63b338, pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:376
    #14 0xb675b06e in call_dissector_work (handle=0x9d383e8, tvb=0xa63b338, pinfo_arg=0xbffd5cc4, tree=0xa386590, add_proto_name=1) at packet.c:467
    #15 0xb675b20a in call_dissector (handle=0x9d383e8, tvb=0xa63b338, pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:1796
    #16 0xb6ab35dd in dissect_udpencap (tvb=0xa63b338, pinfo=0xbffd5cc4, tree=0xa386590) at packet-ipsec-udp.c:81
    #17 0xb675a895 in call_dissector_through_handle (handle=0xa118bb0, tvb=0xa63b338, pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:376
    #18 0xb675b06e in call_dissector_work (handle=0xa118bb0, tvb=0xa63b338, pinfo_arg=0xbffd5cc4, tree=0xa386590, add_proto_name=1) at packet.c:467
    #19 0xb675c279 in dissector_try_port_new (sub_dissectors=0xa00af38, port=4500, tvb=0xa63b338, pinfo=0xbffd5cc4, tree=0xa386590, add_proto_name=1) at packet.c:866
    #20 0xb675c2e1 in dissector_try_port (sub_dissectors=0xa00af38, port=4500, tvb=0xa63b338, pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:892
    #21 0xb6d95bb4 in decode_udp_ports (tvb=0xa63b300, offset=8, pinfo=0xbffd5cc4, tree=0xa386590, uh_sport=4500, uh_dport=4500, uh_ulen=124) at packet-udp.c:286
    #22 0xb6d96333 in dissect (tvb=0xa63b300, pinfo=0xbffd5cc4, tree=0xa386590, ip_proto=17) at packet-udp.c:588
    #23 0xb675a895 in call_dissector_through_handle (handle=0xa00aef8, tvb=0xa63b300, pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:376
    #24 0xb675b06e in call_dissector_work (handle=0xa00aef8, tvb=0xa63b300, pinfo_arg=0xbffd5cc4, tree=0xa386590, add_proto_name=1) at packet.c:467
    #25 0xb675c279 in dissector_try_port_new (sub_dissectors=0x9d46760, port=17, tvb=0xa63b300, pinfo=0xbffd5cc4, tree=0xa386590, add_proto_name=1) at packet.c:866
    #26 0xb675c2e1 in dissector_try_port (sub_dissectors=0x9d46760, port=17, tvb=0xa63b300, pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:892
    #27 0xb6aa8e3e in dissect_ip (tvb=0xa63b2c8, pinfo=0xbffd5cc4, parent_tree=0xa386590) at packet-ip.c:1668
    #28 0xb675a895 in call_dissector_through_handle (handle=0x9d145f8, tvb=0xa63b2c8, pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:376

Further investigation:

    (gdb) frame 7
    #7  0xb6ab20cc in dissect_esp (tvb=0xa63b3a8, pinfo=0xbffd5cc4, tree=0xa386590) at packet-ipsec.c:2419
    2419      tvb_decrypted = tvb_new_child_real_data(tvb, g_memdup(decrypted_data+sizeof(guint8)*esp_iv_len,(decrypted_len - esp_iv_len)*sizeof(guint8)), decrypted_len - esp_iv_len, decrypted_len - esp_iv_len);
    (gdb) p decrypted_len
    $1 = 0
    (gdb) p esp_iv_len
    $3 = 16

which means decrypted_len - esp_iv_len will render a negative value and thus cause the problem.
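The length arithmetic the report points at, rebuilt as an added example (this is not Wireshark's code; the function names, the guint typedef and the sample buffer are constructed here): the unguarded subtraction wraps to a value near 4 GiB when decrypted_len is smaller than esp_iv_len, which is the size that then reaches the allocator, while the guarded version rejects that case before any copy is attempted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned int guint;   /* stand-in for GLib's guint (32-bit unsigned) */

/* Unguarded form of packet-ipsec.c:2419's length term. With unsigned
 * operands, 0 - 16 wraps instead of going negative, so the caller asks
 * g_memdup() for a huge block. Returns the wrapped size on purpose. */
static guint payload_len_unchecked(guint decrypted_len, guint esp_iv_len)
{
    return decrypted_len - esp_iv_len;
}

/* Guarded form: a decrypted buffer that cannot even hold the IV has no
 * payload to hand on. Returns false instead of a wrapped length. */
static bool payload_len_checked(guint decrypted_len, guint esp_iv_len, guint *out)
{
    if (decrypted_len < esp_iv_len)
        return false;
    *out = decrypted_len - esp_iv_len;
    return true;
}

/* Copies the post-IV payload, or returns NULL when the check fails.
 * Caller frees the result. */
static uint8_t *copy_esp_payload(const uint8_t *decrypted, guint decrypted_len,
                                 guint esp_iv_len, guint *out_len)
{
    guint n;
    if (!payload_len_checked(decrypted_len, esp_iv_len, &n))
        return NULL;
    uint8_t *p = malloc(n ? n : 1);
    if (p == NULL)
        return NULL;
    memcpy(p, decrypted + esp_iv_len, n);
    *out_len = n;
    return p;
}

/* Constructed sample: 16-byte IV followed by an 8-byte payload. */
static const uint8_t SAMPLE_DECRYPTED[24] = {
    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x10, 0x20 };

/* Payload length obtained for the sample, or 0 if the copy was refused. */
static guint sample_payload_len(guint decrypted_len)
{
    guint n = 0;
    uint8_t *p = copy_esp_payload(SAMPLE_DECRYPTED, decrypted_len, 16, &n);
    free(p);
    return p ? n : 0;
}
```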