Wireshark-bugs: [Wireshark-bugs] [Bug 3938] New: ESP dissector has integer underflow

Date: Tue, 25 Aug 2009 07:14:26 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3938

           Summary: ESP dissector has integer underflow
           Product: Wireshark
           Version: SVN
          Platform: x86
        OS/Version: Debian
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: laforge@xxxxxxxxxxxx


Build Information:
wireshark svn rev. 29482, built on Debian unstable, x86
--
when loading a certain pcap (which I cannot provide [yet], sorry), wireshark
crashes with the following message:

GLib-ERROR **:
/build/buildd-glib2.0_2.20.4-1-i386-6KfM1O/glib2.0-2.20.4/glib/gmem.c:136:
failed to allocate 4294967293 bytes
aborting...
[1]    28478 abort (core dumped)  ~/projects/svn/wireshark/wireshark
./reboot-call-sms.pcap

gdb tells me:

Program terminated with signal 6, Aborted.
#0  0xb80ba424 in __kernel_vsyscall ()
(gdb) bt
#0  0xb80ba424 in __kernel_vsyscall ()
#1  0xb5a433d0 in *__GI_raise (sig=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xb5a46a85 in *__GI_abort () at abort.c:88
#3  0xb5ce740c in g_logv () from /usr/lib/libglib-2.0.so.0
#4  0xb5ce7436 in g_log () from /usr/lib/libglib-2.0.so.0
#5  0xb5ce592e in g_malloc () from /usr/lib/libglib-2.0.so.0
#6  0xb5cfdfce in g_memdup () from /usr/lib/libglib-2.0.so.0
#7  0xb6ab20cc in dissect_esp (tvb=0xa63b3a8, pinfo=0xbffd5cc4, tree=0xa386590)
    at packet-ipsec.c:2419
#8  0xb675a895 in call_dissector_through_handle (handle=0x9d383e8,
tvb=0xa63b3a8, 
    pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:376
#9  0xb675b06e in call_dissector_work (handle=0x9d383e8, tvb=0xa63b3a8, 
    pinfo_arg=0xbffd5cc4, tree=0xa386590, add_proto_name=1) at packet.c:467
#10 0xb675c279 in dissector_try_port_new (sub_dissectors=0x9d46760, port=50, 
    tvb=0xa63b3a8, pinfo=0xbffd5cc4, tree=0xa386590, add_proto_name=1)
    at packet.c:866
#11 0xb675c2e1 in dissector_try_port (sub_dissectors=0x9d46760, port=50, 
    tvb=0xa63b3a8, pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:892
#12 0xb6ab2841 in dissect_esp (tvb=0xa63b338, pinfo=0xbffd5cc4, tree=0xa386590)
    at packet-ipsec.c:2454
#13 0xb675a895 in call_dissector_through_handle (handle=0x9d383e8,
tvb=0xa63b338, 
    pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:376
#14 0xb675b06e in call_dissector_work (handle=0x9d383e8, tvb=0xa63b338, 
    pinfo_arg=0xbffd5cc4, tree=0xa386590, add_proto_name=1) at packet.c:467
#15 0xb675b20a in call_dissector (handle=0x9d383e8, tvb=0xa63b338, 
    pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:1796
#16 0xb6ab35dd in dissect_udpencap (tvb=0xa63b338, pinfo=0xbffd5cc4, 
    tree=0xa386590) at packet-ipsec-udp.c:81
#17 0xb675a895 in call_dissector_through_handle (handle=0xa118bb0,
tvb=0xa63b338, 
    pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:376
#18 0xb675b06e in call_dissector_work (handle=0xa118bb0, tvb=0xa63b338, 
    pinfo_arg=0xbffd5cc4, tree=0xa386590, add_proto_name=1) at packet.c:467
#19 0xb675c279 in dissector_try_port_new (sub_dissectors=0xa00af38, port=4500, 
    tvb=0xa63b338, pinfo=0xbffd5cc4, tree=0xa386590, add_proto_name=1)
    at packet.c:866
#20 0xb675c2e1 in dissector_try_port (sub_dissectors=0xa00af38, port=4500, 
    tvb=0xa63b338, pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:892
#21 0xb6d95bb4 in decode_udp_ports (tvb=0xa63b300, offset=8, pinfo=0xbffd5cc4, 
    tree=0xa386590, uh_sport=4500, uh_dport=4500, uh_ulen=124) at
packet-udp.c:286
#22 0xb6d96333 in dissect (tvb=0xa63b300, pinfo=0xbffd5cc4, tree=0xa386590, 
    ip_proto=17) at packet-udp.c:588
#23 0xb675a895 in call_dissector_through_handle (handle=0xa00aef8,
tvb=0xa63b300, 
    pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:376
#24 0xb675b06e in call_dissector_work (handle=0xa00aef8, tvb=0xa63b300, 
    pinfo_arg=0xbffd5cc4, tree=0xa386590, add_proto_name=1) at packet.c:467
#25 0xb675c279 in dissector_try_port_new (sub_dissectors=0x9d46760, port=17, 
    tvb=0xa63b300, pinfo=0xbffd5cc4, tree=0xa386590, add_proto_name=1)
    at packet.c:866
#26 0xb675c2e1 in dissector_try_port (sub_dissectors=0x9d46760, port=17, 
    tvb=0xa63b300, pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:892
#27 0xb6aa8e3e in dissect_ip (tvb=0xa63b2c8, pinfo=0xbffd5cc4, 
    parent_tree=0xa386590) at packet-ip.c:1668
#28 0xb675a895 in call_dissector_through_handle (handle=0x9d145f8,
tvb=0xa63b2c8, 
    pinfo=0xbffd5cc4, tree=0xa386590) at packet.c:376

Further investigation:

(gdb) frame 7
#7  0xb6ab20cc in dissect_esp (tvb=0xa63b3a8, pinfo=0xbffd5cc4, tree=0xa386590)
    at packet-ipsec.c:2419
2419                          tvb_decrypted = tvb_new_child_real_data(tvb,
g_memdup(decrypted_data+sizeof(guint8)*esp_iv_len,(decrypted_len -
esp_iv_len)*sizeof(guint8)), decrypted_len - esp_iv_len, decrypted_len -
esp_iv_len);
(gdb) p decrypted_len
$1 = 0
(gdb) p esp_iv_len
$3 = 16


which means decrypted_len - esp_iv len will render a negative value and thus
cause the problem.


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.