Wireshark-bugs: [Wireshark-bugs] [Bug 5908] New: http decoder corruption - double free

Date: Thu, 12 May 2011 01:34:28 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5908

           Summary: http decoder corruption - double free
           Product: Wireshark
           Version: 1.4.6
          Platform: x86
        OS/Version: Ubuntu
            Status: NEW
          Severity: Critical
          Priority: High
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: dmaciejak@xxxxxxxxxxxx
             Group: private


Created an attachment (id=6330)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=6330)
poc

Build Information:
TShark 1.4.6

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GLib 2.28.6, with libpcap 1.0.0, with libz 1.2.3.4, with
POSIX capabilities (Linux), without libpcre, with SMI 0.4.8, with c-ares 1.7.3,
with Lua 5.1, without Python, with GnuTLS 2.8.6, with Gcrypt 1.4.6, with MIT
Kerberos, with GeoIP.

Running on Linux 2.6.38-8-generic, with libpcap version 1.0.0, with libz
1.2.3.4.

Built using gcc 4.5.2.

--
Hi guys,

Just playing with pcaps and came across a crash; see the gdb trace below.
I can reproduce it on Linux but not on Windows. Wireshark is also crashing and
freezing as soon as the pcap is opened. I did not dig into it; as it's a double
free, maybe it's exploitable. See the PoC enclosed.

Please check if you already know this issue; if it's not the case, I will assign
a Fortinet id ref number.

thx,
David Maciejak of Fortinet's FortiGuard Labs.



*** glibc detected *** /usr/bin/tshark: double free or corruption (!prev): 0x00aa3208 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x6b961)[0xb5bd3961]
/lib/i386-linux-gnu/libc.so.6(+0x6d28b)[0xb5bd528b]
/lib/i386-linux-gnu/libc.so.6(cfree+0x6d)[0xb5bd841d]
/lib/i386-linux-gnu/libglib-2.0.so.0(g_free+0x36)[0xb5d98c86]
/usr/lib/libwireshark.so.0(tvb_uncompress+0x1cc)[0xb6390ffc]
/usr/lib/libwireshark.so.0(tvb_child_uncompress+0x30)[0xb63913e0]
/usr/lib/libwireshark.so.0(+0x849dad)[0xb6676dad]
/usr/lib/libwireshark.so.0(+0x84a2f2)[0xb66772f2]
/usr/lib/libwireshark.so.0(+0x530e26)[0xb635de26]
/usr/lib/libwireshark.so.0(+0x53148c)[0xb635e48c]
/usr/lib/libwireshark.so.0(dissector_try_port_new+0x53)[0xb635ecd3]
/usr/lib/libwireshark.so.0(dissector_try_port+0x41)[0xb635ed31]
/usr/lib/libwireshark.so.0(decode_tcp_ports+0x2af)[0xb6994e0f]
/usr/lib/libwireshark.so.0(+0xb680ea)[0xb69950ea]
/usr/lib/libwireshark.so.0(dissect_tcp_payload+0x56a)[0xb69958da]
/usr/lib/libwireshark.so.0(+0xb69d5c)[0xb6996d5c]
/usr/lib/libwireshark.so.0(+0x530e26)[0xb635de26]
/usr/lib/libwireshark.so.0(+0x53148c)[0xb635e48c]
/usr/lib/libwireshark.so.0(dissector_try_port_new+0x53)[0xb635ecd3]
/usr/lib/libwireshark.so.0(dissector_try_port+0x41)[0xb635ed31]
/usr/lib/libwireshark.so.0(+0x8916c5)[0xb66be6c5]
/usr/lib/libwireshark.so.0(+0x530e26)[0xb635de26]
/usr/lib/libwireshark.so.0(+0x53148c)[0xb635e48c]
/usr/lib/libwireshark.so.0(dissector_try_port_new+0x53)[0xb635ecd3]
/usr/lib/libwireshark.so.0(dissector_try_port+0x41)[0xb635ed31]
/usr/lib/libwireshark.so.0(ethertype+0x47d)[0xb65b55dd]
/usr/lib/libwireshark.so.0(+0x7871e5)[0xb65b41e5]
/usr/lib/libwireshark.so.0(+0x530e26)[0xb635de26]
/usr/lib/libwireshark.so.0(+0x53148c)[0xb635e48c]
/usr/lib/libwireshark.so.0(dissector_try_port_new+0x53)[0xb635ecd3]
/usr/lib/libwireshark.so.0(dissector_try_port+0x41)[0xb635ed31]
/usr/lib/libwireshark.so.0(+0x7c6339)[0xb65f3339]
/usr/lib/libwireshark.so.0(+0x530e26)[0xb635de26]
/usr/lib/libwireshark.so.0(+0x53148c)[0xb635e48c]
/usr/lib/libwireshark.so.0(call_dissector+0x3a)[0xb636025a]
/usr/lib/libwireshark.so.0(dissect_packet+0x2a9)[0xb63605b9]
/usr/lib/libwireshark.so.0(epan_dissect_run+0x3e)[0xb635461e]
/usr/bin/tshark(+0x231a1)[0x1331a1]
/usr/bin/tshark(main+0x2049)[0x135819]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0xb5b7ee37]
/usr/bin/tshark(+0x7af1)[0x117af1]
======= Memory map: ========
Program received signal SIGABRT, Aborted.
0xb7fe1416 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fe1416 in __kernel_vsyscall ()
#1  0xb5b92e71 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xb5b9634e in abort () at abort.c:92
#3  0xb5bc9577 in __libc_message (do_abort=2, fmt=0xb5ca28ac "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#4  0xb5bd3961 in malloc_printerr (action=<value optimized out>, str=<value optimized out>, ptr=0xaa3208) at malloc.c:6283
#5  0xb5bd528b in _int_free (av=<value optimized out>, p=0xaa3200) at malloc.c:4795
#6  0xb5bd841d in __libc_free (mem=0xaa3208) at malloc.c:3738
#7  0xb5d98c86 in g_free (mem=0xaa3208) at /build/buildd/glib2.0-2.28.6/./glib/gmem.c:263
#8  0xb6390ffc in tvb_uncompress () from /usr/lib/libwireshark.so.0
#9  0xb63913e0 in tvb_child_uncompress () from /usr/lib/libwireshark.so.0
#10 0xb6676dad in ?? () from /usr/lib/libwireshark.so.0
#11 0xb66772f2 in ?? () from /usr/lib/libwireshark.so.0
#12 0xb635de26 in ?? () from /usr/lib/libwireshark.so.0
#13 0xb635e48c in ?? () from /usr/lib/libwireshark.so.0
#14 0xb635ecd3 in dissector_try_port_new () from /usr/lib/libwireshark.so.0
#15 0xb635ed31 in dissector_try_port () from /usr/lib/libwireshark.so.0
#16 0xb6994e0f in decode_tcp_ports () from /usr/lib/libwireshark.so.0
#17 0xb69950ea in ?? () from /usr/lib/libwireshark.so.0
#18 0xb69958da in dissect_tcp_payload () from /usr/lib/libwireshark.so.0
#19 0xb6996d5c in ?? () from /usr/lib/libwireshark.so.0
#20 0xb635de26 in ?? () from /usr/lib/libwireshark.so.0
#21 0xb635e48c in ?? () from /usr/lib/libwireshark.so.0
#22 0xb635ecd3 in dissector_try_port_new () from /usr/lib/libwireshark.so.0
#23 0xb635ed31 in dissector_try_port () from /usr/lib/libwireshark.so.0
#24 0xb66be6c5 in ?? () from /usr/lib/libwireshark.so.0
#25 0xb635de26 in ?? () from /usr/lib/libwireshark.so.0
#26 0xb635e48c in ?? () from /usr/lib/libwireshark.so.0
#27 0xb635ecd3 in dissector_try_port_new () from /usr/lib/libwireshark.so.0
#28 0xb635ed31 in dissector_try_port () from /usr/lib/libwireshark.so.0
#29 0xb65b55dd in ethertype () from /usr/lib/libwireshark.so.0
#30 0xb65b41e5 in ?? () from /usr/lib/libwireshark.so.0
#31 0xb635de26 in ?? () from /usr/lib/libwireshark.so.0
#32 0xb635e48c in ?? () from /usr/lib/libwireshark.so.0
#33 0xb635ecd3 in dissector_try_port_new () from /usr/lib/libwireshark.so.0
#34 0xb635ed31 in dissector_try_port () from /usr/lib/libwireshark.so.0
#35 0xb65f3339 in ?? () from /usr/lib/libwireshark.so.0
#36 0xb635de26 in ?? () from /usr/lib/libwireshark.so.0
#37 0xb635e48c in ?? () from /usr/lib/libwireshark.so.0
#38 0xb636025a in call_dissector () from /usr/lib/libwireshark.so.0
#39 0xb63605b9 in dissect_packet () from /usr/lib/libwireshark.so.0
#40 0xb635461e in epan_dissect_run () from /usr/lib/libwireshark.so.0
#41 0x001331a1 in ?? ()
#42 0x00135819 in main ()
