Wireshark-bugs: [Wireshark-bugs] [Bug 7567] New: Capture file that crashes wireshark in packet-l
Date: Fri, 3 Aug 2012 04:22:45 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7567 Summary: Capture file that crashes wireshark in packet-ldp.c Product: Wireshark Version: 1.8.1 Platform: x86 OS/Version: All Status: NEW Severity: Critical Priority: Low Component: Wireshark AssignedTo: bugzilla-admin@xxxxxxxxxxxxx ReportedBy: laurentb@xxxxxxxxx Created attachment 8893 --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8893 capture triggering the crash Build Information: 1.8.1 -- Hi, Here is a PCAP file triggering a crash that could enable a remote party to trigger (a least) a remote denial of service. This was successfully tested on 1.8.1. This file was generated thanks to a fuzz testing campaign. Laurent Butti. Program received signal SIGSEGV, Segmentation fault. 0x00c1062e in dissect_subtlv_interface_parameters (tvb=0x87f50a8, offset=<value optimized out>, tree=0xb6914d08, rem=<value optimized out>, interface_parameters_hf=0x223a360) at packet-ldp.c:2873 2873 proto_tree_add_item(vcintparam_tree, *interface_parameters_hf[36], tvb, offset+2, 1, ENC_BIG_ENDIAN); (gdb) bt #0 0x00c1062e in dissect_subtlv_interface_parameters (tvb=0x87f50a8, offset=<value optimized out>, tree=0xb6914d08, rem=<value optimized out>, interface_parameters_hf=0x223a360) at packet-ldp.c:2873 #1 0x00c13cd3 in dissect_tlv (tvb=<value optimized out>, offset=66, tree=0xb6914990, rem=<value optimized out>) at packet-ldp.c:2477 #2 0x00c158f4 in dissect_msg (tvb=<value optimized out>, pinfo=<value optimized out>, tree=0xb6914000) at packet-ldp.c:2621 #3 dissect_ldp_pdu (tvb=<value optimized out>, pinfo=<value optimized out>, tree=0xb6914000) at packet-ldp.c:2666 #4 0x00c15e19 in dissect_ldp_tcp (tvb=0x87f5070, pinfo=0xbfffe424, tree=0xb6914000) at packet-ldp.c:3032 #5 0x007887c1 in call_dissector_through_handle (handle=0x8834bc8, tvb=0xb690c78e, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:415 #6 0x00788fe9 in call_dissector_work (handle=0x8834bc8, tvb=<value optimized out>, pinfo_arg=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:510 #7 0x0078a38b in dissector_try_uint_new (sub_dissectors=0x8589860, uint_val=646, tvb=0x87f5070, pinfo=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:935 #8 0x0078a401 in dissector_try_uint (sub_dissectors=0x8589860, uint_val=646, tvb=0x87f5070, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:961 #9 0x00f11007 in decode_tcp_ports (tvb=0x87f5038, offset=32, pinfo=0xbfffe424, tree=0xb6914000, src_port=65513, dst_port=646, tcpd=0xb6a84888) at packet-tcp.c:3876 #10 0x00f11862 in process_tcp_payload (tvb=<value optimized out>, offset=32, pinfo=0xbfffe424, tree=0xb6914000, tcp_tree=0xb69144c8, src_port=65513, dst_port=646, seq=0, nxtseq=0, is_tcp_segment=0, tcpd=0xb6a84888) at packet-tcp.c:3936 #11 0x00f11e0d in desegment_tcp (tvb=0x87f5038, pinfo=0xbfffe424, offset=32, seq=1, nxtseq=79, sport=65513, dport=646, tree=0xb6914000, tcp_tree=0xb69144c8, tcpd=0xb6a84888) at packet-tcp.c:1799 #12 dissect_tcp_payload (tvb=0x87f5038, pinfo=0xbfffe424, offset=32, seq=1, nxtseq=79, sport=65513, dport=646, tree=0xb6914000, tcp_tree=0xb69144c8, tcpd=0xb6a84888) at packet-tcp.c:4002 #13 0x00f13e5a in dissect_tcp (tvb=0x87f5038, pinfo=0xbfffe424, tree=0xb6914000) at packet-tcp.c:4750 #14 0x00788786 in call_dissector_through_handle (handle=0x8589848, tvb=<value optimized out>, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:419 #15 0x00788fe9 in call_dissector_work (handle=0x8589848, tvb=<value optimized out>, pinfo_arg=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:510 #16 0x0078a38b in dissector_try_uint_new (sub_dissectors=0x83444a8, uint_val=6, tvb=0x87f5038, pinfo=0xbfffe424, tree=0xb6914000, add_proto_name=1) ---Type <return> to continue, or q <return> to quit--- at packet.c:935 #17 0x0078a401 in dissector_try_uint (sub_dissectors=0x83444a8, uint_val=6, tvb=0x87f5038, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:961 #18 0x00ba80f1 in dissect_ip (tvb=0x87f5000, pinfo=0xbfffe424, parent_tree=0xb6914000) at packet-ip.c:2370 #19 0x00788786 in call_dissector_through_handle (handle=0x8345920, tvb=<value optimized out>, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:419 #20 0x00788fe9 in call_dissector_work (handle=0x8345920, tvb=<value optimized out>, pinfo_arg=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:510 #21 0x0078a38b in dissector_try_uint_new (sub_dissectors=0x8267a80, uint_val=2048, tvb=0x87f5000, pinfo=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:935 #22 0x0078a401 in dissector_try_uint (sub_dissectors=0x8267a80, uint_val=2048, tvb=0x87f5000, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:961 #23 0x00a49f65 in ethertype (etype=2048, tvb=0x87f4fa8, offset_after_etype=14, pinfo=0xbfffe424, tree=0xb6914000, fh_tree=0xb6914168, etype_id=21582, trailer_id=21586, fcs_len=-1) at packet-ethertype.c:270 #24 0x00a4894a in dissect_eth_common (tvb=0x87f4fa8, pinfo=0xbfffe424, parent_tree=0xb6914000, fcs_len=-1) at packet-eth.c:403 #25 0x00788786 in call_dissector_through_handle (handle=0x8267a28, tvb=<value optimized out>, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:419 #26 0x00788fe9 in call_dissector_work (handle=0x8267a28, tvb=<value optimized out>, pinfo_arg=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:510 #27 0x0078a38b in dissector_try_uint_new (sub_dissectors=0x828b9e0, uint_val=1, tvb=0x87f4fa8, pinfo=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:935 #28 0x0078a401 in dissector_try_uint (sub_dissectors=0x828b9e0, uint_val=1, tvb=0x87f4fa8, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:961 #29 0x00a8a859 in dissect_frame (tvb=0x87f4fa8, pinfo=0xbfffe424, parent_tree=0xb6914000) at packet-frame.c:383 #30 0x00788786 in call_dissector_through_handle (handle=0x828bab0, tvb=<value optimized out>, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:419 #31 0x00788fe9 in call_dissector_work (handle=0x828bab0, tvb=<value optimized out>, pinfo_arg=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:510 #32 0x007891ea in call_dissector (handle=0x828bab0, tvb=0x87f4fa8, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:1996 #33 0x0078afa2 in dissect_packet (edt=0xbfffe41c, pseudo_header=0x88c5228, pd=0x88ca9e0 "", fd=0xbfffe548, cinfo=0x0) at packet.c:350 #34 0x00780009 in epan_dissect_run (edt=0xbfffe41c, pseudo_header=0x88c5228, data=0x88ca9e0 "", fd=0xbfffe548, cinfo=0x0) at epan.c:210 #35 0x0805d90b in process_packet (cf=0x8085300, offset=<value optimized out>, whdr=0x88c51dc, pseudo_header=0x88c5228, pd=0x88ca9e0 "", ---Type <return> to continue, or q <return> to quit--- filtering_tap_listeners=0, tap_flags=<value optimized out>) at tshark.c:3074 #36 0x08061503 in load_cap_file (argc=3, argv=0xbfffeb04) at tshark.c:2867 #37 main (argc=3, argv=0xbfffeb04) at tshark.c:1759 -- Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
- Follow-Ups:
- [Wireshark-bugs] [Bug 7567] Capture file that crashes wireshark in packet-ldp.c
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 7567] Capture file that crashes wireshark in packet-ldp.c
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 7567] Capture file that crashes wireshark in packet-ldp.c
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 7567] Capture file that crashes wireshark in packet-ldp.c
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 7567] Capture file that crashes wireshark in packet-ldp.c
- Prev by Date: [Wireshark-bugs] [Bug 7566] New: Capture file that crashes wireshark in packet-dcp-etsi.c
- Next by Date: [Wireshark-bugs] [Bug 7568] New: Capture file that crashes wireshark in packet-rtps2.c
- Previous by thread: [Wireshark-bugs] [Bug 7566] Capture file that crashes wireshark in packet-dcp-etsi.c
- Next by thread: [Wireshark-bugs] [Bug 7567] Capture file that crashes wireshark in packet-ldp.c
- Index(es):