Wireshark-bugs: [Wireshark-bugs] [Bug 7568] New: Capture file that crashes wireshark in packet-r

Date: Fri, 3 Aug 2012 04:24:12 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7568

           Summary: Capture file that crashes wireshark in packet-rtps2.c
           Product: Wireshark
           Version: 1.8.1
          Platform: x86
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: laurentb@xxxxxxxxx


Created attachment 8894
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8894
capture triggering the crash

Build Information:
1.8.1
--
Hi,

Here is a PCAP file triggering a crash that could enable a remote party to
trigger (at least) a remote denial of service.

This was successfully tested on 1.8.1.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

Program received signal SIGABRT, Aborted.
0x0012d422 in __kernel_vsyscall ()
(gdb) bt
#0  0x0012d422 in __kernel_vsyscall ()
#1  0x02a90651 in *__GI_raise (sig=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x02a93a82 in *__GI_abort () at abort.c:92
#3  0x02ac706d in __libc_message (do_abort=2, fmt=0x2b9a095 "*** %s ***: %s
terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#4  0x02b482d0 in *__GI___fortify_fail (msg=<value optimized out>) at
fortify_fail.c:32
#5  0x02b4827a in __stack_chk_fail () at stack_chk_fail.c:29
#6  0x015474c4 in __stack_chk_fail_local () from
/home/laurent/wireshark-1.8.1/lib/libwireshark.so.2
#7  0x00e13e05 in rtps_util_add_bitmap (tree=<value optimized out>, tvb=<value
optimized out>, offset=40, little_endian=0, label=0x19e754f "gapList")
    at packet-rtps2.c:3145
#8  0x00e1f079 in dissect_GAP (tvb=0x87f5070, pinfo=0xbfffe424,
tree=0xb6914000) at packet-rtps2.c:7026
#9  dissect_rtps (tvb=0x87f5070, pinfo=0xbfffe424, tree=0xb6914000) at
packet-rtps2.c:8843
#10 0x0078898e in dissector_try_heuristic (sub_dissectors=0x8749b00,
tvb=0x87f5070, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:1727
#11 0x00f524f9 in decode_udp_ports (tvb=0x87f5038, offset=8, pinfo=0xbfffe424,
tree=0xb6914000, uh_sport=58018, uh_dport=7401, uh_ulen=132)
    at packet-udp.c:281
#12 0x00f52cda in dissect (tvb=<value optimized out>, pinfo=<value optimized
out>, tree=0xb6914000, ip_proto=17) at packet-udp.c:595
#13 0x00788786 in call_dissector_through_handle (handle=0x86cb010, tvb=<value
optimized out>, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:419
#14 0x00788fe9 in call_dissector_work (handle=0x86cb010, tvb=<value optimized
out>, pinfo_arg=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:510
#15 0x0078a38b in dissector_try_uint_new (sub_dissectors=0x83444a8,
uint_val=17, tvb=0x87f5038, pinfo=0xbfffe424, tree=0xb6914000,
add_proto_name=1)
    at packet.c:935
#16 0x0078a401 in dissector_try_uint (sub_dissectors=0x83444a8, uint_val=17,
tvb=0x87f5038, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:961
#17 0x00ba80f1 in dissect_ip (tvb=0x87f5000, pinfo=0xbfffe424,
parent_tree=0xb6914000) at packet-ip.c:2370
#18 0x00788786 in call_dissector_through_handle (handle=0x8345920, tvb=<value
optimized out>, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:419
#19 0x00788fe9 in call_dissector_work (handle=0x8345920, tvb=<value optimized
out>, pinfo_arg=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:510
#20 0x0078a38b in dissector_try_uint_new (sub_dissectors=0x8267a80,
uint_val=2048, tvb=0x87f5000, pinfo=0xbfffe424, tree=0xb6914000,
add_proto_name=1)
    at packet.c:935
#21 0x0078a401 in dissector_try_uint (sub_dissectors=0x8267a80, uint_val=2048,
tvb=0x87f5000, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:961
#22 0x00a49f65 in ethertype (etype=2048, tvb=0x87f4fa8, offset_after_etype=14,
pinfo=0xbfffe424, tree=0xb6914000, fh_tree=0xb6914168, etype_id=21582, 
    trailer_id=21586, fcs_len=-1) at packet-ethertype.c:270
#23 0x00a4894a in dissect_eth_common (tvb=0x87f4fa8, pinfo=0xbfffe424,
parent_tree=0xb6914000, fcs_len=-1) at packet-eth.c:403
#24 0x00788786 in call_dissector_through_handle (handle=0x8267a28, tvb=<value
optimized out>, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:419
#25 0x00788fe9 in call_dissector_work (handle=0x8267a28, tvb=<value optimized
out>, pinfo_arg=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:510
#26 0x0078a38b in dissector_try_uint_new (sub_dissectors=0x828b9e0, uint_val=1,
tvb=0x87f4fa8, pinfo=0xbfffe424, tree=0xb6914000, add_proto_name=1)
    at packet.c:935
#27 0x0078a401 in dissector_try_uint (sub_dissectors=0x828b9e0, uint_val=1,
tvb=0x87f4fa8, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:961
#28 0x00a8a859 in dissect_frame (tvb=0x87f4fa8, pinfo=0xbfffe424,
parent_tree=0xb6914000) at packet-frame.c:383
#29 0x00788786 in call_dissector_through_handle (handle=0x828bab0, tvb=<value
optimized out>, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:419
#30 0x00788fe9 in call_dissector_work (handle=0x828bab0, tvb=<value optimized
out>, pinfo_arg=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:510
#31 0x007891ea in call_dissector (handle=0x828bab0, tvb=0x87f4fa8,
pinfo=0xbfffe424, tree=0xb6914000) at packet.c:1996
#32 0x0078afa2 in dissect_packet (edt=0xbfffe41c, pseudo_header=0x88c5228,
pd=0x88ca9e0 "\001", fd=0xbfffe548, cinfo=0x0) at packet.c:350
#33 0x00780009 in epan_dissect_run (edt=0xbfffe41c, pseudo_header=0x88c5228,
data=0x88ca9e0 "\001", fd=0xbfffe548, cinfo=0x0) at epan.c:210
#34 0x0805d90b in process_packet (cf=0x8085300, offset=<value optimized out>,
whdr=0x88c51dc, pseudo_header=0x88c5228, pd=0x88ca9e0 "\001", 
    filtering_tap_listeners=0, tap_flags=<value optimized out>) at
tshark.c:3074
#35 0x08061503 in load_cap_file (argc=3, argv=0xbfffeb04) at tshark.c:2867
#36 main (argc=3, argv=0xbfffeb04) at tshark.c:1759
