Wireshark-bugs: [Wireshark-bugs] [Bug 8110] New: CLNP dissector crash

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Thu, 20 Dec 2012 20:22:25 +0000
Bug ID 8110
Summary CLNP dissector crash
Classification Unclassified
Product Wireshark
Version 1.8.4
Hardware x86-64
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Wireshark
Assignee [email protected]
Reporter [email protected] 

Created attachment 9724 [details]
crashfile

Build Information:

--
Hi,

Here is a PCAP file triggering an SIGSEGV that could enable (at least) a remote
party to trigger a denial of service.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

--
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2eb09f2 in vfprintf () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007ffff2eb09f2 in vfprintf () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff2f70d80 in __vsnprintf_chk () from
/lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff5188d9f in proto_tree_set_representation (pi=<optimized out>,
format=0x7ffff5d32208 "Holding Time : %u (%u.%u secs)", ap=0x7fffff7ff618)
    at proto.c:3652
#3  0x00007ffff518f8e5 in proto_tree_add_uint_format (tree=<optimized out>,
hfindex=<optimized out>, tvb=<optimized out>, start=<optimized out>, 
    length=<optimized out>, value=<optimized out>, format=0x7ffff5d32208
"Holding Time : %u (%u.%u secs)") at proto.c:2985
#4  0x00007ffff52da0c8 in dissect_clnp (tvb=0x1895700, pinfo=0x7fffffffd520,
tree=0x7fffe7d88960) at packet-clnp.c:260
#5  0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40,
tvb=0x1895700, pinfo=0x7fffffffd520, tree=0x7fffe7d88960) at packet.c:433
#6  0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40,
tvb=0x1895700, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d88960) at packet.c:589
#7  0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x1895700,
pinfo_arg=0x7fffffffd520, tree=0x7fffe7d88960, add_proto_name=1)
    at packet.c:519
#8  0x00007ffff517f5a1 in call_dissector (handle=<optimized out>,
tvb=0x1895700,
pinfo=0x7fffffffd520, tree=0x7fffe7d88960) at packet.c:2050
#9  0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>,
pinfo=0x7fffffffd520, tree=0x7fffe7d88600) at packet-clnp.c:529
#10 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40,
tvb=0x18956a0, pinfo=0x7fffffffd520, tree=0x7fffe7d88600) at packet.c:433
#11 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40,
tvb=0x18956a0, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d88600) at packet.c:589
#12 0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x18956a0,
pinfo_arg=0x7fffffffd520, tree=0x7fffe7d88600, add_proto_name=1)
    at packet.c:519
#13 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>,
tvb=0x18956a0,
pinfo=0x7fffffffd520, tree=0x7fffe7d88600) at packet.c:2050
#14 0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>,
pinfo=0x7fffffffd520, tree=0x7fffe7d882a0) at packet-clnp.c:529
#15 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40,
tvb=0x1895640, pinfo=0x7fffffffd520, tree=0x7fffe7d882a0) at packet.c:433
#16 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40,
tvb=0x1895640, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d882a0) at packet.c:589
#17 0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x1895640,
pinfo_arg=0x7fffffffd520, tree=0x7fffe7d882a0, add_proto_name=1)
    at packet.c:519
#18 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>,
tvb=0x1895640,
pinfo=0x7fffffffd520, tree=0x7fffe7d882a0) at packet.c:2050
#19 0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>,
pinfo=0x7fffffffd520, tree=0x7fffe7d96f20) at packet-clnp.c:529
#20 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40,
tvb=0x18955e0, pinfo=0x7fffffffd520, tree=0x7fffe7d96f20) at packet.c:433
#21 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40,
tvb=0x18955e0, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96f20) at packet.c:589
#22 0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x18955e0,
pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96f20, add_proto_name=1)
    at packet.c:519
#23 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>,
tvb=0x18955e0,
pinfo=0x7fffffffd520, tree=0x7fffe7d96f20) at packet.c:2050
#24 0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>,
pinfo=0x7fffffffd520, tree=0x7fffe7d96bc0) at packet-clnp.c:529
#25 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40,
tvb=0x1895580, pinfo=0x7fffffffd520, tree=0x7fffe7d96bc0) at packet.c:433
#26 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40,
tvb=0x1895580, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96bc0) at packet.c:589
#27 0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x1895580,
pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96bc0, add_proto_name=1)
    at packet.c:519
#28 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>,
tvb=0x1895580,
pinfo=0x7fffffffd520, tree=0x7fffe7d96bc0) at packet.c:2050
#29 0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>,
pinfo=0x7fffffffd520, tree=0x7fffe7d96860) at packet-clnp.c:529
#30 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40,
tvb=0x1895520, pinfo=0x7fffffffd520, tree=0x7fffe7d96860) at packet.c:433
#31 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40,
tvb=0x1895520, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96860) at packet.c:589
#32 0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x1895520,
pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96860, add_proto_name=1)
    at packet.c:519
#33 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>,
tvb=0x1895520,
pinfo=0x7fffffffd520, tree=0x7fffe7d96860) at packet.c:2050
#34 0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>,
pinfo=0x7fffffffd520, tree=0x7fffe7d96500) at packet-clnp.c:529
#35 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40,
tvb=0x18954c0, pinfo=0x7fffffffd520, tree=0x7fffe7d96500) at packet.c:433
#36 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40,
tvb=0x18954c0, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96500) at packet.c:589
#37 0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x18954c0,
pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96500, add_proto_name=1)
    at packet.c:519
#38 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>,
tvb=0x18954c0,
pinfo=0x7fffffffd520, tree=0x7fffe7d96500) at packet.c:2050
#39 0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>,
pinfo=0x7fffffffd520, tree=0x7fffe7d961a0) at packet-clnp.c:529
#40 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40,
tvb=0x1895460, pinfo=0x7fffffffd520, tree=0x7fffe7d961a0) at packet.c:433
#41 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40,
tvb=0x1895460, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d961a0) at packet.c:589
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) info registers
rax            0xfffffff5   4294967285
rbx            0x7fffff7ff480   140737479963776
rcx            0x0  0
rdx            0x7fffff7ff618   140737479964184
rsi            0x7ffff5d32208   140737317642760
rdi            0x7fffff7ff480   140737479963776
rbp            0x7fffff7ff470   0x7fffff7ff470
rsp            0x7fffff7fee10   0x7fffff7fee10
r8             0x0  0
r9             0x7fffff7ff618   140737479964184
r10            0x25e6   9702
r11            0x1  1
r12            0x7fffff7ff618   140737479964184
r13            0x7ffff5d32208   140737317642760
r14            0xef 239
r15            0x7ffff5d32208   140737317642760
rip            0x7ffff2eb09f2   0x7ffff2eb09f2 <vfprintf+50>
eflags         0x10202  [ IF RF ]
cs             0x33 51
ss             0x2b 43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0

You are receiving this mail because:
  • You are watching all bug changes.