Wireshark-bugs: [Wireshark-bugs] [Bug 8111] New: DTLS dissector crash

Date: Thu, 20 Dec 2012 20:24:14 +0000
Bug ID 8111
Summary DTLS dissector crash
Classification Unclassified
Product Wireshark
Version 1.8.4
Hardware x86-64
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Wireshark
Assignee [email protected]
Reporter [email protected]

Created attachment 9725 [details]
crashfile

Build Information:

--
Hi,

Here is a PCAP file triggering an SIGSEGV that could enable (at least) a remote
party to trigger a denial of service.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

--

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2ef3782 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007ffff2ef3782 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff51991d9 in fragment_add_work (fd_head=0x1556ac0, tvb=0x15eae40,
offset=25, frag_offset=<optimized out>, frag_data_len=109, more_frags=1, 
    pinfo=<optimized out>) at reassemble.c:721
#2  0x00007ffff51996bc in fragment_add_common (tvb=0x15eae40, offset=25,
pinfo=0x7fffffffd520, id=<optimized out>, fragment_table=0x15d6c00, 
    frag_offset=10354688, frag_data_len=109, more_frags=1,
check_already_added=1) at reassemble.c:961
#3  0x00007ffff5199b20 in fragment_add (tvb=<optimized out>, offset=<optimized
out>, pinfo=<optimized out>, id=<optimized out>, 
    fragment_table=<optimized out>, frag_offset=<optimized out>,
frag_data_len=109, more_frags=1) at reassemble.c:980
#4  0x00007ffff537e22c in dissect_dtls_handshake (tvb=<optimized out>,
pinfo=0x7fffffffd520, tree=0x7ffff7fefcf0, offset=13, record_length=95, 
    conv_version=0x7fffecfcdc38, ssl=0x7fffecfcd9c0, content_type=22 '\026') at
packet-dtls.c:1228
#5  0x00007ffff537fc24 in dissect_dtls_record (tvb=0x15eae40,
pinfo=0x7fffffffd520, tree=<optimized out>, offset=13,
conv_version=0x7fffecfcdc38, 
    ssl=0x7fffecfcd9c0) at packet-dtls.c:908
#6  0x00007ffff537fe59 in dissect_dtls (tvb=0x15eae40, pinfo=0x7fffffffd520,
tree=<optimized out>) at packet-dtls.c:509
#7  0x00007ffff517d180 in call_dissector_through_handle (handle=0x9b4a60,
tvb=0x15eae40, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#8  0x00007ffff517d865 in call_dissector_work (handle=0x9b4a60, tvb=0x15eae40,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
    at packet.c:524
#9  0x00007ffff517f5a1 in call_dissector (handle=<optimized out>,
tvb=0x15eae40,
pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:2050
#10 0x00007ffff52b265f in dissect_capwap_control (tvb=0x15fd400,
pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet-capwap.c:1365
#11 0x00007ffff517d1bb in call_dissector_through_handle (handle=0x7633f0,
tvb=0x15fd400, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:429
#12 0x00007ffff517d865 in call_dissector_work (handle=0x7633f0, tvb=0x15fd400,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
    at packet.c:524
#13 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=5246, tvb=0x15fd400, pinfo=0x7fffffffd520, tree=0x7ffff7fef000, 
    add_proto_name=1) at packet.c:943
#14 0x00007ffff579b3b5 in decode_udp_ports (tvb=<optimized out>,
offset=<optimized out>, pinfo=0x7fffffffd520, tree=0x7ffff7fef000,
uh_sport=5246, 
    uh_dport=32768, uh_ulen=1484) at packet-udp.c:273
#15 0x00007ffff579b9c3 in dissect (tvb=0x15fd460, pinfo=0x7fffffffd520,
tree=0x7ffff7fef000, ip_proto=<optimized out>) at packet-udp.c:595
#16 0x00007ffff517d180 in call_dissector_through_handle (handle=0x1207a70,
tvb=0x15fd460, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#17 0x00007ffff517d865 in call_dissector_work (handle=0x1207a70, tvb=0x15fd460,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
    at packet.c:524
#18 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=17, tvb=0x15fd460, pinfo=0x7fffffffd520, tree=0x7ffff7fef000, 
    add_proto_name=1) at packet.c:943
#19 0x00007ffff54bfe6b in dissect_ip (tvb=0x15fd4c0, pinfo=<optimized out>,
parent_tree=0x7ffff7fef000) at packet-ip.c:2396
#20 0x00007ffff517d180 in call_dissector_through_handle (handle=0xb99b30,
tvb=0x15fd4c0, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#21 0x00007ffff517d865 in call_dissector_work (handle=0xb99b30, tvb=0x15fd4c0,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
    at packet.c:524
#22 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=2048, tvb=0x15fd4c0, pinfo=0x7fffffffd520, tree=0x7ffff7fef000, 
    add_proto_name=1) at packet.c:943
#23 0x00007ffff53adffa in ethertype (etype=2048, tvb=0x15fd520,
offset_after_etype=14, pinfo=0x7fffffffd520, tree=0x7ffff7fef000,
fh_tree=0x7ffff7fef3c0, 
    etype_id=21641, trailer_id=21645, fcs_len=-1) at packet-ethertype.c:270
#24 0x00007ffff53acabc in dissect_eth_common (tvb=0x15fd520,
pinfo=0x7fffffffd520, parent_tree=0x7ffff7fef000, fcs_len=-1) at
packet-eth.c:403
#25 0x00007ffff517d180 in call_dissector_through_handle (handle=0x9e2820,
tvb=0x15fd520, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#26 0x00007ffff517d865 in call_dissector_work (handle=0x9e2820, tvb=0x15fd520,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
    at packet.c:524
#27 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=1, tvb=0x15fd520, pinfo=0x7fffffffd520, tree=0x7ffff7fef000, 
    add_proto_name=1) at packet.c:943
#28 0x00007ffff53dfc1b in dissect_frame (tvb=0x15fd520, pinfo=0x7fffffffd520,
parent_tree=0x7ffff7fef000) at packet-frame.c:383
#29 0x00007ffff517d180 in call_dissector_through_handle (handle=0xa2a740,
tvb=0x15fd520, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#30 0x00007ffff517d865 in call_dissector_work (handle=0xa2a740, tvb=0x15fd520,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
    at packet.c:524
#31 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>,
tvb=0x15fd520,
pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:2050
#32 0x00007ffff517f9b4 in dissect_packet (edt=0x7fffffffd510,
pseudo_header=0x0,
pd=0x15fc0b0 "", fd=0x7fffffffd6b0, cinfo=0x0) at packet.c:364
#33 0x000000000041ad8b in process_packet (cf=0x6449e0, offset=<optimized out>,
whdr=<optimized out>, pseudo_header=0x15cf328, pd=0x15fc0b0 "", 
---Type <return> to continue, or q <return> to quit---
    filtering_tap_listeners=<optimized out>, tap_flags=4) at tshark.c:3106
#34 0x000000000040dc5f in load_cap_file (max_byte_count=0,
max_packet_count=-34,
out_file_name_res=0, out_file_type=2, save_file=0x0, cf=<optimized out>)
    at tshark.c:2899
#35 main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1791
(gdb) info registers
rax            0x15fc0f7    23052535
rbx            0x1556ac0    22375104
rcx            0x6d 109
rdx            0x6d 109
rsi            0xffffffffff61ee07   -10359289
rdi            0x1fdd2f0    33411824
rbp            0x19 0x19
rsp            0x7fffffffc3f8   0x7fffffffc3f8
r8             0x0  0
r9             0x7fffffffc3a4   140737488339876
r10            0x6d 109
r11            0x1fdd35d    33411933
r12            0x15eae40    22982208
r13            0x7fffffffd530   140737488344368
r14            0x1601290    23073424
r15            0x6d 109
rip            0x7ffff2ef3782   0x7ffff2ef3782
eflags         0x10202  [ IF RF ]
cs             0x33 51
ss             0x2b 43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0
(gdb) python import exploitable
(gdb) exploitable
Description: Access violation on source operand
Short description: SourceAv (18/21)
Hash: 8ac36a471d38e9d6db94e02ccae34eb7.0935f1e8c61e0e5e03841d77046c8fe5
Exploitability Classification: UNKNOWN
Explanation: The target crashed on an access violation at an address matching
the source operand of the current instruction. This likely indicates a read
access violation.
Other tags: AccessViolation (20/21)


You are receiving this mail because:
  • You are watching all bug changes.