Created attachment 9725 [details]
crashfile
Build Information:
--
Hi,
Here is a PCAP file that triggers a SIGSEGV; this could allow (at least) a remote
party to cause a denial of service.
This file was generated by a fuzz-testing campaign.
Laurent Butti.
--
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2ef3782 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff2ef3782 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff51991d9 in fragment_add_work (fd_head=0x1556ac0, tvb=0x15eae40,
offset=25, frag_offset=<optimized out>, frag_data_len=109, more_frags=1,
pinfo=<optimized out>) at reassemble.c:721
#2 0x00007ffff51996bc in fragment_add_common (tvb=0x15eae40, offset=25,
pinfo=0x7fffffffd520, id=<optimized out>, fragment_table=0x15d6c00,
frag_offset=10354688, frag_data_len=109, more_frags=1,
check_already_added=1) at reassemble.c:961
#3 0x00007ffff5199b20 in fragment_add (tvb=<optimized out>, offset=<optimized
out>, pinfo=<optimized out>, id=<optimized out>,
fragment_table=<optimized out>, frag_offset=<optimized out>,
frag_data_len=109, more_frags=1) at reassemble.c:980
#4 0x00007ffff537e22c in dissect_dtls_handshake (tvb=<optimized out>,
pinfo=0x7fffffffd520, tree=0x7ffff7fefcf0, offset=13, record_length=95,
conv_version=0x7fffecfcdc38, ssl=0x7fffecfcd9c0, content_type=22 '\026') at
packet-dtls.c:1228
#5 0x00007ffff537fc24 in dissect_dtls_record (tvb=0x15eae40,
pinfo=0x7fffffffd520, tree=<optimized out>, offset=13,
conv_version=0x7fffecfcdc38,
ssl=0x7fffecfcd9c0) at packet-dtls.c:908
#6 0x00007ffff537fe59 in dissect_dtls (tvb=0x15eae40, pinfo=0x7fffffffd520,
tree=<optimized out>) at packet-dtls.c:509
#7 0x00007ffff517d180 in call_dissector_through_handle (handle=0x9b4a60,
tvb=0x15eae40, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#8 0x00007ffff517d865 in call_dissector_work (handle=0x9b4a60, tvb=0x15eae40,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
at packet.c:524
#9 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>,
tvb=0x15eae40,
pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:2050
#10 0x00007ffff52b265f in dissect_capwap_control (tvb=0x15fd400,
pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet-capwap.c:1365
#11 0x00007ffff517d1bb in call_dissector_through_handle (handle=0x7633f0,
tvb=0x15fd400, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:429
#12 0x00007ffff517d865 in call_dissector_work (handle=0x7633f0, tvb=0x15fd400,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
at packet.c:524
#13 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=5246, tvb=0x15fd400, pinfo=0x7fffffffd520, tree=0x7ffff7fef000,
add_proto_name=1) at packet.c:943
#14 0x00007ffff579b3b5 in decode_udp_ports (tvb=<optimized out>,
offset=<optimized out>, pinfo=0x7fffffffd520, tree=0x7ffff7fef000,
uh_sport=5246,
uh_dport=32768, uh_ulen=1484) at packet-udp.c:273
#15 0x00007ffff579b9c3 in dissect (tvb=0x15fd460, pinfo=0x7fffffffd520,
tree=0x7ffff7fef000, ip_proto=<optimized out>) at packet-udp.c:595
#16 0x00007ffff517d180 in call_dissector_through_handle (handle=0x1207a70,
tvb=0x15fd460, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#17 0x00007ffff517d865 in call_dissector_work (handle=0x1207a70, tvb=0x15fd460,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
at packet.c:524
#18 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=17, tvb=0x15fd460, pinfo=0x7fffffffd520, tree=0x7ffff7fef000,
add_proto_name=1) at packet.c:943
#19 0x00007ffff54bfe6b in dissect_ip (tvb=0x15fd4c0, pinfo=<optimized out>,
parent_tree=0x7ffff7fef000) at packet-ip.c:2396
#20 0x00007ffff517d180 in call_dissector_through_handle (handle=0xb99b30,
tvb=0x15fd4c0, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#21 0x00007ffff517d865 in call_dissector_work (handle=0xb99b30, tvb=0x15fd4c0,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
at packet.c:524
#22 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=2048, tvb=0x15fd4c0, pinfo=0x7fffffffd520, tree=0x7ffff7fef000,
add_proto_name=1) at packet.c:943
#23 0x00007ffff53adffa in ethertype (etype=2048, tvb=0x15fd520,
offset_after_etype=14, pinfo=0x7fffffffd520, tree=0x7ffff7fef000,
fh_tree=0x7ffff7fef3c0,
etype_id=21641, trailer_id=21645, fcs_len=-1) at packet-ethertype.c:270
#24 0x00007ffff53acabc in dissect_eth_common (tvb=0x15fd520,
pinfo=0x7fffffffd520, parent_tree=0x7ffff7fef000, fcs_len=-1) at
packet-eth.c:403
#25 0x00007ffff517d180 in call_dissector_through_handle (handle=0x9e2820,
tvb=0x15fd520, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#26 0x00007ffff517d865 in call_dissector_work (handle=0x9e2820, tvb=0x15fd520,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
at packet.c:524
#27 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=1, tvb=0x15fd520, pinfo=0x7fffffffd520, tree=0x7ffff7fef000,
add_proto_name=1) at packet.c:943
#28 0x00007ffff53dfc1b in dissect_frame (tvb=0x15fd520, pinfo=0x7fffffffd520,
parent_tree=0x7ffff7fef000) at packet-frame.c:383
#29 0x00007ffff517d180 in call_dissector_through_handle (handle=0xa2a740,
tvb=0x15fd520, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#30 0x00007ffff517d865 in call_dissector_work (handle=0xa2a740, tvb=0x15fd520,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
at packet.c:524
#31 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>,
tvb=0x15fd520,
pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:2050
#32 0x00007ffff517f9b4 in dissect_packet (edt=0x7fffffffd510,
pseudo_header=0x0,
pd=0x15fc0b0 "", fd=0x7fffffffd6b0, cinfo=0x0) at packet.c:364
#33 0x000000000041ad8b in process_packet (cf=0x6449e0, offset=<optimized out>,
whdr=<optimized out>, pseudo_header=0x15cf328, pd=0x15fc0b0 "",
filtering_tap_listeners=<optimized out>, tap_flags=4) at tshark.c:3106
#34 0x000000000040dc5f in load_cap_file (max_byte_count=0,
max_packet_count=-34,
out_file_name_res=0, out_file_type=2, save_file=0x0, cf=<optimized out>)
at tshark.c:2899
#35 main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1791
(gdb) info registers
rax 0x15fc0f7 23052535
rbx 0x1556ac0 22375104
rcx 0x6d 109
rdx 0x6d 109
rsi 0xffffffffff61ee07 -10359289
rdi 0x1fdd2f0 33411824
rbp 0x19 0x19
rsp 0x7fffffffc3f8 0x7fffffffc3f8
r8 0x0 0
r9 0x7fffffffc3a4 140737488339876
r10 0x6d 109
r11 0x1fdd35d 33411933
r12 0x15eae40 22982208
r13 0x7fffffffd530 140737488344368
r14 0x1601290 23073424
r15 0x6d 109
rip 0x7ffff2ef3782 0x7ffff2ef3782
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) python import exploitable
(gdb) exploitable
Description: Access violation on source operand
Short description: SourceAv (18/21)
Hash: 8ac36a471d38e9d6db94e02ccae34eb7.0935f1e8c61e0e5e03841d77046c8fe5
Exploitability Classification: UNKNOWN
Explanation: The target crashed on an access violation at an address matching
the source operand of the current instruction. This likely indicates a read
access violation.
Other tags: AccessViolation (20/21)