Wireshark-bugs: [Wireshark-bugs] [Bug 8380] New: dissect_dtls dissector crash

Date: Fri, 22 Feb 2013 14:17:17 +0000
Bug ID: 8380
Summary: dissect_dtls dissector crash
Classification: Unclassified
Product: Wireshark
Version: 1.8.5
Hardware: x86-64
OS: Linux (other)
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: TShark
Assignee: [email protected]
Reporter: [email protected]

Created attachment 10090: dissect_dtls_handshake.pcap

Build Information:
TShark 1.8.5 (SVN Rev Unknown from unknown)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without
POSIX capabilities, without SMI, without c-ares, without ADNS, with Lua 5.1,
without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos,
without GeoIP.

Running on Linux 3.2.0-30-generic, with locale en_US.UTF-8, with libpcap
version 1.1.1, with libz 1.2.3.4.

Built using gcc 4.6.3.
--
Hi,

Here is a PCAP file triggering a SIGSEGV that could enable (at least) a remote
party to trigger a denial of service.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

--

Program received signal SIGSEGV, Segmentation fault.
__memcmp_sse2 () at ../sysdeps/x86_64/multiarch/../memcmp.S:151
151 ../sysdeps/x86_64/multiarch/../memcmp.S: No such file or directory.
(gdb) python import exploitable
(gdb) exploitable -v
'exploitable' version 1.04
Linux nitro 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:52:48 UTC 2012 x86_64
Signal si_signo: 11 Signal si_addr: 0x178cfd0
Nearby code:
   0x00007ffff2eed767 <+311>:   test   rsi,0xf
   0x00007ffff2eed76e <+318>:   je     0x7ffff2eed8d3 <__memcmp_sse2+675>
   0x00007ffff2eed774 <+324>:   test   rdi,0x10
   0x00007ffff2eed77b <+331>:   je     0x7ffff2eed79a <__memcmp_sse2+362>
   0x00007ffff2eed77d <+333>:   movdqu xmm0,XMMWORD PTR [rdi+rsi*1]
=> 0x00007ffff2eed782 <+338>:   pcmpeqb xmm0,XMMWORD PTR [rdi]
   0x00007ffff2eed786 <+342>:   pmovmskb edx,xmm0
   0x00007ffff2eed78a <+346>:   sub    edx,0xffff
   0x00007ffff2eed790 <+352>:   jne    0x7ffff2eed8c0 <__memcmp_sse2+656>
   0x00007ffff2eed796 <+358>:   add    rdi,0x10
Stack trace:
#  0 __memcmp_sse2 at 0x7ffff2eed782 in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
#  1 fragment_add_work at 0x7ffff51959f9 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  2 fragment_add_common at 0x7ffff5195edc in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  3 fragment_add at 0x7ffff51964b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  4 dissect_dtls_handshake at 0x7ffff537ac0c in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  5 dissect_dtls_record at 0x7ffff537c604 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  6 dissect_dtls at 0x7ffff537c839 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  7 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  8 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  9 call_dissector at 0x7ffff517b7e1 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 10 dissect_capwap_control at 0x7ffff52aefdf in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 11 call_dissector_through_handle at 0x7ffff51794eb in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 12 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 13 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 14 decode_udp_ports at 0x7ffff5798875 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 15 dissect at 0x7ffff5798e83 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 16 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 17 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 18 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 19 dissect_ip at 0x7ffff54bd27b in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 20 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 21 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 22 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 23 ethertype at 0x7ffff53aabba in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 24 dissect_eth_common at 0x7ffff53a95dc in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 25 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 26 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 27 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 28 dissect_frame at 0x7ffff53dc8cb in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 29 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 30 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 31 call_dissector at 0x7ffff517b7e1 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 32 dissect_packet at 0x7ffff517bbf4 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 33 process_packet at 0x41ad5b in
/home/laurent/fuzzing/bin/wireshark-1.8.5/bin/tshark
# 34 load_cap_file at 0x40dc8f in
/home/laurent/fuzzing/bin/wireshark-1.8.5/bin/tshark
# 35 main at 0x40dc8f in /home/laurent/fuzzing/bin/wireshark-1.8.5/bin/tshark
Faulting frame: #  1 fragment_add_work at 0x7ffff51959f9 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
Description: Access violation on source operand
Short description: SourceAv (18/21)
Hash: b5c8ed64d962674ede2304d9cbd38f20.bc4e6acaf692b6a6eb2596772b8dbc62
Exploitability Classification: UNKNOWN
Explanation: The target crashed on an access violation at an address matching
the source operand of the current instruction. This likely indicates a read
access violation.
Other tags: AccessViolation (20/21)
