Wireshark-bugs: [Wireshark-bugs] [Bug 8934] New: Fuzz failure: seg-fault in tvb_new_proxy()

Date: Mon, 15 Jul 2013 15:53:28 +0000
Bug ID: 8934
Summary: Fuzz failure: seg-fault in tvb_new_proxy()
Classification: Unclassified
Product: Wireshark
Version: SVN
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Build Information:
TShark 1.11.0 (SVN Rev 50609 from /trunk)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.34.2, with libpcap, with libz 1.2.7, without
POSIX capabilities, without libnl, without SMI, with c-ares 1.9.1, with Lua 5.1,
without Python, with GnuTLS 2.12.23, with Gcrypt 1.5.0, without Kerberos,
without GeoIP.

Running on Linux 3.9.2-200.fc18.x86_64, with locale C, with libpcap version
1.3.0, with libz 1.2.7.
        Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz

Built using gcc 4.7.2 20121109 (Red Hat 4.7.2-8).

--
Got a fuzz failure:

~~~
 ERROR
Processing failed. Capture info follows:

  Input file: ../caps/menagerie/public/tcfe4_lan_2004_07_23_07_20_04.pcap.gz
  Output file: /tmp/fuzz-2013-07-15-17401.pcap

stderr follows:

Input file: ../caps/menagerie/public/tcfe4_lan_2004_07_23_07_20_04.pcap.gz

Build host information:
Linux mtl-morriss-d1.ulticom.com 3.9.2-200.fc18.x86_64 #1 SMP Mon May 13
13:59:47 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

Return value:  139

Dissector bug:  0

Valgrind error count:  0



Subversion revision
------------------------------------------------------------------------
r50609 | ruengeler | 2013-07-15 04:58:32 -0400 (Mon, 15 Jul 2013) | 3 lines

Do not hide the interface name in capture options.
Fix for bug 8932 reported by tdarnell5.

------------------------------------------------------------------------


Command and args: ./tshark -nVxr
~~~

Backtrace:

~~~
#0  tvb_new_proxy (backing=0x0) at tvbuff_subset.c:229
#1  0x00007fb374a897a9 in tvb_new_chain (parent=parent@entry=0x376e1e0,
backing=<optimized out>) at tvbuff.c:148
#2  0x00007fb374a28ad4 in dissect_dcerpc_cn_stub (tvb=tvb@entry=0x376e320,
offset=offset@entry=24, pinfo=pinfo@entry=0x7fff50bf4dc0,
dcerpc_tree=dcerpc_tree@entry=0x39d6230, tree=tree@entry=0x39d6040, 
    hdr=hdr@entry=0x7fff50bf3b60, di=di@entry=0x7fb3773cf528 <di.15419+648>,
auth_info=auth_info@entry=0x7fff50bf3ba0, frame=56, alloc_hint=<optimized out>)
at packet-dcerpc.c:3437
#3  0x00007fb374c50173 in dissect_dcerpc_cn_rqst (hdr=0x7fff50bf3b60,
tree=0x39d6040, dcerpc_tree=0x39d6230, pinfo=0x7fff50bf4dc0, offset=24,
tvb=0x376e320) at packet-dcerpc.c:3705
#4  dissect_dcerpc_cn (tvb=tvb@entry=0x376e190, offset=1861137832,
pinfo=pinfo@entry=0x7fff50bf4dc0, tree=tree@entry=0x39d6040,
can_desegment=<optimized out>, pkt_len=pkt_len@entry=0x7fff50bf3c60)
    at packet-dcerpc.c:4643
#5  0x00007fb374c50f44 in dissect_dcerpc_cn_bs_body (tvb=0x376e190,
pinfo=0x7fff50bf4dc0, tree=0x39d6040) at packet-dcerpc.c:4733
#6  0x00007fb374a5bb00 in dissector_try_heuristic (sub_dissectors=<optimized
out>, tvb=tvb@entry=0x376e190, pinfo=pinfo@entry=0x7fff50bf4dc0,
tree=tree@entry=0x39d6040, data="" at packet.c:1782
#7  0x00007fb3750c42cf in decode_tcp_ports (tvb=tvb@entry=0x39d7190,
offset=<optimized out>, pinfo=pinfo@entry=0x7fff50bf4dc0,
tree=tree@entry=0x39d6040, src_port=src_port@entry=2014, 
    dst_port=dst_port@entry=135, tcpd=tcpd@entry=0x7fb36eeeb600) at
packet-tcp.c:3876
#8  0x00007fb3750c47e2 in process_tcp_payload (tvb=tvb@entry=0x39d7190,
offset=offset@entry=32, pinfo=pinfo@entry=0x7fff50bf4dc0,
tree=tree@entry=0x39d6040, tcp_tree=tcp_tree@entry=0x39d14a0, 
    src_port=src_port@entry=2014, dst_port=dst_port@entry=135, seq=seq@entry=0,
nxtseq=nxtseq@entry=0, is_tcp_segment=is_tcp_segment@entry=0,
tcpd=tcpd@entry=0x7fb36eeeb600) at packet-tcp.c:3921
#9  0x00007fb3750c4dbd in desegment_tcp (tcpd=0x7fb36eeeb600,
tcp_tree=0x39d14a0, tree=0x39d6040, dport=135, sport=2014, nxtseq=229, seq=73,
offset=32, pinfo=0x7fff50bf4dc0, tvb=0x39d7190)
    at packet-tcp.c:1746
#10 dissect_tcp_payload (tvb=tvb@entry=0x39d7190,
pinfo=pinfo@entry=0x7fff50bf4dc0, offset=offset@entry=32, seq=<optimized out>,
nxtseq=nxtseq@entry=229, sport=2014, dport=135, tree=tree@entry=0x39d6040, 
    tcp_tree=tcp_tree@entry=0x39d14a0, tcpd=tcpd@entry=0x7fb36eeeb600) at
packet-tcp.c:3988
#11 0x00007fb3750c67e5 in dissect_tcp (tvb=0x39d7190, pinfo=0x7fff50bf4dc0,
tree=0x39d6040) at packet-tcp.c:4756
#12 0x00007fb374a59c88 in call_dissector_through_handle (handle=0x3126920,
tvb=0x39d7190, pinfo=0x7fff50bf4dc0, tree=0x39d6040, data="" at packet.c:433
#13 0x00007fb374a5a4bd in call_dissector_work (handle=0x3126920,
tvb=tvb@entry=0x39d7190, pinfo_arg=pinfo_arg@entry=0x7fff50bf4dc0,
tree=tree@entry=0x39d6040, add_proto_name=add_proto_name@entry=1, 
    data="" at packet.c:527
~~~
