Wireshark-bugs: [Wireshark-bugs] [Bug 8940] New: Fuzz failure in packet-gsm_a_common.c:elem_telv

Date: Tue, 16 Jul 2013 14:11:54 +0000
Bug ID 8940
Summary Fuzz failure in packet-gsm_a_common.c:elem_telv()
Classification Unclassified
Product Wireshark
Version SVN
Hardware All
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Build Information:

--
Got another fuzz failure:

~~~
 ERROR
Processing failed. Capture info follows:

  Input file: ../caps/menagerie/public/ITC_GB_eqm03s13p2-20120406-162427.pcap
  Output file: /tmp/fuzz-2013-07-15-22842.pcap

stderr follows:

Input file: ../caps/menagerie/public/ITC_GB_eqm03s13p2-20120406-162427.pcap

Build host information:
Linux mtl-morriss-d1.ulticom.com 3.9.2-200.fc18.x86_64 #1 SMP Mon May 13
13:59:47 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

Return value:  139

Dissector bug:  0

Valgrind error count:  0



Subversion revision
------------------------------------------------------------------------
r50634 | darkjames | 2013-07-15 14:59:42 -0400 (Mon, 15 Jul 2013) | 4 lines

Fix bug #8934: Fuzz failure: seg-fault in tvb_new_proxy()

It is possible to have NULL reassembly data, support this case in
tvb_new_proxy().

------------------------------------------------------------------------


Command and args: ./tshark -nVxr
~~~

Backtrace is:

~~~(gdb) bt
#0  0x00007fe991d92949 in _try_val_to_str_ext_init (val=44329440,
a_vse=0x28c2c30) at value_string.c:371
#1  0x00007fe992028b5a in elem_telv (tvb=tvb@entry=0x2a469e0,
tree=tree@entry=0x2914d80, pinfo=pinfo@entry=0x7ffff7ec4050, iei=iei@entry=20
'\024', pdu_type=pdu_type@entry=4, idx=idx@entry=20, 
    offset=offset@entry=1, len=len@entry=107, name_add=0x7fe992b3ca46 "",
name_add@entry=0x0) at packet-gsm_a_common.c:1367
#2  0x00007fe991e881d6 in bssgp_sgsn_invoke_trace (tvb=tvb@entry=0x2a469e0,
tree=tree@entry=0x2914d80, pinfo=pinfo@entry=0x7ffff7ec4050,
offset=offset@entry=1, len=len@entry=107) at packet-bssgp.c:4865
#3  0x00007fe991e82151 in dissect_bssgp (tvb=0x2a469e0, pinfo=0x7ffff7ec4050,
tree=<optimized out>) at packet-bssgp.c:6419
#4  0x00007fe991d5d998 in call_dissector_through_handle (handle=0x124cfd0,
tvb=0x2a469e0, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:433
#5  0x00007fe991d5e1cd in call_dissector_work (handle=0x124cfd0, tvb=0x2a469e0,
pinfo_arg=0x7ffff7ec4050, tree=0x292cd50, add_proto_name=1, data="" at
packet.c:527
#6  0x00007fe991d5ff71 in call_dissector_with_data (handle=<optimized out>,
tvb=0x2a469e0, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at
packet.c:2061
#7  0x00007fe991d60038 in call_dissector (handle=<optimized out>,
tvb=<optimized out>, pinfo=<optimized out>, tree=<optimized out>) at
packet.c:2079
#8  0x00007fe99221b646 in decode_pdu_ns_unitdata (bi=0x7ffff7ec3460) at
packet-nsip.c:752
#9  decode_pdu (bi=0x7ffff7ec3460, pdu_type=<optimized out>) at
packet-nsip.c:924
#10 dissect_nsip (tvb=<optimized out>, pinfo=<optimized out>, tree=<optimized
out>) at packet-nsip.c:1009
#11 0x00007fe991d5d998 in call_dissector_through_handle (handle=0x1ac1f70,
tvb=0x2a238f0, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:433
#12 0x00007fe991d5e1cd in call_dissector_work (handle=0x1ac1f70,
tvb=tvb@entry=0x2a238f0, pinfo_arg=pinfo_arg@entry=0x7ffff7ec4050,
tree=tree@entry=0x292cd50, add_proto_name=add_proto_name@entry=1, 
    data="" at packet.c:527
#13 0x00007fe991d5ea20 in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=2157, tvb=tvb@entry=0x2a238f0, pinfo=pinfo@entry=0x7ffff7ec4050,
tree=tree@entry=0x292cd50, 
    add_proto_name=add_proto_name@entry=1, data="" at packet.c:944
#14 0x00007fe991d5ea77 in dissector_try_uint (sub_dissectors=<optimized out>,
uint_val=<optimized out>, tvb=tvb@entry=0x2a238f0,
pinfo=pinfo@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50) at packet.c:970
#15 0x00007fe9923fa075 in decode_udp_ports (tvb=tvb@entry=0x2a38800,
offset=offset@entry=8, pinfo=pinfo@entry=0x7ffff7ec4050,
tree=tree@entry=0x292cd50, uh_sport=2158, uh_dport=2157, uh_ulen=120)
    at packet-udp.c:280
#16 0x00007fe9923fa66f in dissect (tvb=0x2a38800, pinfo=0x7ffff7ec4050,
tree=0x292cd50, ip_proto=<optimized out>) at packet-udp.c:602
#17 0x00007fe991d5d998 in call_dissector_through_handle (handle=0x22b23b0,
tvb=0x2a38800, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:433
#18 0x00007fe991d5e1cd in call_dissector_work (handle=0x22b23b0,
tvb=tvb@entry=0x2a38800, pinfo_arg=pinfo_arg@entry=0x7ffff7ec4050,
tree=tree@entry=0x292cd50, add_proto_name=add_proto_name@entry=1, 
    data="" at packet.c:527
#19 0x00007fe991d5ea20 in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=uint_val@entry=17, tvb=tvb@entry=0x2a38800,
pinfo=pinfo@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50, 
    add_proto_name=add_proto_name@entry=1, data="" at packet.c:944
#20 0x00007fe991d5ea77 in dissector_try_uint (sub_dissectors=<optimized out>,
uint_val=uint_val@entry=17, tvb=tvb@entry=0x2a38800,
pinfo=pinfo@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50)
    at packet.c:970
#21 0x00007fe9920f0e95 in dissect_ip (tvb=0x2917c60, pinfo=<optimized out>,
parent_tree=0x292cd50) at packet-ip.c:2412
#22 0x00007fe991d5d998 in call_dissector_through_handle (handle=0x15f4990,
tvb=0x2917c60, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:433
#23 0x00007fe991d5e1cd in call_dissector_work (handle=0x15f4990, tvb=0x2917c60,
pinfo_arg=0x7ffff7ec4050, tree=0x292cd50, add_proto_name=1, data="" at
packet.c:527
#24 0x00007fe991d5ff71 in call_dissector_with_data (handle=<optimized out>,
tvb=0x2917c60, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" out>) at
packet.c:2061
#25 0x00007fe991d5d998 in call_dissector_through_handle (handle=0x28181c0,
tvb=0x2917c60, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:433
#26 0x00007fe991d5e1cd in call_dissector_work (handle=0x28181c0,
tvb=tvb@entry=0x2917c60, pinfo_arg=pinfo_arg@entry=0x7ffff7ec4050,
tree=tree@entry=0x292cd50, add_proto_name=add_proto_name@entry=1, 
    data="" at packet.c:527
#27 0x00007fe991d5ea20 in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=7, tvb=tvb@entry=0x2917c60, pinfo=pinfo@entry=0x7ffff7ec4050,
tree=tree@entry=0x292cd50, 
    add_proto_name=add_proto_name@entry=1, data="" at packet.c:944
#28 0x00007fe991d5ea77 in dissector_try_uint (sub_dissectors=<optimized out>,
uint_val=<optimized out>, tvb=tvb@entry=0x2917c60,
pinfo=pinfo@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50) at packet.c:970
#29 0x00007fe991ffa648 in dissect_frame (tvb=0x2917c60, pinfo=0x7ffff7ec4050,
parent_tree=0x292cd50) at packet-frame.c:480
#30 0x00007fe991d5d998 in call_dissector_through_handle (handle=0x1547f20,
tvb=0x2917c60, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:433
#31 0x00007fe991d5e1cd in call_dissector_work (handle=0x1547f20, tvb=0x2917c60,
pinfo_arg=0x7ffff7ec4050, tree=0x292cd50, add_proto_name=1, data="" at
packet.c:527
#32 0x00007fe991d5ff71 in call_dissector_with_data (handle=<optimized out>,
tvb=0x2917c60, pinfo=pinfo@entry=0x7ffff7ec4050, tree=0x292cd50,
data="" at packet.c:2061
#33 0x00007fe991d60038 in call_dissector (handle=<optimized out>,
tvb=<optimized out>, pinfo=pinfo@entry=0x7ffff7ec4050, tree=<optimized out>) at
packet.c:2079
#34 0x00007fe991d603a0 in dissect_packet (edt=edt@entry=0x7ffff7ec4040,
phdr=phdr@entry=0x28a9ac0, tvb=tvb@entry=0x2917c60, fd=fd@entry=0x7ffff7ec3fc0,
cinfo=0x0) at packet.c:367
#35 0x00007fe991d5455c in epan_dissect_run_with_taps
(edt=edt@entry=0x7ffff7ec4040, phdr=phdr@entry=0x28a9ac0, tvb=0x2917c60,
fd=fd@entry=0x7ffff7ec3fc0, cinfo=cinfo@entry=0x0) at epan.c:219
#36 0x0000000000412e9d in process_packet (cf=cf@entry=0x63ca00 <cfile>,
offset=<optimized out>, whdr=0x28a9ac0, pd=pd@entry=0x28aec80 "E",
filtering_tap_listeners=<optimized out>, 
    filtering_tap_listeners@entry=0, tap_flags=tap_flags@entry=4) at
tshark.c:3251
#37 0x000000000040afd7 in load_cap_file (cf=0x63ca00 <cfile>, max_byte_count=0,
max_packet_count=-7518, out_file_name_res=0, out_file_type=2, save_file=0x0) at
tshark.c:3046
#38 main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1920
(gdb) print vs_num_entries
$1 = 0
(gdb) print vs_p
$2 = (const value_string *) 0x0
(gdb) 
~~~

Looks like 'idx' is out of range for gsm_common_elem_strings[]


~~~
(gdb) up
#1  0x00007fe992028b5a in elem_telv (tvb=tvb@entry=0x2a469e0,
tree=tree@entry=0x2914d80, pinfo=pinfo@entry=0x7ffff7ec4050, iei=iei@entry=20
'\024', pdu_type=pdu_type@entry=4, idx=idx@entry=20, 
    offset=offset@entry=1, len=len@entry=107, name_add=0x7fe992b3ca46 "",
name_add@entry=0x0) at packet-gsm_a_common.c:1367
1367                    consumed =
(gdb) print idx
$3 = 20
(gdb) print elem_names_ext 
$6 = {
  _vs_match2 = 0x7fe991d92ad0 <_try_val_to_str_index>, 
  _vs_first_value = 0, 
  _vs_num_entries = 18, 
  _vs_p = 0x7fe9936e9360 <gsm_common_elem_strings>, 
  _vs_name = 0x7fe992afc100 "gsm_common_elem_strings"
}
~~~


You are receiving this mail because:
  • You are watching all bug changes.