Wireshark-bugs: [Wireshark-bugs] [Bug 8940] New: Fuzz failure in packet-gsm_a_common.c:elem_telv
Date: Tue, 16 Jul 2013 14:11:54 +0000
Bug ID | 8940 |
---|---|
Summary | Fuzz failure in packet-gsm_a_common.c:elem_telv() |
Classification | Unclassified |
Product | Wireshark |
Version | SVN |
Hardware | All |
OS | All |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | Dissection engine (libwireshark) |
Assignee | [email protected] |
Reporter | [email protected] |
Build Information:
--
Got another fuzz failure:

~~~
ERROR
Processing failed. Capture info follows:

Input file: ../caps/menagerie/public/ITC_GB_eqm03s13p2-20120406-162427.pcap
Output file: /tmp/fuzz-2013-07-15-22842.pcap

stderr follows:
Input file: ../caps/menagerie/public/ITC_GB_eqm03s13p2-20120406-162427.pcap

Build host information:
Linux mtl-morriss-d1.ulticom.com 3.9.2-200.fc18.x86_64 #1 SMP Mon May 13 13:59:47 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

Return value: 139

Dissector bug: 0

Valgrind error count: 0

Subversion revision
------------------------------------------------------------------------
r50634 | darkjames | 2013-07-15 14:59:42 -0400 (Mon, 15 Jul 2013) | 4 lines

Fix bug #8934: Fuzz failure: seg-fault in tvb_new_proxy()

It is possible to have NULL reassembly data, support this case in tvb_new_proxy().
------------------------------------------------------------------------

Command and args: ./tshark -nVxr
~~~

Backtrace is:

~~~
(gdb) bt
#0  0x00007fe991d92949 in _try_val_to_str_ext_init (val=44329440, a_vse=0x28c2c30) at value_string.c:371
#1  0x00007fe992028b5a in elem_telv (tvb=tvb@entry=0x2a469e0, tree=tree@entry=0x2914d80, pinfo=pinfo@entry=0x7ffff7ec4050, iei=iei@entry=20 '\024', pdu_type=pdu_type@entry=4, idx=idx@entry=20, offset=offset@entry=1, len=len@entry=107, name_add=0x7fe992b3ca46 "", name_add@entry=0x0) at packet-gsm_a_common.c:1367
#2  0x00007fe991e881d6 in bssgp_sgsn_invoke_trace (tvb=tvb@entry=0x2a469e0, tree=tree@entry=0x2914d80, pinfo=pinfo@entry=0x7ffff7ec4050, offset=offset@entry=1, len=len@entry=107) at packet-bssgp.c:4865
#3  0x00007fe991e82151 in dissect_bssgp (tvb=0x2a469e0, pinfo=0x7ffff7ec4050, tree=<optimized out>) at packet-bssgp.c:6419
#4  0x00007fe991d5d998 in call_dissector_through_handle (handle=0x124cfd0, tvb=0x2a469e0, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:433
#5  0x00007fe991d5e1cd in call_dissector_work (handle=0x124cfd0, tvb=0x2a469e0, pinfo_arg=0x7ffff7ec4050, tree=0x292cd50, add_proto_name=1, data="" at packet.c:527
#6  0x00007fe991d5ff71 in call_dissector_with_data (handle=<optimized out>, tvb=0x2a469e0, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:2061
#7  0x00007fe991d60038 in call_dissector (handle=<optimized out>, tvb=<optimized out>, pinfo=<optimized out>, tree=<optimized out>) at packet.c:2079
#8  0x00007fe99221b646 in decode_pdu_ns_unitdata (bi=0x7ffff7ec3460) at packet-nsip.c:752
#9  decode_pdu (bi=0x7ffff7ec3460, pdu_type=<optimized out>) at packet-nsip.c:924
#10 dissect_nsip (tvb=<optimized out>, pinfo=<optimized out>, tree=<optimized out>) at packet-nsip.c:1009
#11 0x00007fe991d5d998 in call_dissector_through_handle (handle=0x1ac1f70, tvb=0x2a238f0, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:433
#12 0x00007fe991d5e1cd in call_dissector_work (handle=0x1ac1f70, tvb=tvb@entry=0x2a238f0, pinfo_arg=pinfo_arg@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50, add_proto_name=add_proto_name@entry=1, data="" at packet.c:527
#13 0x00007fe991d5ea20 in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=2157, tvb=tvb@entry=0x2a238f0, pinfo=pinfo@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50, add_proto_name=add_proto_name@entry=1, data="" at packet.c:944
#14 0x00007fe991d5ea77 in dissector_try_uint (sub_dissectors=<optimized out>, uint_val=<optimized out>, tvb=tvb@entry=0x2a238f0, pinfo=pinfo@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50) at packet.c:970
#15 0x00007fe9923fa075 in decode_udp_ports (tvb=tvb@entry=0x2a38800, offset=offset@entry=8, pinfo=pinfo@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50, uh_sport=2158, uh_dport=2157, uh_ulen=120) at packet-udp.c:280
#16 0x00007fe9923fa66f in dissect (tvb=0x2a38800, pinfo=0x7ffff7ec4050, tree=0x292cd50, ip_proto=<optimized out>) at packet-udp.c:602
#17 0x00007fe991d5d998 in call_dissector_through_handle (handle=0x22b23b0, tvb=0x2a38800, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:433
#18 0x00007fe991d5e1cd in call_dissector_work (handle=0x22b23b0, tvb=tvb@entry=0x2a38800, pinfo_arg=pinfo_arg@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50, add_proto_name=add_proto_name@entry=1, data="" at packet.c:527
#19 0x00007fe991d5ea20 in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=uint_val@entry=17, tvb=tvb@entry=0x2a38800, pinfo=pinfo@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50, add_proto_name=add_proto_name@entry=1, data="" at packet.c:944
#20 0x00007fe991d5ea77 in dissector_try_uint (sub_dissectors=<optimized out>, uint_val=uint_val@entry=17, tvb=tvb@entry=0x2a38800, pinfo=pinfo@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50) at packet.c:970
#21 0x00007fe9920f0e95 in dissect_ip (tvb=0x2917c60, pinfo=<optimized out>, parent_tree=0x292cd50) at packet-ip.c:2412
#22 0x00007fe991d5d998 in call_dissector_through_handle (handle=0x15f4990, tvb=0x2917c60, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:433
#23 0x00007fe991d5e1cd in call_dissector_work (handle=0x15f4990, tvb=0x2917c60, pinfo_arg=0x7ffff7ec4050, tree=0x292cd50, add_proto_name=1, data="" at packet.c:527
#24 0x00007fe991d5ff71 in call_dissector_with_data (handle=<optimized out>, tvb=0x2917c60, pinfo=0x7ffff7ec4050, tree=0x292cd50, data=<optimized out>) at packet.c:2061
#25 0x00007fe991d5d998 in call_dissector_through_handle (handle=0x28181c0, tvb=0x2917c60, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:433
#26 0x00007fe991d5e1cd in call_dissector_work (handle=0x28181c0, tvb=tvb@entry=0x2917c60, pinfo_arg=pinfo_arg@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50, add_proto_name=add_proto_name@entry=1, data="" at packet.c:527
#27 0x00007fe991d5ea20 in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=7, tvb=tvb@entry=0x2917c60, pinfo=pinfo@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50, add_proto_name=add_proto_name@entry=1, data="" at packet.c:944
#28 0x00007fe991d5ea77 in dissector_try_uint (sub_dissectors=<optimized out>, uint_val=<optimized out>, tvb=tvb@entry=0x2917c60, pinfo=pinfo@entry=0x7ffff7ec4050, tree=tree@entry=0x292cd50) at packet.c:970
#29 0x00007fe991ffa648 in dissect_frame (tvb=0x2917c60, pinfo=0x7ffff7ec4050, parent_tree=0x292cd50) at packet-frame.c:480
#30 0x00007fe991d5d998 in call_dissector_through_handle (handle=0x1547f20, tvb=0x2917c60, pinfo=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:433
#31 0x00007fe991d5e1cd in call_dissector_work (handle=0x1547f20, tvb=0x2917c60, pinfo_arg=0x7ffff7ec4050, tree=0x292cd50, add_proto_name=1, data="" at packet.c:527
#32 0x00007fe991d5ff71 in call_dissector_with_data (handle=<optimized out>, tvb=0x2917c60, pinfo=pinfo@entry=0x7ffff7ec4050, tree=0x292cd50, data="" at packet.c:2061
#33 0x00007fe991d60038 in call_dissector (handle=<optimized out>, tvb=<optimized out>, pinfo=pinfo@entry=0x7ffff7ec4050, tree=<optimized out>) at packet.c:2079
#34 0x00007fe991d603a0 in dissect_packet (edt=edt@entry=0x7ffff7ec4040, phdr=phdr@entry=0x28a9ac0, tvb=tvb@entry=0x2917c60, fd=fd@entry=0x7ffff7ec3fc0, cinfo=0x0) at packet.c:367
#35 0x00007fe991d5455c in epan_dissect_run_with_taps (edt=edt@entry=0x7ffff7ec4040, phdr=phdr@entry=0x28a9ac0, tvb=0x2917c60, fd=fd@entry=0x7ffff7ec3fc0, cinfo=cinfo@entry=0x0) at epan.c:219
#36 0x0000000000412e9d in process_packet (cf=cf@entry=0x63ca00 <cfile>, offset=<optimized out>, whdr=0x28a9ac0, pd=pd@entry=0x28aec80 "E", filtering_tap_listeners=<optimized out>, filtering_tap_listeners@entry=0, tap_flags=tap_flags@entry=4) at tshark.c:3251
#37 0x000000000040afd7 in load_cap_file (cf=0x63ca00 <cfile>, max_byte_count=0, max_packet_count=-7518, out_file_name_res=0, out_file_type=2, save_file=0x0) at tshark.c:3046
#38 main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1920
(gdb) print vs_num_entries
$1 = 0
(gdb) print vs_p
$2 = (const value_string *) 0x0
(gdb)
~~~

Looks like 'idx' is out of range for gsm_common_elem_strings[]

~~~
(gdb) up
#1  0x00007fe992028b5a in elem_telv (tvb=tvb@entry=0x2a469e0, tree=tree@entry=0x2914d80, pinfo=pinfo@entry=0x7ffff7ec4050, iei=iei@entry=20 '\024', pdu_type=pdu_type@entry=4, idx=idx@entry=20, offset=offset@entry=1, len=len@entry=107, name_add=0x7fe992b3ca46 "", name_add@entry=0x0) at packet-gsm_a_common.c:1367
1367        consumed =
(gdb) print idx
$3 = 20
(gdb) print elem_names_ext
$6 = {
  _vs_match2 = 0x7fe991d92ad0 <_try_val_to_str_index>,
  _vs_first_value = 0,
  _vs_num_entries = 18,
  _vs_p = 0x7fe9936e9360 <gsm_common_elem_strings>,
  _vs_name = 0x7fe992afc100 "gsm_common_elem_strings"
}
~~~
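The gdb session above shows elem_telv() being called with idx=20 while elem_names_ext reports _vs_num_entries = 18, so the index lands two entries past the end of gsm_common_elem_strings[] and the lookup code ends up reading whatever memory follows the table (the zeroed vs_num_entries and NULL vs_p in frame #0 are that garbage). The C program below is an added illustration and is not part of this report or of Wireshark's code: it builds a constructed 18-entry table with the same shape, then shows a bounds-checked lookup that returns NULL (and a helper that returns -1) for idx=20 instead of indexing past the array. The struct layouts, names, the element strings and the "2 + len" consumed-bytes rule are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the value_string / value_string_ext shapes
 * (hypothetical, not libwireshark's real definitions); the field names
 * echo the gdb output in the report (_vs_num_entries, _vs_p). */
typedef struct {
    unsigned int value;
    const char  *strptr;
} vs_entry;

typedef struct {
    unsigned int    vs_num_entries;
    const vs_entry *vs_p;
    const char     *vs_name;
} vs_table;

/* Constructed 18-entry element-name table, the same count gdb reports for
 * gsm_common_elem_strings in the bug; the names themselves are made up. */
#define ELEM(n) { n, "Constructed element " #n }
static const vs_entry elem_entries[] = {
    ELEM(0),  ELEM(1),  ELEM(2),  ELEM(3),  ELEM(4),  ELEM(5),
    ELEM(6),  ELEM(7),  ELEM(8),  ELEM(9),  ELEM(10), ELEM(11),
    ELEM(12), ELEM(13), ELEM(14), ELEM(15), ELEM(16), ELEM(17),
};

const vs_table elem_table = {
    sizeof elem_entries / sizeof elem_entries[0],
    elem_entries,
    "constructed_elem_strings",
};

/* Bounds-checked name lookup: idx is used as an array index (as in
 * gsm_common_elem_strings[idx]), so any idx >= vs_num_entries reads past
 * the table. Return NULL rather than dereferencing memory beyond it. */
const char *elem_name_checked(const vs_table *t, unsigned int idx)
{
    if (t == NULL || t->vs_p == NULL || idx >= t->vs_num_entries)
        return NULL;
    return t->vs_p[idx].strptr;
}

/* Minimal stand-in for an elem_*() helper: returns the number of bytes it
 * would consume, or -1 when idx is out of range. The consumed value
 * (1 IEI byte + 1 length byte + len) is a constructed simplification. */
int elem_consume_checked(const vs_table *t, unsigned int idx, unsigned int len)
{
    const char *name = elem_name_checked(t, idx);
    if (name == NULL) {
        fprintf(stderr, "elem index %u out of range for %s (%u entries)\n",
                idx, t ? t->vs_name : "(null)", t ? t->vs_num_entries : 0u);
        return -1;
    }
    return (int)(2 + len);
}

int main(void)
{
    /* Values taken from the gdb session in the report: idx=20, len=107,
     * against a table of 18 entries. */
    int consumed = elem_consume_checked(&elem_table, 20, 107);
    printf("idx=20 -> consumed=%d\n", consumed);              /* -1, no crash */
    consumed = elem_consume_checked(&elem_table, 17, 107);
    printf("idx=17 -> consumed=%d (%s)\n", consumed,
           elem_name_checked(&elem_table, 17));                 /* 109 */
    return 0;
}
```

The check belongs at the point where idx is turned into an array subscript; computing the entry count from the array itself (sizeof elem_entries / sizeof elem_entries[0]) keeps the bound from drifting when entries are added to the table.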