Wireshark-bugs: [Wireshark-bugs] [Bug 8941] New: Fuzz failure:

Date: Tue, 16 Jul 2013 14:36:38 +0000
Bug ID: 8941
Summary: Fuzz failure:
Classification: Unclassified
Product: Wireshark
Version: SVN
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Build Information:

--
Got another fuzz failure last night:

~~~
 ERROR
Processing failed. Capture info follows:

  Input file: ../caps/menagerie/public/10129-trc_00004_20130227111552
  Output file: /tmp/fuzz-2013-07-15-23661.pcap

stderr follows:

Input file: ../caps/menagerie/public/10129-trc_00004_20130227111552

Build host information:
Linux mtl-morriss-d1.ulticom.com 3.9.2-200.fc18.x86_64 #1 SMP Mon May 13
13:59:47 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

Return value:  139

Dissector bug:  0

Valgrind error count:  0



Subversion revision
------------------------------------------------------------------------
r50634 | darkjames | 2013-07-15 14:59:42 -0400 (Mon, 15 Jul 2013) | 4 lines

Fix bug #8934: Fuzz failure: seg-fault in tvb_new_proxy()

It is possible to have NULL reassembly data, support this case in
tvb_new_proxy().

------------------------------------------------------------------------


Command and args: ./tshark -nVxr


** (process:19795): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet
10736: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"

** (process:19795): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet
10812: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"

** (process:19795): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet
12498: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"
~~~

Backtrace is:

~~~
#0  print_hex_data_buffer (stream=stream@entry=0x1f7e010, cp=0x1e2898235
<Address 0x1e2898235 out of bounds>, length=length@entry=8,
encoding=PACKET_CHAR_ENC_CHAR_ASCII) at print.c:1005
#1  0x00007f15279f8659 in print_hex_data (stream=0x1f7e010,
edt=edt@entry=0x7fff0bb89200) at print.c:922
#2  0x0000000000411807 in print_packet (cf=cf@entry=0x63ca00 <cfile>,
edt=edt@entry=0x7fff0bb89200) at tshark.c:3663
#3  0x0000000000413048 in process_packet (cf=cf@entry=0x63ca00 <cfile>,
offset=<optimized out>, whdr=<optimized out>, pd=pd@entry=0x205e000 "",
filtering_tap_listeners=<optimized out>, 
    filtering_tap_listeners@entry=0, tap_flags=tap_flags@entry=4) at
tshark.c:3268
#4  0x000000000040afd7 in load_cap_file (cf=0x63ca00 <cfile>, max_byte_count=0,
max_packet_count=-13200, out_file_name_res=0, out_file_type=2, save_file=0x0)
at tshark.c:3046
#5  main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1920
~~~

Interestingly, Valgrind shows a different kind of error:

~~~
==29870== Conditional jump or move depends on uninitialised value(s)
==29870==    at 0x67E11D8: get_unicode_or_ascii_string
(packet-smb-common.c:240)
==29870==    by 0x680172F: dissect_get_dfs_request_data (packet-smb.c:10949)
==29870==    by 0x6812E75: dissect_smb2_ioctl_data (packet-smb2.c:4625)
==29870==    by 0x6811A3C: dissect_smb2_ioctl_request (packet-smb2.c:4737)
==29870==    by 0x68104BC: dissect_smb2 (packet-smb2.c:6637)
==29870==    by 0x6810C66: dissect_smb2_heur (packet-smb2.c:7074)
==29870==    by 0x61EA80F: dissector_try_heuristic (packet.c:1782)
==29870==    by 0x667F5F3: dissect_netbios_payload (packet-netbios.c:1055)
==29870==    by 0x664A8ED: dissect_nbss_packet (packet-nbns.c:1612)
==29870==    by 0x664AACA: dissect_nbss (packet-nbns.c:1816)
==29870==    by 0x61E8997: call_dissector_through_handle (packet.c:433)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870== 
==29870== Conditional jump or move depends on uninitialised value(s)
==29870==    at 0x66A9631: decrypt_data_payload.isra.1 (packet-ntlmssp.c:2027)
==29870==    by 0x66A99E6: dissect_ntlmssp_payload_only (packet-ntlmssp.c:2417)
==29870==    by 0x66A9A19: wrap_dissect_ntlmssp_payload_only
(packet-ntlmssp.c:2512)
==29870==    by 0x61B75A7: dissect_dcerpc_cn_stub.isra.5 (packet-dcerpc.c:886)
==29870==    by 0x63DEBB2: dissect_dcerpc_cn (packet-dcerpc.c:3705)
==29870==    by 0x63DF983: dissect_dcerpc_cn_bs_body (packet-dcerpc.c:4733)
==29870==    by 0x61EA80F: dissector_try_heuristic (packet.c:1782)
==29870==    by 0x6852D6E: decode_tcp_ports (packet-tcp.c:3877)
==29870==    by 0x6853281: process_tcp_payload (packet-tcp.c:3922)
==29870==    by 0x685385C: dissect_tcp_payload (packet-tcp.c:1747)
==29870==    by 0x6855284: dissect_tcp (packet-tcp.c:4757)
==29870==    by 0x61E8997: call_dissector_through_handle (packet.c:433)
==29870== 
==29870== Conditional jump or move depends on uninitialised value(s)
==29870==    at 0x66A83C9: decrypt_verifier (packet-ntlmssp.c:2255)
==29870==    by 0x66A88FF: dissect_ntlmssp_verf (packet-ntlmssp.c:2488)
==29870==    by 0x61B6237: dissect_auth_verf.isra.2 (packet-dcerpc.c:858)
==29870==    by 0x61B6390: dissect_dcerpc_verifier (packet-dcerpc.c:2776)
==29870==    by 0x63DE96F: dissect_dcerpc_cn (packet-dcerpc.c:3857)
==29870==    by 0x63DF983: dissect_dcerpc_cn_bs_body (packet-dcerpc.c:4733)
==29870==    by 0x61EA80F: dissector_try_heuristic (packet.c:1782)
==29870==    by 0x6852D6E: decode_tcp_ports (packet-tcp.c:3877)
==29870==    by 0x6853281: process_tcp_payload (packet-tcp.c:3922)
==29870==    by 0x685385C: dissect_tcp_payload (packet-tcp.c:1747)
==29870==    by 0x6855284: dissect_tcp (packet-tcp.c:4757)
==29870==    by 0x61E8997: call_dissector_through_handle (packet.c:433)
==29870== 

** (process:29870): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet
10736: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"

** (process:29870): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet
10812: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"

** (process:29870): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet
12498: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"
==29870== Conditional jump or move depends on uninitialised value(s)
==29870==    at 0x66A95D3: decrypt_data_payload.isra.1 (packet-ntlmssp.c:2008)
==29870==    by 0x66A9C98: dissect_ntlmssp_payload (packet-ntlmssp.c:1976)
==29870==    by 0x61E89DE: call_dissector_through_handle (packet.c:429)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870==    by 0x61EAF70: call_dissector_with_data (packet.c:2061)
==29870==    by 0x64FCCE0: dissect_gssapi_work (packet-gssapi.c:319)
==29870==    by 0x61E8997: call_dissector_through_handle (packet.c:433)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870==    by 0x61EAF70: call_dissector_with_data (packet.c:2061)
==29870==    by 0x680F338: dissect_smb2_negotiate_protocol_response
(packet-smb2.c:3471)
==29870==    by 0x68104BC: dissect_smb2 (packet-smb2.c:6637)
==29870==    by 0x6810247: dissect_smb2 (packet-smb2.c:7053)
==29870== 
==29870== Use of uninitialised value of size 8
==29870==    at 0x8FD3AC6: crc32c_calculate (crc32.c:245)
==29870==    by 0x66A9562: header_hash (packet-ntlmssp.c:2616)
==29870==    by 0x3DE1C37C98: g_hash_table_lookup (in
/usr/lib64/libglib-2.0.so.0.3400.2)
==29870==    by 0x66A83A2: decrypt_verifier (packet-ntlmssp.c:2246)
==29870==    by 0x66A9CBA: dissect_ntlmssp_payload (packet-ntlmssp.c:1977)
==29870==    by 0x61E89DE: call_dissector_through_handle (packet.c:429)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870==    by 0x61EAF70: call_dissector_with_data (packet.c:2061)
==29870==    by 0x64FCCE0: dissect_gssapi_work (packet-gssapi.c:319)
==29870==    by 0x61E8997: call_dissector_through_handle (packet.c:433)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870==    by 0x61EAF70: call_dissector_with_data (packet.c:2061)
==29870== 
==29870== Conditional jump or move depends on uninitialised value(s)
==29870==    at 0x66A83BB: decrypt_verifier (packet-ntlmssp.c:2254)
==29870==    by 0x66A9CBA: dissect_ntlmssp_payload (packet-ntlmssp.c:1977)
==29870==    by 0x61E89DE: call_dissector_through_handle (packet.c:429)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870==    by 0x61EAF70: call_dissector_with_data (packet.c:2061)
==29870==    by 0x64FCCE0: dissect_gssapi_work (packet-gssapi.c:319)
==29870==    by 0x61E8997: call_dissector_through_handle (packet.c:433)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870==    by 0x61EAF70: call_dissector_with_data (packet.c:2061)
==29870==    by 0x680F338: dissect_smb2_negotiate_protocol_response
(packet-smb2.c:3471)
==29870==    by 0x68104BC: dissect_smb2 (packet-smb2.c:6637)
==29870==    by 0x6810247: dissect_smb2 (packet-smb2.c:7053)
~~~

