Wireshark-bugs: [Wireshark-bugs] [Bug 9573] New: Global Variable in x509af dissector causing pro
Date: Tue, 17 Dec 2013 19:31:46 +0000
Bug ID | 9573 |
---|---|
Summary | Global Variable in x509af dissector causing problems |
Classification | Unclassified |
Product | Wireshark |
Version | SVN |
Hardware | All |
OS | All |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | Dissection engine (libwireshark) |
Assignee | [email protected] |
Reporter | [email protected] |
Build Information:
TShark 1.11.3 (SVN Rev 54189 from /trunk)
Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.38.1, with libpcap, with libz 1.2.8, with POSIX capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, without Python, with GnuTLS 2.12.23, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP.
Running on Linux 3.11.0-14-generic, with locale en_CA.UTF-8, with libpcap version 1.4.0, with libz 1.2.8.
Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
Built using gcc 4.8.1.
--

I have an attachment from fuzzing which causes the following valgrind errors:

```
==13166== Invalid read of size 1
==13166==    at 0x96109D0: g_str_hash (ghash.c:1732)
==13166==    by 0x9610058: g_hash_table_lookup (ghash.c:365)
==13166==    by 0x65E6D5E: call_ber_oid_callback (packet-ber.c:518)
==13166==    by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285)
==13166==    by 0x6DBEAEF: dissect_x509af_AlgorithmIdentifier (x509af.cnf:98)
==13166==    by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285)
==13166==    by 0x6DBEC2F: dissect_x509af_T_signedCertificate (x509af.cnf:159)
==13166==    by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285)
==13166==    by 0x6DBEBEF: dissect_x509af_Certificate (x509af.cnf:175)
==13166==    by 0x6B59235: dissect_ssl3_handshake (packet-ssl.c:3131)
==13166==    by 0x6B5AD5A: dissect_ssl3_record (packet-ssl.c:1791)
==13166==    by 0x6B5B724: dissect_ssl (packet-ssl.c:909)
==13166==  Address 0x12f93350 is 0 bytes inside a block of size 68 free'd
==13166==    at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13166==    by 0x64EA51C: emem_free_all (emem.c:1242)
==13166==    by 0x64EC3CA: epan_dissect_run_with_taps (epan.c:333)
==13166==    by 0x4134FD: process_packet (tshark.c:3453)
==13166==    by 0x40BAA3: main (tshark.c:3256)
==13166==
==13166== Invalid read of size 1
==13166==    at 0x96109ED: g_str_hash (ghash.c:1732)
==13166==    by 0x9610058: g_hash_table_lookup (ghash.c:365)
==13166==    by 0x65E6D5E: call_ber_oid_callback (packet-ber.c:518)
==13166==    by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285)
==13166==    by 0x6DBEAEF: dissect_x509af_AlgorithmIdentifier (x509af.cnf:98)
==13166==    by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285)
==13166==    by 0x6DBEC2F: dissect_x509af_T_signedCertificate (x509af.cnf:159)
==13166==    by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285)
==13166==    by 0x6DBEBEF: dissect_x509af_Certificate (x509af.cnf:175)
==13166==    by 0x6B59235: dissect_ssl3_handshake (packet-ssl.c:3131)
==13166==    by 0x6B5AD5A: dissect_ssl3_record (packet-ssl.c:1791)
==13166==    by 0x6B5B724: dissect_ssl (packet-ssl.c:909)
==13166==  Address 0x12f93351 is 1 bytes inside a block of size 68 free'd
==13166==    at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13166==    by 0x64EA51C: emem_free_all (emem.c:1242)
==13166==    by 0x64EC3CA: epan_dissect_run_with_taps (epan.c:333)
==13166==    by 0x4134FD: process_packet (tshark.c:3453)
==13166==    by 0x40BAA3: main (tshark.c:3256)
==13166==
==13166== Invalid read of size 1
==13166==    at 0x96109D0: g_str_hash (ghash.c:1732)
==13166==    by 0x9610058: g_hash_table_lookup (ghash.c:365)
==13166==    by 0x64F719F: dissector_try_string (packet.c:1280)
==13166==    by 0x65E6DC6: call_ber_oid_callback (packet-ber.c:1078)
==13166==    by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285)
==13166==    by 0x6DBEAEF: dissect_x509af_AlgorithmIdentifier (x509af.cnf:98)
==13166==    by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285)
==13166==    by 0x6DBEC2F: dissect_x509af_T_signedCertificate (x509af.cnf:159)
==13166==    by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285)
==13166==    by 0x6DBEBEF: dissect_x509af_Certificate (x509af.cnf:175)
==13166==    by 0x6B59235: dissect_ssl3_handshake (packet-ssl.c:3131)
==13166==    by 0x6B5AD5A: dissect_ssl3_record (packet-ssl.c:1791)
==13166==  Address 0x12f93350 is 0 bytes inside a block of size 68 free'd
==13166==    at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13166==    by 0x64EA51C: emem_free_all (emem.c:1242)
==13166==    by 0x64EC3CA: epan_dissect_run_with_taps (epan.c:333)
==13166==    by 0x4134FD: process_packet (tshark.c:3453)
==13166==    by 0x40BAA3: main (tshark.c:3256)
==13166==
==13166== Invalid read of size 1
==13166==    at 0x96109ED: g_str_hash (ghash.c:1732)
==13166==    by 0x9610058: g_hash_table_lookup (ghash.c:365)
==13166==    by 0x64F719F: dissector_try_string (packet.c:1280)
==13166==    by 0x65E6DC6: call_ber_oid_callback (packet-ber.c:1078)
==13166==    by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285)
==13166==    by 0x6DBEAEF: dissect_x509af_AlgorithmIdentifier (x509af.cnf:98)
==13166==    by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285)
==13166==    by 0x6DBEC2F: dissect_x509af_T_signedCertificate (x509af.cnf:159)
==13166==    by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285)
==13166==    by 0x6DBEBEF: dissect_x509af_Certificate (x509af.cnf:175)
==13166==    by 0x6B59235: dissect_ssl3_handshake (packet-ssl.c:3131)
==13166==    by 0x6B5AD5A: dissect_ssl3_record (packet-ssl.c:1791)
==13166==  Address 0x12f93351 is 1 bytes inside a block of size 68 free'd
==13166==    at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13166==    by 0x64EA51C: emem_free_all (emem.c:1242)
==13166==    by 0x64EC3CA: epan_dissect_run_with_taps (epan.c:333)
==13166==    by 0x4134FD: process_packet (tshark.c:3453)
==13166==    by 0x40BAA3: main (tshark.c:3256)
==13166==
```

In frame 2, memory is ep-allocated and assigned to the algorithm_id global in packet-x509af-template.c:

```
#0  ep_alloc (size=size@entry=68) at emem.c:935
#1  0x00007ffff4c62b19 in ep_alloc0 (size=68) at emem.c:953
#2  0x00007ffff4c6b486 in rel_oid_subid2string (subids=0x7fffed5f88c0, len=6, is_absolute=1) at oids.c:848
#3  0x00007ffff4c6c1a5 in oid_encoded2string (encoded=<optimized out>, len=len@entry=6) at oids.c:1111
#4  0x00007ffff4d628b9 in dissect_ber_any_oid_str (implicit_tag=<optimized out>, actx=<optimized out>, tree=tree@entry=0x7fffebbd24e0, tvb=<optimized out>, offset=8, hf_id=<optimized out>, value_stringx=value_stringx@entry=0x7ffff7adf3b0 <algorithm_id>, is_absolute=is_absolute@entry=1) at packet-ber.c:3978
#5  0x00007ffff4d6294a in dissect_ber_object_identifier_str (implicit_tag=<optimized out>, actx=<optimized out>, tree=tree@entry=0x7fffebbd24e0, tvb=<optimized out>, offset=<optimized out>, hf_id=<optimized out>, value_stringx=value_stringx@entry=0x7ffff7adf3b0 <algorithm_id>) at packet-ber.c:4012
#6  0x00007ffff5536e8f in dissect_x509af_T_algorithmId (implicit_tag=<optimized out>, tvb=<optimized out>, offset=<optimized out>, actx=<optimized out>, tree=0x7fffebbd24e0, hf_index=<optimized out>) at ../../asn1/x509af/x509af.cnf:73
#7  0x00007ffff4d5faae in dissect_ber_sequence (implicit_tag=<optimized out>, actx=0x7fffffffca00, parent_tree=<optimized out>, tvb=0x1760450, offset=4, seq=seq@entry=0x7ffff6ac3600 <AlgorithmIdentifier_sequence>, hf_id=133724, ett_id=33761) at packet-ber.c:2285
#8  0x00007ffff5536af0 in dissect_x509af_AlgorithmIdentifier (implicit_tag=<optimized out>, tvb=<optimized out>, offset=<optimized out>, actx=<optimized out>, tree=<optimized out>, hf_index=<optimized out>) at ../../asn1/x509af/x509af.cnf:98
#9  0x00007ffff4d5faae in dissect_ber_sequence (implicit_tag=<optimized out>, actx=0x7fffffffca00, parent_tree=<optimized out>, tvb=0x1760630, offset=23, seq=0x7ffff6bdace0 <T_signedCertificate_sequence+64>, seq@entry=0x7ffff6bdaca0 <T_signedCertificate_sequence>, hf_id=133721, ett_id=33759) at packet-ber.c:2285
#10 0x00007ffff5536c30 in dissect_x509af_T_signedCertificate (implicit_tag=<optimized out>, tvb=<optimized out>, offset=<optimized out>, actx=<optimized out>, tree=<optimized out>, hf_index=<optimized out>) at ../../asn1/x509af/x509af.cnf:159
#11 0x00007ffff4d5faae in dissect_ber_sequence (implicit_tag=implicit_tag@entry=0, actx=actx@entry=0x7fffffffca00, parent_tree=parent_tree@entry=0x7fffebbd1e40, tvb=tvb@entry=0x17605e0, offset=109, seq=seq@entry=0x7ffff6bdac20 <Certificate_sequence>, hf_id=107353, ett_id=33758) at packet-ber.c:2285
#12 0x00007ffff5536bf0 in dissect_x509af_Certificate (implicit_tag=implicit_tag@entry=0, tvb=tvb@entry=0x17605e0, offset=<optimized out>, actx=actx@entry=0x7fffffffca00, tree=tree@entry=0x7fffebbd1e40, hf_index=<optimized out>) at ../../asn1/x509af/x509af.cnf:175
#13 0x00007ffff52d1236 in dissect_ssl3_hnd_cert (pinfo=0x197dcb8, offset=<optimized out>, tree=0x7fffebbd1a30, tvb=0x17605e0) at packet-ssl.c:3131
#14 dissect_ssl3_handshake (tvb=tvb@entry=0x17605e0, pinfo=pinfo@entry=0x197dcb8, tree=tree@entry=0x7fffebbd1620, offset=95, offset@entry=91, record_length=1453, record_length@entry=1362, conv_version=conv_version@entry=0x7fffeabc86f8, conv_cipher=conv_cipher@entry=0, ssl=ssl@entry=0x7fffeabc8480, content_type=content_type@entry=22 '\026') at packet-ssl.c:2110
#15 0x00007ffff52d2d5b in dissect_ssl3_record (tvb=tvb@entry=0x17605e0, pinfo=pinfo@entry=0x197dcb8, tree=tree@entry=0x7fffebbd0050, offset=91, offset@entry=86, conv_version=conv_version@entry=0x7fffeabc86f8, conv_cipher=conv_cipher@entry=0, need_desegmentation=need_desegmentation@entry=0x7fffffffcc2c, ssl=ssl@entry=0x7fffeabc8480, first_record_in_frame=first_record_in_frame@entry=0) at packet-ssl.c:1791
#16 0x00007ffff52d3725 in dissect_ssl (tvb=0x17605e0, pinfo=0x197dcb8, tree=<optimized out>) at packet-ssl.c:909
```

Then in frame 7, that global is used (I believe through a call to dissect_x509af_T_parameters, which is optimized out of the backtrace). At this point it still points to the old ep-allocated value from frame 2, which has been freed and is garbage.
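The lifetime mismatch the report describes, as an added example that is not part of the bug report or of Wireshark's source: a packet-scoped string is parked in a global that outlives the packet, and a later frame reads it after the per-packet arena has been reclaimed. The bump arena, the OID value and the reset-per-frame hardened variant are constructed stand-ins, not Wireshark's emem or its eventual fix.

```c
#include <string.h>

/* Toy stand-in for the old ep_* packet-scoped allocator: a bump arena that is
 * wiped after each packet, as emem_free_all() ran after each dissection pass.
 * The 0xAA scrub is constructed so reads of reclaimed memory become visible. */
static char ep_arena[256];
static size_t ep_used;

static void *ep_alloc0(size_t n) {
    void *p = ep_arena + ep_used;
    memset(p, 0, n);
    ep_used += n;
    return p;
}

static void ep_free_all(void) {
    memset(ep_arena, 0xAA, sizeof ep_arena - 1); /* everything from this packet dies */
    ep_arena[sizeof ep_arena - 1] = '\0';
    ep_used = 0;
}

/* The global the report describes: it outlives the per-packet memory it points to. */
static const char *algorithm_id;

/* Decoding an AlgorithmIdentifier: the OID string lives in the ep arena. */
static void dissect_algorithm_id(const char *oid) {
    char *s = ep_alloc0(strlen(oid) + 1);
    memcpy(s, oid, strlen(oid) + 1);
    algorithm_id = s;   /* packet-scoped pointer parked in a global */
}

/* Buggy sequence: frame 2 sets the global, frame 7 reads it after the arena
 * was reclaimed, i.e. the use-after-free valgrind flagged. */
const char *frame7_buggy(void) {
    dissect_algorithm_id("1.2.840.113549.1.1.5");  /* frame 2 (constructed OID) */
    ep_free_all();                                 /* frame 2 done: memory gone */
    return algorithm_id;                           /* frame 7: stale pointer */
}

/* Hardened (hypothetical) sequence: the global is cleared when each frame
 * starts and checked before use, so a frame without its own AlgorithmIdentifier
 * can never see another frame's reclaimed string. */
const char *frame7_safe(void) {
    algorithm_id = NULL;
    dissect_algorithm_id("1.2.840.113549.1.1.5");  /* frame 2 */
    ep_free_all();
    algorithm_id = NULL;                           /* frame 7 starts clean */
    return algorithm_id ? algorithm_id : "(no AlgorithmIdentifier in this frame)";
}
```

Under valgrind the real dissector reads the freed block; here the scrub byte plays that role, so the stale value is visibly garbage rather than silently the previous frame's OID.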