Wireshark-bugs: [Wireshark-bugs] [Bug 10849] New: Buffer overrun in encryption code

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Mon, 12 Jan 2015 15:27:37 +0000
Bug ID 10849
Summary Buffer overrun in encryption code
Product Wireshark
Version Git
Hardware All
OS All
Status UNCONFIRMED
Severity Major
Priority High
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected] 

Created attachment 13384 [details]
Patch to help trigger crash easily

Build Information:
Version 1.99.2 (v1.99.2rc0-621-g27061d8 from unknown)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.24.23, with Cairo 1.10.2, with Pango 1.34.0, with
WinPcap (4_1_3), with libz 1.2.5, with GLib 2.38.0, with SMI 0.4.8, with c-ares
1.9.1, with Lua 5.2, with GnuTLS 3.2.15, with Gcrypt 1.6.2, with MIT Kerberos,
with GeoIP, with PortAudio V19-devel (built Jan 11 2015), with AirPcap.

Running on Windows XP Service Pack 3, build 2600, with locale English_United
States.1252, with WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based
on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15, with
Gcrypt 1.6.2, without AirPcap.
Intel(R) Core(TM) i7-4700MQ CPU @ 2.40GHz (with SSE4.2), with 2047MB of
physical
memory.


Built using Microsoft Visual C++ 10.0 build 40219

--
Someone more familiar with the code can probably come up with a better summary,
but I'll just explain what I'm seeing.

I was trying to clean up the remaining se_alloc calls (patch attached).  While
testing, I noticed a buffer overrun in AirPDcapRsnaPrfX().  The calling
function, AirPDcapRsna4WHandshake, passes sa->wpa.ptk as the last parameter
into AirPDcapRsnaPrfX.  sa->wpa.ptk has a size of 64 bytes.

At the end of AirPDcapRsnaPrfX, it's "computing the PTK"? with the ptk buffer
being incremented by 20 bytes each time the loop executes.  With my test
capture, the loop executes 4 times, so that will occupy 80 bytes, corrupting
the next sa element in the array.

The test file is from "Wireshark 101" files, attached here for convenience.

I believe my patch is correct, but I wasn't going to submit it to Gerrit until
this issue is resolved.  The patch triggers a crash because it identifies a
pointer to be freed (because it's not NULL), when it fact its just the memory 
corruption caused by AirPDcapRsnaPrfX.

You are receiving this mail because:
  • You are watching all bug changes.