Wireshark-bugs: [Wireshark-bugs] [Bug 11518] New: Possible problems with fragment_add and zero-l
Date: Thu, 10 Sep 2015 15:38:09 +0000
Bug ID | 11518 |
---|---|
Summary | Possible problems with fragment_add and zero-lengths fragment data lengths |
Product | Wireshark |
Version | Git |
Hardware | All |
OS | All |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | Dissection engine (libwireshark) |
Assignee | [email protected] |
Reporter | [email protected] |
Build Information:

```
TShark (Wireshark) 1.99.10 (v1.99.10rc0-78-g61f07f1 from master)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.44.1, without SMI, without c-ares, without ADNS,
with Lua 5.2, with GnuTLS 3.4.4, with Gcrypt 1.6.3, with MIT Kerberos, with GeoIP.

Running on Linux 4.1.6-1-ARCH, with locale en_GB.UTF-8, with libpcap version
1.7.4, with libz 1.2.8, with GnuTLS 3.4.4, with Gcrypt 1.6.3.
Intel(R) Core(TM) i5 CPU M 560 @ 2.67GHz (with SSE4.2)

Built using gcc 5.2.0.
```

--

Frame 7488 from bug 10605 triggers addition of a zero-length fragment in the IP dissector (because iph->ip_len - hlen is zero in the IP dissector):

```c
if (ip_defragment && (iph->ip_off & (IP_MF|IP_OFFSET)) &&
    tvb_bytes_exist(tvb, offset, iph->ip_len - hlen) &&
    ipsum == 0) {
    ipfd_head = fragment_add_check(&ip_reassembly_table, tvb, offset, pinfo,
                                   iph->ip_p ^ iph->ip_id ^ src32 ^ dst32, NULL,
                                   (iph->ip_off & IP_OFFSET) * 8,
                                   iph->ip_len - hlen,
                                   iph->ip_off & IP_MF);
    next_tvb = process_reassembled_data(tvb, offset, pinfo, "Reassembled IPv4",
                                        ipfd_head, &ip_frag_items,
                                        &update_col_info, ip_tree);
```

A backtrace can be found at the end of this description. This report looks like https://code.wireshark.org/review/9689 and it probably occurs at other places as well.

At a quick glance, I am not sure how this situation should be handled. What should this API do for zero-length packets? Ignore it, DISSECTOR_ASSERT or something else? The documentation is not clear on this.
```
epan/tvbuff.c:783:10: runtime error: null pointer passed as argument 1, which is declared to never be null
    #0 0x7f87436d4108 in tvb_memcpy epan/tvbuff.c:783
    #1 0x7f87436d432d in tvb_generic_clone_offset_len epan/tvbuff.c:392
    #2 0x7f87436d443e in tvb_clone_offset_len epan/tvbuff.c:411
    #3 0x7f87436ddabb in subset_clone epan/tvbuff_subset.c:94
    #4 0x7f87436d442b in tvb_clone_offset_len epan/tvbuff.c:406
    #5 0x7f87436ddabb in subset_clone epan/tvbuff_subset.c:94
    #6 0x7f87436d442b in tvb_clone_offset_len epan/tvbuff.c:406
    #7 0x7f87436ddabb in subset_clone epan/tvbuff_subset.c:94
    #8 0x7f87436d442b in tvb_clone_offset_len epan/tvbuff.c:406
    #9 0x7f87436ddabb in subset_clone epan/tvbuff_subset.c:94
    #10 0x7f87436d442b in tvb_clone_offset_len epan/tvbuff.c:406
    #11 0x7f87436ddabb in subset_clone epan/tvbuff_subset.c:94
    #12 0x7f87436d442b in tvb_clone_offset_len epan/tvbuff.c:406
    #13 0x7f87436ddabb in subset_clone epan/tvbuff_subset.c:94
    #14 0x7f87436d442b in tvb_clone_offset_len epan/tvbuff.c:406
    #15 0x7f87436a36df in fragment_add_work epan/reassemble.c:1022
    #16 0x7f87436a60dd in fragment_add_check epan/reassemble.c:1457
    #17 0x7f8743de367b in dissect_ip_v4 epan/dissectors/packet-ip.c:2397
    #18 0x7f8743de3dab in dissect_ip epan/dissectors/packet-ip.c:2481
    #19 0x7f874363fc6f in call_dissector_through_handle epan/packet.c:620
    #20 0x7f8743640e0c in call_dissector_work epan/packet.c:706
    #21 0x7f87436467af in call_dissector_only epan/packet.c:2570
    #22 0x7f87436467ca in call_dissector_with_data epan/packet.c:2583
    #23 0x7f874364871b in call_dissector epan/packet.c:2600
    #24 0x7f87443d18e4 in dissect_sndcp epan/dissectors/packet-sndcp.c:310
    #25 0x7f874363fc6f in call_dissector_through_handle epan/packet.c:620
    #26 0x7f8743640e0c in call_dissector_work epan/packet.c:706
    #27 0x7f87436424de in dissector_try_uint_new epan/packet.c:1163
    #28 0x7f8743642566 in dissector_try_uint epan/packet.c:1189
    #29 0x7f8743c75b4b in dissect_llcgprs epan/dissectors/packet-gprs-llc.c:996
    #30 0x7f874363fc6f in call_dissector_through_handle epan/packet.c:620
    #31 0x7f8743640e0c in call_dissector_work epan/packet.c:706
    #32 0x7f87436467af in call_dissector_only epan/packet.c:2570
    #33 0x7f87436467ca in call_dissector_with_data epan/packet.c:2583
    #34 0x7f874364871b in call_dissector epan/packet.c:2600
    #35 0x7f8743927ccb in de_bssgp_llc_pdu epan/dissectors/packet-bssgp.c:943
    #36 0x7f8743c8e8de in elem_telv epan/dissectors/packet-gsm_a_common.c:1399
    #37 0x7f87439318ec in bssgp_ul_unitdata epan/dissectors/packet-bssgp.c:4047
    #38 0x7f8743930fff in dissect_bssgp epan/dissectors/packet-bssgp.c:6444
    #39 0x7f874363fc6f in call_dissector_through_handle epan/packet.c:620
    #40 0x7f8743640e0c in call_dissector_work epan/packet.c:706
    #41 0x7f87436467af in call_dissector_only epan/packet.c:2570
    #42 0x7f87436467ca in call_dissector_with_data epan/packet.c:2583
    #43 0x7f874364871b in call_dissector epan/packet.c:2600
    #44 0x7f87440afa67 in decode_pdu_ns_unitdata epan/dissectors/packet-nsip.c:700
    #45 0x7f87440b04f8 in decode_pdu epan/dissectors/packet-nsip.c:872
    #46 0x7f87440b089a in dissect_nsip epan/dissectors/packet-nsip.c:959
    #47 0x7f874363fc6f in call_dissector_through_handle epan/packet.c:620
    #48 0x7f8743640e0c in call_dissector_work epan/packet.c:706
    #49 0x7f87436424de in dissector_try_uint_new epan/packet.c:1163
    #50 0x7f8743642566 in dissector_try_uint epan/packet.c:1189
    #51 0x7f874449bf97 in decode_udp_ports epan/dissectors/packet-udp.c:542
    #52 0x7f87444a079d in dissect epan/dissectors/packet-udp.c:1018
    #53 0x7f87444a0845 in dissect_udp epan/dissectors/packet-udp.c:1025
    #54 0x7f874363fc6f in call_dissector_through_handle epan/packet.c:620
    #55 0x7f8743640e0c in call_dissector_work epan/packet.c:706
    #56 0x7f87436424de in dissector_try_uint_new epan/packet.c:1163
    #57 0x7f8743ddfb14 in ip_try_dissect epan/dissectors/packet-ip.c:1972
    #58 0x7f8743de3bc4 in dissect_ip_v4 epan/dissectors/packet-ip.c:2459
    #59 0x7f8743de3dab in dissect_ip epan/dissectors/packet-ip.c:2481
    #60 0x7f874363fc6f in call_dissector_through_handle epan/packet.c:620
    #61 0x7f8743640e0c in call_dissector_work epan/packet.c:706
    #62 0x7f87436467af in call_dissector_only epan/packet.c:2570
    #63 0x7f87436467ca in call_dissector_with_data epan/packet.c:2583
    #64 0x7f874364871b in call_dissector epan/packet.c:2600
    #65 0x7f87441ab426 in dissect_raw epan/dissectors/packet-raw.c:149
    #66 0x7f874363fc6f in call_dissector_through_handle epan/packet.c:620
    #67 0x7f8743640e0c in call_dissector_work epan/packet.c:706
    #68 0x7f87436424de in dissector_try_uint_new epan/packet.c:1163
    #69 0x7f8743c42044 in dissect_frame epan/dissectors/packet-frame.c:499
    #70 0x7f874363fc2c in call_dissector_through_handle epan/packet.c:618
    #71 0x7f8743640e0c in call_dissector_work epan/packet.c:706
    #72 0x7f87436467af in call_dissector_only epan/packet.c:2570
    #73 0x7f87436467ca in call_dissector_with_data epan/packet.c:2583
    #74 0x7f8743647520 in dissect_record epan/packet.c:498
    #75 0x7f8743617a63 in epan_dissect_run_with_taps epan/epan.c:345
    #76 0x4168a9 in process_packet tshark.c:3719
    #77 0x418484 in load_cap_file tshark.c:3475
    #78 0x41d337 in main tshark.c:2200
    #79 0x7f873a91d60f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #80 0x40a9b8 in _start (/tmp/wsbuild/run/tshark+0x40a9b8)
```
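The report above boils down to one question: what happens when a fragment of length zero reaches the reassembly code before anyone decides whether it carries data at all. The following is an added example, written for this page and not taken from Wireshark's reassemble.c or packet-ip.c, of a minimal IPv4-style fragment accumulator that takes that decision first. The names `reasm_buf`, `frag_add` and the `FRAG_*` statuses are hypothetical; the fragment inputs (an 8-byte first fragment, an empty fragment with MF set standing in for frame 7488, a 4-byte final fragment) are constructed for the demonstration. The point it shows is the one the UBSan trace makes: for an empty fragment the payload pointer may legitimately be NULL, so the length check has to come before any `memcpy` or clone of the payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Wireshark code): hypothetical fragment accumulator that
 * rejects or ignores zero-length fragments before touching their payload. */

#define REASM_MAX 1500   /* fixed reassembly buffer; real code allocates per datagram */

enum frag_status {
    FRAG_ADDED,          /* fragment stored, datagram not yet complete */
    FRAG_COMPLETE,       /* every byte up to the final fragment is present */
    FRAG_IGNORED_EMPTY,  /* zero-length non-final fragment: nothing to store */
    FRAG_REJECTED        /* NULL payload or offset/length outside the buffer */
};

struct reasm_buf {
    uint8_t data[REASM_MAX];
    uint8_t have[REASM_MAX];  /* 1 where a byte has been received */
    size_t  total_len;        /* set by the final fragment (MF clear); 0 = unknown */
};

static int reasm_complete(const struct reasm_buf *rb)
{
    if (rb->total_len == 0)
        return 0;
    for (size_t i = 0; i < rb->total_len; i++)
        if (!rb->have[i])
            return 0;
    return 1;
}

/* frag_len is the IP payload length (ip_len - hlen), frag_offset_units the
 * 13-bit fragment offset in 8-byte units, more_frags the MF flag. */
static enum frag_status frag_add(struct reasm_buf *rb, const uint8_t *payload,
                                 size_t frag_len, unsigned frag_offset_units,
                                 int more_frags)
{
    size_t off = (size_t)frag_offset_units * 8;

    /* Zero-length fragment: decide here, before 'payload' is dereferenced.
     * memcpy(dst, NULL, 0) is what UBSan reports in the trace above. */
    if (frag_len == 0) {
        if (!more_frags) {
            if (off > REASM_MAX)
                return FRAG_REJECTED;
            rb->total_len = off;   /* an empty final fragment still fixes the length */
            return reasm_complete(rb) ? FRAG_COMPLETE : FRAG_ADDED;
        }
        return FRAG_IGNORED_EMPTY;
    }

    if (payload == NULL || off > REASM_MAX || frag_len > REASM_MAX - off)
        return FRAG_REJECTED;
    if (rb->total_len != 0 && off + frag_len > rb->total_len)
        return FRAG_REJECTED;

    memcpy(rb->data + off, payload, frag_len);   /* frag_len > 0, payload non-NULL */
    memset(rb->have + off, 1, frag_len);
    if (!more_frags)
        rb->total_len = off + frag_len;
    return reasm_complete(rb) ? FRAG_COMPLETE : FRAG_ADDED;
}

/* Replays the shape of the report with constructed fragments: a normal first
 * fragment, a zero-length fragment with MF set, then the final fragment.
 * Returns the reassembled length, or 0 on an unexpected status or payload. */
static size_t demo_zero_length_fragment(void)
{
    static const uint8_t first[8] = {'A','B','C','D','E','F','G','H'};
    static const uint8_t last[4]  = {'I','J','K','L'};
    struct reasm_buf rb;
    memset(&rb, 0, sizeof rb);

    if (frag_add(&rb, first, sizeof first, 0, 1) != FRAG_ADDED)
        return 0;
    if (frag_add(&rb, NULL, 0, 1, 1) != FRAG_IGNORED_EMPTY)   /* the problem case */
        return 0;
    if (frag_add(&rb, last, sizeof last, 1, 0) != FRAG_COMPLETE)
        return 0;
    if (memcmp(rb.data, "ABCDEFGHIJKL", rb.total_len) != 0)
        return 0;
    return rb.total_len;
}

/* A fragment whose offset lies past the buffer is refused, not copied. */
static enum frag_status demo_oversized_offset(void)
{
    static const uint8_t junk[8] = {0};
    struct reasm_buf rb;
    memset(&rb, 0, sizeof rb);
    return frag_add(&rb, junk, sizeof junk, 8191, 1);   /* 8191 * 8 = 65528 > REASM_MAX */
}

int main(void)
{
    printf("reassembled %zu bytes\n", demo_zero_length_fragment());
    printf("oversized offset -> %s\n",
           demo_oversized_offset() == FRAG_REJECTED ? "rejected" : "accepted");
    return 0;
}
```

The accumulator answers the reporter's question one way (ignore an empty non-final fragment, but still let an empty final fragment fix the datagram length); the design choice that matters for the bug is only that the `frag_len == 0` branch runs before any pointer is used, so the caller's `tvb_bytes_exist(tvb, offset, 0)` passing is no longer enough to reach a copy.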