Bug ID | 12268
Summary | Stack exhaustion in xml GUI display
Product | Wireshark
Version | 2.0.2
Hardware | x86-64
OS | Windows 7
Status | UNCONFIRMED
Severity | Major
Priority | Low
Component | Dissection engine (libwireshark)
Assignee | [email protected]
Reporter | [email protected]
Created attachment 14423 [details]
poc file and windbg dmp file
Build Information:
Wireshark 2.0.1 (v2.0.1-0-g59ea380 from master-2.0)
Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.3.2, with WinPcap (4_1_3), with libz 1.2.8, with
GLib 2.42.0, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, with GnuTLS
3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with QtMultimedia,
with AirPcap.
Running on 64-bit Windows 7 Service Pack 1, build 7601, with locale C, with
WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version
1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15, with Gcrypt 1.6.2, without
AirPcap.
Intel(R) Xeon(R) CPU E5-2690 v2 @ 3.00GHz (with SSE4.2), with 6135MB of
physical memory.
Built using Microsoft Visual C++ 12.0 build 31101
--
There exists a stack exhaustion vulnerability in libwireshark.dll, which is
caused by deep recursive calls in the proto_tree_traverse_post_order function.
gboolean proto_tree_traverse_post_order(proto_tree *tree,
    proto_tree_traverse_func func, gpointer data)
{
    proto_node *pnode = tree;
    proto_node *child;
    proto_node *current;

    child = pnode->first_child;
    while (child != NULL) {
        /*
         * The routine we call might modify the child, e.g. by
         * freeing it, so we get the child's successor before
         * calling that routine.
         */
        current = child;
        child = current->next;
        if (proto_tree_traverse_post_order((proto_tree *)current, func, data))
            return TRUE;
    }
    if (func(pnode, data))
        return TRUE;
    return FALSE;
}
When opening the crafted poc file and clicking the final http 200 packet, the
vulnerability will be triggered. The application will crash.
I have tested this problem in 2.0.1 and 2.0.2.
But the legacy version seems not to be affected.
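
An added illustration, not part of the report and not Wireshark's code: the same post-order walk written without recursion, so stack use stays constant however deep the tree is. The `node` struct (which assumes each node keeps a `parent` link), `traverse_post_order_iter`, `count_and_free` and `visit_chain` are hypothetical names, and the deep chain is constructed input.

```c
#include <stdlib.h>

/* Hypothetical minimal node, not Wireshark's proto_node definition. */
typedef struct node { struct node *parent, *first_child, *next; } node;

static node *descend(node *n)
{
    while (n->first_child != NULL) n = n->first_child;
    return n;
}

/* Post-order walk with no recursion; returns 1 if func asked to stop. */
int traverse_post_order_iter(node *root, int (*func)(node *, void *), void *data)
{
    node *cur = root ? descend(root) : NULL;
    while (cur != NULL) {
        /* func may free cur, so read its links before calling it. */
        node *next = cur->next, *parent = cur->parent;
        int is_root = (cur == root);
        if (func(cur, data)) return 1;
        if (is_root) break;
        cur = next ? descend(next) : parent;
    }
    return 0;
}

static int count_and_free(node *n, void *data)
{
    ++*(size_t *)data;
    free(n);
    return 0;
}

/* Constructed input: one chain 'depth' nodes deep, freed during the walk. */
size_t visit_chain(size_t depth)
{
    node *root = NULL;
    size_t visited = 0;
    for (size_t i = 0; i < depth; i++) {
        node *n = calloc(1, sizeof *n);
        if (n == NULL) abort();
        n->first_child = root;
        if (root) root->parent = n;
        root = n;
    }
    traverse_post_order_iter(root, count_and_free, &visited);
    return visited;
}

int main(void) { return visit_chain(1000000) == 1000000 ? 0 : 1; }
```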