[Wireshark-bugs] [Bug 12662] New: Fuzzed PCAP causing segmentation fault in diss

Date: Mon, 25 Jul 2016 07:33:34 +0000
Bug ID: 12662
Summary: Fuzzed PCAP causing segmentation fault in dissect_ldss_transfer
Product: Wireshark
Version: 2.0.2
Hardware: x86
OS: Windows 7
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Created attachment 14760: Sample PCAP

Build Information:
TShark (Wireshark) 2.0.2 (SVN Rev Unknown from unknown)

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.48.0, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos, with GeoIP.

Running on Linux 4.4.0-22-generic, with locale en_GB.UTF-8, with libpcap version
1.7.4, with libz 1.2.8, with GnuTLS 3.4.10, with Gcrypt 1.6.5.
Intel Core Processor (Haswell) (with SSE4.2)

Built using gcc 5.3.1 20160407.
--
Fuzzed PCAP causes segmentation fault on tshark 2.0.2 and a recent build from
repository (commit 688d055acd523e645c1e87267dcf4a0a9867adbd).

ASAN output from 'tshark -2 -V -r <pcap>':

ASAN:SIGSEGV
=================================================================
==14033==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc
0x7f7a7ba93fec bp 0x7fff425eab60 sp 0x7fff425ea200 T0)
    #0 0x7f7a7ba93feb in dissect_ldss_transfer
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ldss.c:507
    #1 0x7f7a7b3ac92e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #2 0x7f7a7b3ac92e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #3 0x7f7a7b38e764 in try_conversation_dissector
/workarea/fuzz/victimlibs2/wireshark/epan/conversation.c:1323
    #4 0x7f7a7bef5025 in decode_tcp_ports
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-tcp.c:4994
    #5 0x7f7a7bef5934 in process_tcp_payload
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-tcp.c:5098
    #6 0x7f7a7bef63d0 in dissect_tcp_payload
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-tcp.c:5179
    #7 0x7f7a7befaa60 in dissect_tcp
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-tcp.c:6036
    #8 0x7f7a7b3ac92e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #9 0x7f7a7b3ac92e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #10 0x7f7a7b3ad707 in dissector_try_uint_new
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #11 0x7f7a7b9b5ec3 in ip_try_dissect
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ip.c:1976
    #12 0x7f7a7b9b8038 in dissect_ip_v4
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ip.c:2439
    #13 0x7f7a7b3ac92e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #14 0x7f7a7b3ac92e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #15 0x7f7a7b3ad707 in dissector_try_uint_new
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #16 0x7f7a7b3ad7a0 in dissector_try_uint
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1213
    #17 0x7f7a7b811978 in dissect_ethertype
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ethertype.c:262
    #18 0x7f7a7b3ac92e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #19 0x7f7a7b3ac92e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #20 0x7f7a7b3afd41 in call_dissector_with_data
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #21 0x7f7a7b80f772 in dissect_eth_common
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-eth.c:539
    #22 0x7f7a7b810822 in dissect_eth
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-eth.c:803
    #23 0x7f7a7b3ac92e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #24 0x7f7a7b3ac92e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #25 0x7f7a7b3ad707 in dissector_try_uint_new
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #26 0x7f7a7b85b185 in dissect_frame
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-frame.c:507
    #27 0x7f7a7b3ac92e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #28 0x7f7a7b3ac92e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #29 0x7f7a7b3afd41 in call_dissector_with_data
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #30 0x7f7a7b3b0cb3 in dissect_record
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:531
    #31 0x7f7a7b397f83 in epan_dissect_run_with_taps
/workarea/fuzz/victimlibs2/wireshark/epan/epan.c:378
    #32 0x41129f in process_packet_second_pass
/workarea/fuzz/victimlibs2/wireshark/tshark.c:2777
    #33 0x41129f in load_cap_file
/workarea/fuzz/victimlibs2/wireshark/tshark.c:3044
    #34 0x41129f in main /workarea/fuzz/victimlibs2/wireshark/tshark.c:1873
    #35 0x7f7a744fa82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #36 0x412608 in _start (/workarea/fuzz/bin/shark/tshark+0x412608)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ldss.c:507
dissect_ldss_transfer
==14033==ABORTING
