Wireshark-bugs: [Wireshark-bugs] [Bug 12665] New: Fuzzed PCAP causing segmentation fault in ssl_

Date: Mon, 25 Jul 2016 07:46:57 +0000
Bug ID 12665
Summary Fuzzed PCAP causing segmentation fault in ssl_decrypt_record
Product Wireshark
Version Git
Hardware x86
OS Ubuntu
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 14763
Sample PCAP

Build Information:
commit 688d055acd523e645c1e87267dcf4a0a9867adbd
Author: Martin Kaiser <[email protected]>
Date:   Sun Jul 24 18:43:14 2016 +0200

--
Fuzzed PCAP causes segmentation fault on a recent build from repository.

ASAN output from 'tshark -2 -V -r <pcap>':
ASAN:SIGSEGV
=================================================================
==22261==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000004f (pc 0x7f9c60be7b80 bp 0x61d00015411a sp 0x7ffdb87c5688 T0)
    #0 0x7f9c60be7b7f  (/lib/x86_64-linux-gnu/libgcrypt.so.20+0x14b7f)
    #1 0x7f9c60bdc9c5 in gcry_cipher_setiv (/lib/x86_64-linux-gnu/libgcrypt.so.20+0x99c5)
    #2 0x7f9c68eb48d2 in ssl_decrypt_record /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ssl-utils.c:3505
    #3 0x7f9c687b54ab in decrypt_dtls_record /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-dtls.c:597
    #4 0x7f9c687b6c6c in dissect_dtls_record /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-dtls.c:805
    #5 0x7f9c687b7bdb in dissect_dtls /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-dtls.c:428
    #6 0x7f9c683a492e in call_dissector_through_handle /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #7 0x7f9c683a492e in call_dissector_work /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #8 0x7f9c683a7d41 in call_dissector_with_data /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #9 0x7f9c686409a3 in dissect_capwap_control /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-capwap.c:3237
    #10 0x7f9c683a492e in call_dissector_through_handle /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #11 0x7f9c683a492e in call_dissector_work /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #12 0x7f9c683a5707 in dissector_try_uint_new /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #13 0x7f9c683a57a0 in dissector_try_uint /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1213
    #14 0x7f9c68f4046e in decode_udp_ports /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-udp.c:578
    #15 0x7f9c68f41936 in dissect /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-udp.c:1028
    #16 0x7f9c68f42aad in dissect_udp /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-udp.c:1034
    #17 0x7f9c683a492e in call_dissector_through_handle /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #18 0x7f9c683a492e in call_dissector_work /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #19 0x7f9c683a5707 in dissector_try_uint_new /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #20 0x7f9c689adec3 in ip_try_dissect /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ip.c:1976
    #21 0x7f9c689b0038 in dissect_ip_v4 /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ip.c:2439
    #22 0x7f9c683a492e in call_dissector_through_handle /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #23 0x7f9c683a492e in call_dissector_work /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #24 0x7f9c683a5707 in dissector_try_uint_new /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #25 0x7f9c683a57a0 in dissector_try_uint /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1213
    #26 0x7f9c68809978 in dissect_ethertype /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ethertype.c:262
    #27 0x7f9c683a492e in call_dissector_through_handle /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #28 0x7f9c683a492e in call_dissector_work /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #29 0x7f9c683a7d41 in call_dissector_with_data /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #30 0x7f9c68807772 in dissect_eth_common /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-eth.c:539
    #31 0x7f9c68808822 in dissect_eth /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-eth.c:803
    #32 0x7f9c683a492e in call_dissector_through_handle /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #33 0x7f9c683a492e in call_dissector_work /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #34 0x7f9c683a5707 in dissector_try_uint_new /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #35 0x7f9c68853185 in dissect_frame /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-frame.c:507
    #36 0x7f9c683a492e in call_dissector_through_handle /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #37 0x7f9c683a492e in call_dissector_work /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #38 0x7f9c683a7d41 in call_dissector_with_data /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #39 0x7f9c683a8cb3 in dissect_record /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:531
    #40 0x7f9c6838ff2b in epan_dissect_run /workarea/fuzz/victimlibs2/wireshark/epan/epan.c:365
    #41 0x410ea3 in process_packet_first_pass /workarea/fuzz/victimlibs2/wireshark/tshark.c:2694
    #42 0x410ea3 in load_cap_file /workarea/fuzz/victimlibs2/wireshark/tshark.c:2987
    #43 0x410ea3 in main /workarea/fuzz/victimlibs2/wireshark/tshark.c:1873
    #44 0x7f9c614f282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #45 0x412608 in _start (/workarea/fuzz/bin/shark/tshark+0x412608)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==22261==ABORTING
