Wireshark-bugs: [Wireshark-bugs] [Bug 1823] New: crash on fuzzed capture in RTSE dissector
From:
bugzilla-daemon@xxxxxxxxxxxxx
Date: Wed, 5 Sep 2007 01:09:52 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1823
Summary: crash on fuzzed capture in RTSE dissector
Product: Wireshark
Version: SVN
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Critical
Priority: High
Component: TShark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: jeff.morriss@xxxxxxxxxxx
Build Information:
TShark 0.99.7 (SVN Rev 22791)
Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.12.9, with libpcap 0.9.4, with libz 1.2.3, without
libpcre,
without SMI, without ADNS, without Lua, with GnuTLS 1.4.1, with Gcrypt 1.2.3,
with MIT Kerberos.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.
Running on Linux 2.6.22.2-42.fc6, with libpcap version 0.9.4.
Built using gcc 4.1.2 20070626 (Red Hat 4.1.2-13).
--
I got a crash on a fuzzed file from the Wiki SampleCaptures:
../caps/SampleCaptures/p772-transfer-success.pcap.gz: tools/fuzz-test.sh:
line 108: 1870 Segmentation fault (core dumped) "$TSHARK" $TSHARK_ARGS
$TMP_DIR/$TMP_FILE >/dev/null 2>$TMP_DIR/$ERR_FILE
The backtrace is:
#0 0x0117c5ce in dissect_indirect_reference (tree=0xa4ba750, tvb=0xa3d5ea8,
offset=0,
actx=0xbfdd8fc0) at rtse.cnf:125
#1 0x00b484b0 in dissect_ber_old_sequence (implicit_tag=1, actx=0xbfdd8fc0,
parent_tree=0xa4ba750, tvb=0xa4bc5a8, offset=dwarf2_read_address: Corrupted
DWARF expression.
) at packet-ber.c:1914
#2 0x0117b93a in dissect_rtse_EXTERNALt (implicit_tag=0, tvb=0xa4bc5a8,
offset=0,
actx=0xbfdd8fc0, tree=0xa4ba750, hf_index=-1) at rtse.cnf:111
#3 0x0117bb97 in dissect_rtse (tvb=0xa4bc570, pinfo=0xa4b15e0,
parent_tree=0xa4b18d0)
at packet-rtse-template.c:257
#4 0x00a74a68 in call_dissector_through_handle (handle=0xa2db768,
tvb=0xa4bc570, pinfo=0xa4b15e0,
tree=0xa4b18d0) at packet.c:396
#5 0x00a74d37 in call_dissector_work (handle=0xa2db768, tvb=0xa4bc570,
pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF
expression.
) at packet.c:574
#6 0x00a754e3 in dissector_try_string (sub_dissectors=0x9f9ece8,
string=0xb5e8b2e8 "2.6.0.2.12",
tvb=0xa4bc570, pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:1093
#7 0x00b4a7b7 in call_ber_oid_callback (oid=0xb5e8b2e8 "2.6.0.2.12",
tvb=0xa4bc6a8, offset=0,
pinfo=0xa4b15e0, tree=0xa4b18d0) at packet-ber.c:579
#8 0x010c31a2 in dissect_pres (tvb=0xa4bc6a8, pinfo=0xa4b15e0,
parent_tree=0xa4b18d0)
at packet-pres-template.c:275
#9 0x00a74a68 in call_dissector_through_handle (handle=0xa1b2ae8,
tvb=0xa4bc6a8, pinfo=0xa4b15e0,
tree=0xa4b18d0) at packet.c:396
#10 0x00a74d37 in call_dissector_work (handle=0xa1b2ae8, tvb=0xa4bc6a8,
pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF
expression.
) at packet.c:574
#11 0x00a751f4 in call_dissector (handle=0x0, tvb=0xa4bc6a8, pinfo=0xa4b15e0,
tree=0xa4b18d0)
at packet.c:1750
#12 0x00e9aeec in dissect_spdu (tvb=0xa4bc670, offset=<value optimized out>,
pinfo=0xa4b15e0,
tree=0xa4b18d0, tokens=0) at packet-ses.c:1072
#13 0x00e9b120 in dissect_ses (tvb=0xa4bc670, pinfo=0xa4b15e0, tree=0xa4b18d0)
at packet-ses.c:1118
#14 0x00e9b283 in dissect_ses_heur (tvb=0xa4bc670, pinfo=0xa4b15e0,
parent_tree=0xa4b18d0)
at packet-ses.c:1853
#15 0x00a74b46 in dissector_try_heuristic (sub_dissectors=0xa3fd860,
tvb=0xa4bc670,
pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:1571
#16 0x00b97b2d in ositp_decode_DT (tvb=0xa4bc638, offset=<value optimized out>,
li=<value optimized out>, tpdu=15 '\017', pinfo=0xa4b15e0, tree=0xa4b18d0,
uses_inactive_subset=0, subdissector_found=0xbfdd978c) at
packet-clnp.c:1095
#17 0x00b985dc in dissect_ositp_internal (tvb=0xa4bc638, pinfo=0xa4b15e0,
tree=0xa4b18d0,
uses_inactive_subset=0) at packet-clnp.c:1775
#18 0x00b9a003 in dissect_ositp (tvb=0xa4bc638, pinfo=0xa4b15e0,
tree=0xa4b18d0)
at packet-clnp.c:1830
#19 0x00a74a68 in call_dissector_through_handle (handle=0x9fc96e8,
tvb=0xa4bc638, pinfo=0xa4b15e0,
tree=0xa4b18d0) at packet.c:396
#20 0x00a74d37 in call_dissector_work (handle=0x9fc96e8, tvb=0xa4bc638,
pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF
expression.
) at packet.c:574
#21 0x00a751f4 in call_dissector (handle=0x0, tvb=0xa4bc638, pinfo=0xa4b15e0,
tree=0xa4b18d0)
at packet.c:1750
#22 0x00f35629 in dissect_tpkt_encap (tvb=0xa4bc840, pinfo=0xa4b15e0,
tree=0xa4b18d0, desegment=1,
subdissector_handle=0x9fc96e8) at packet-tpkt.c:302
#23 0x00f357af in dissect_tpkt (tvb=0xa4bc840, pinfo=0xa4b15e0, tree=0xa4b18d0)
at packet-tpkt.c:327
#24 0x00a74a68 in call_dissector_through_handle (handle=0xa43f838,
tvb=0xa4bc840, pinfo=0xa4b15e0,
tree=0xa4b18d0) at packet.c:396
---Type <return> to continue, or q <return> to quit---
#25 0x00a74d37 in call_dissector_work (handle=0xa43f838, tvb=0xa4bc840,
pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF
expression.
) at packet.c:574
#26 0x00a755e3 in dissector_try_port (sub_dissectors=0xa3114a8, port=102,
tvb=0xa4bc840,
pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:850
#27 0x00f22830 in decode_tcp_ports (tvb=0xa4bc808, offset=20, pinfo=0xa4b15e0,
tree=0xa4b18d0,
src_port=2289, dst_port=102, tcpd=0xb5e8af28) at packet-tcp.c:2270
#28 0x00f22ae6 in process_tcp_payload (tvb=0xa4bc808, offset=20,
pinfo=0xa4b15e0, tree=0xa4b18d0,
tcp_tree=0xa4b1d98, src_port=2289, dst_port=102, seq=250, nxtseq=1092,
is_tcp_segment=1,
tcpd=0xb5e8af28) at packet-tcp.c:2329
#29 0x00f231a3 in dissect_tcp_payload (tvb=0xa4bc808, pinfo=0xa4b15e0,
offset=20, seq=250,
nxtseq=1092, sport=2289, dport=102, tree=0xa4b18d0, tcp_tree=0xa4b1d98,
tcpd=0xb5e8af28)
at packet-tcp.c:2405
#30 0x00f2538d in dissect_tcp (tvb=0xa4bc808, pinfo=0xa4b15e0, tree=0xa4b18d0)
at packet-tcp.c:2999
#31 0x00a74a68 in call_dissector_through_handle (handle=0xa43eeb0,
tvb=0xa4bc808, pinfo=0xa4b15e0,
tree=0xa4b18d0) at packet.c:396
#32 0x00a74d37 in call_dissector_work (handle=0xa43eeb0, tvb=0xa4bc808,
pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF
expression.
) at packet.c:574
#33 0x00a755e3 in dissector_try_port (sub_dissectors=0xa0ffce8, port=6,
tvb=0xa4bc808,
pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:850
#34 0x00cff657 in dissect_ip (tvb=0xa4bc788, pinfo=0xa4b15e0,
parent_tree=0xa4b18d0)
at packet-ip.c:1547
#35 0x00a74a68 in call_dissector_through_handle (handle=0xa107d30,
tvb=0xa4bc788, pinfo=0xa4b15e0,
tree=0xa4b18d0) at packet.c:396
#36 0x00a74d37 in call_dissector_work (handle=0xa107d30, tvb=0xa4bc788,
pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF
expression.
) at packet.c:574
#37 0x00a755e3 in dissector_try_port (sub_dissectors=0xa0a0a60, port=2048,
tvb=0xa4bc788,
pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:850
#38 0x00c4e122 in ethertype (etype=2048, tvb=0xa3d5f18, offset_after_etype=14,
pinfo=0xa4b15e0,
tree=0xa4b18d0, fh_tree=0xa4b1840, etype_id=12717, trailer_id=12719,
fcs_len=-1)
at packet-ethertype.c:211
#39 0x00c4aef2 in dissect_eth_common (tvb=0xa3d5f18, pinfo=0xa4b15e0,
parent_tree=0xa4b18d0,
fcs_len=-1) at packet-eth.c:344
#40 0x00a74a68 in call_dissector_through_handle (handle=0xa3fa280,
tvb=0xa3d5f18, pinfo=0xa4b15e0,
tree=0xa4b18d0) at packet.c:396
#41 0x00a74d37 in call_dissector_work (handle=0xa3fa280, tvb=0xa3d5f18,
pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF
expression.
) at packet.c:574
#42 0x00a755e3 in dissector_try_port (sub_dissectors=0xa0c3b90, port=1,
tvb=0xa3d5f18,
pinfo=0xa4b15e0, tree=0xa4b18d0) at packet.c:850
#43 0x00c7cd40 in dissect_frame (tvb=0xa3d5f18, pinfo=0xa4b15e0,
parent_tree=0xa4b18d0)
at packet-frame.c:299
#44 0x00a74a68 in call_dissector_through_handle (handle=0xa0c4638,
tvb=0xa3d5f18, pinfo=0xa4b15e0,
tree=0xa4b18d0) at packet.c:396
#45 0x00a74d37 in call_dissector_work (handle=0xa0c4638, tvb=0xa3d5f18,
pinfo_arg=<value optimized out>, tree=dwarf2_read_address: Corrupted DWARF
expression.
) at packet.c:574
#46 0x00a751f4 in call_dissector (handle=0x0, tvb=0xa3d5f18, pinfo=0xa4b15e0,
tree=0xa4b18d0)
at packet.c:1750
#47 0x00a76de7 in dissect_packet (edt=0xa4b15d8, pseudo_header=0xa48bb44,
pd=0xa4923a8 "",
fd=0xbfddabec, cinfo=0x0) at packet.c:332
#48 0x00a6e18e in epan_dissect_run (edt=0xa4b15d8, pseudo_header=0xa48bb44,
data=0xa4923a8 "",
fd=0xbfddabec, cinfo=0x0) at epan.c:158
#49 0x08063267 in process_packet (cf=0x8073480, offset=<value optimized out>,
whdr=0xa48bb30,
pseudo_header=0xa48bb44, pd=0xa4923a8 "") at tshark.c:2403
#50 0x08065e6c in main (argc=3, argv=0xbfddadf4) at tshark.c:2202
--