Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 7666] New: Endless loop in dissect_drda()

[bugzilla-daemon@xxxxxxxxxxxxx]

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7666

           Summary: Endless loop in dissect_drda()
           Product: Wireshark
           Version: 1.8.2
          Platform: x86
        OS/Version: Fedora
            Status: NEW
          Severity: Major
          Priority: High
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: jsafrane@xxxxxxxxxx


Created attachment 9007
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9007
problematic capture file

Build Information:
TShark 1.8.2 (SVN Rev Unknown from unknown)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.33.6, with libpcap, with libz 1.2.7, with POSIX
capabilities (Linux), with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, with
Python 2.7.3, with GnuTLS 2.12.20, with Gcrypt 1.5.0, with MIT Kerberos, with
GeoIP.

Running on Linux 3.5.0-1.fc18.x86_64, with locale en_US.UTF-8, with libpcap
version 1.3.0, with libz 1.2.7.

Built using gcc 4.7.1 20120813 (Red Hat 4.7.1-7).

--
Please give credit to Martin Wilck as reported of this bug, I just transfer it
from our Fedora Bugzilla to Wireshark's.

When opening attached capture file with Wireshark or tshark -r, it enters
endless loop in dissect_drda() function.

#2  0x00007ffff4d2cfe2 in col_append_str (cinfo=0x661f30, el=38,
str=0x7ffff5e4b321 "DATA") at column-utils.c:593
#3  0x00007ffff4ffe780 in dissect_drda (tvb=0x171c800, pinfo=0x7fffffffd370,
tree=0x0) at packet-drda.c:704
#4  0x00007ffff4ffee38 in dissect_drda_heur (tvb=0x171c800,
pinfo=0x7fffffffd370, tree=0x0) at packet-drda.c:819
#5  0x00007ffff4d456f0 in dissector_try_heuristic (sub_dissectors=0x14686c0,
tvb=0x171c800, pinfo=0x7fffffffd370, tree=0x0) at packet.c:1727
#6  0x00007ffff553ef74 in decode_tcp_ports (tvb=0x171c860, offset=32,
pinfo=0x7fffffffd370, tree=0x0, src_port=2049, dst_port=676,
tcpd=0x7fffefa41a18) at packet-tcp.c:3890
#7  0x00007ffff553f1ea in process_tcp_payload (tvb=0x171c860, offset=32,
pinfo=0x7fffffffd370, tree=0x0, tcp_tree=0x0, src_port=2049, dst_port=676,
seq=0, nxtseq=0, is_tcp_segment=0, tcpd=
    0x7fffefa41a18) at packet-tcp.c:3935
#8  0x00007ffff553aa07 in desegment_tcp (tvb=0x171c860, pinfo=0x7fffffffd370,
offset=32, seq=128380023, nxtseq=128380061, sport=2049, dport=676, tree=0x0,
tcp_tree=0x0, tcpd=0x7fffefa41a18)
    at packet-tcp.c:1799
#9  0x00007ffff553f403 in dissect_tcp_payload (tvb=0x171c860,
pinfo=0x7fffffffd370, offset=32, seq=128380023, nxtseq=128380061, sport=2049,
dport=676, tree=0x0, tcp_tree=0x0, tcpd=0x7fffefa41a18)
    at packet-tcp.c:4002
#10 0x00007ffff554278b in dissect_tcp (tvb=0x171c860, pinfo=0x7fffffffd370,
tree=0x0) at packet-tcp.c:4750
#11 0x00007ffff4d43a24 in call_dissector_through_handle (handle=0x1019670,
tvb=0x171c860, pinfo=0x7fffffffd370, tree=0x0) at packet.c:419
#12 0x00007ffff4d43bf0 in call_dissector_work (handle=0x1019670, tvb=0x171c860,
pinfo_arg=0x7fffffffd370, tree=0x0, add_proto_name=1) at packet.c:510
#13 0x00007ffff4d4456f in dissector_try_uint_new (sub_dissectors=0xb87d90,
uint_val=6, tvb=0x171c860, pinfo=0x7fffffffd370, tree=0x0, add_proto_name=1) at
packet.c:935
#14 0x00007ffff4d445d1 in dissector_try_uint (sub_dissectors=0xb87d90,
uint_val=6, tvb=0x171c860, pinfo=0x7fffffffd370, tree=0x0) at packet.c:961
#15 0x00007ffff51ab218 in dissect_ip (tvb=0x171c8c0, pinfo=0x7fffffffd370,
parent_tree=0x0) at packet-ip.c:2370
#16 0x00007ffff4d43a24 in call_dissector_through_handle (handle=0xba3700,
tvb=0x171c8c0, pinfo=0x7fffffffd370, tree=0x0) at packet.c:419
#17 0x00007ffff4d43bf0 in call_dissector_work (handle=0xba3700, tvb=0x171c8c0,
pinfo_arg=0x7fffffffd370, tree=0x0, add_proto_name=1) at packet.c:510
#18 0x00007ffff4d4456f in dissector_try_uint_new (sub_dissectors=0x9ec760,
uint_val=2048, tvb=0x171c8c0, pinfo=0x7fffffffd370, tree=0x0, add_proto_name=1)
at packet.c:935
#19 0x00007ffff4d445d1 in dissector_try_uint (sub_dissectors=0x9ec760,
uint_val=2048, tvb=0x171c8c0, pinfo=0x7fffffffd370, tree=0x0) at packet.c:961
#20 0x00007ffff50424ab in ethertype (etype=2048, tvb=0x171c920,
offset_after_etype=14, pinfo=0x7fffffffd370, tree=0x0, fh_tree=0x0,
etype_id=21620, trailer_id=21624, fcs_len=-1)
    at packet-ethertype.c:270
#21 0x00007ffff50412d1 in dissect_eth_common (tvb=0x171c920,
pinfo=0x7fffffffd370, parent_tree=0x0, fcs_len=-1) at packet-eth.c:403
#22 0x00007ffff5041c2a in dissect_eth_maybefcs (tvb=0x171c920,
pinfo=0x7fffffffd370, tree=0x0) at packet-eth.c:662
#23 0x00007ffff4d43a24 in call_dissector_through_handle (handle=0x9ec670,
tvb=0x171c920, pinfo=0x7fffffffd370, tree=0x0) at packet.c:419
#24 0x00007ffff4d43bf0 in call_dissector_work (handle=0x9ec670, tvb=0x171c920,
pinfo_arg=0x7fffffffd370, tree=0x0, add_proto_name=1) at packet.c:510
#25 0x00007ffff4d4456f in dissector_try_uint_new (sub_dissectors=0xa33a20,
uint_val=1, tvb=0x171c920, pinfo=0x7fffffffd370, tree=0x0, add_proto_name=1) at
packet.c:935
#26 0x00007ffff4d445d1 in dissector_try_uint (sub_dissectors=0xa33a20,
uint_val=1, tvb=0x171c920, pinfo=0x7fffffffd370, tree=0x0) at packet.c:961
#27 0x00007ffff508a48f in dissect_frame (tvb=0x171c920, pinfo=0x7fffffffd370,
parent_tree=0x0) at packet-frame.c:383
#28 0x00007ffff4d43a24 in call_dissector_through_handle (handle=0xa33b90,
tvb=0x171c920, pinfo=0x7fffffffd370, tree=0x0) at packet.c:419
#29 0x00007ffff4d43bf0 in call_dissector_work (handle=0xa33b90, tvb=0x171c920,
pinfo_arg=0x7fffffffd370, tree=0x0, add_proto_name=1) at packet.c:510
#30 0x00007ffff4d45db7 in call_dissector_only (handle=0xa33b90, tvb=0x171c920,
pinfo=0x7fffffffd370, tree=0x0) at packet.c:1983
#31 0x00007ffff4d45def in call_dissector (handle=0xa33b90, tvb=0x171c920,
pinfo=0x7fffffffd370, tree=0x0) at packet.c:1996
#32 0x00007ffff4d43807 in dissect_packet (edt=0x7fffffffd360,
pseudo_header=0x15ee558, pd=0x15f3580 "", fd=0x7fffffffd500, cinfo=0x661f30) at
packet.c:350
#33 0x00007ffff4d36905 in epan_dissect_run (edt=0x7fffffffd360,
pseudo_header=0x15ee558, data=0x15f3580 "", fd=0x7fffffffd500, cinfo=0x661f30)
at epan.c:210
#34 0x000000000041e28e in process_packet (cf=0x651dc0, offset=3178909,
whdr=0x15ee4e0, pseudo_header=0x15ee558, pd=0x15f3580 "",
filtering_tap_listeners=0, tap_flags=4) at tshark.c:3074
#35 0x000000000041dc42 in load_cap_file (cf=0x651dc0, save_file=0x0,
out_file_type=2, out_file_name_res=0, max_packet_count=-28880,
max_byte_count=0) at tshark.c:2867
#36 0x000000000041c2eb in main (argc=3, argv=0x7fffffffdb78) at tshark.c:1759



Frame #3 is interesting:

#3  0x00007ffff4ffe780 in dissect_drda (tvb=0x171c800, pinfo=0x7fffffffd370,
tree=0x0) at packet-drda.c:704
        offset = 6
        iCommand = 0
        iLength = 0
        iCommandEnd = 6
        iFormatFlags = 0 '\000'
        iDSSType = 0 '\000'
        iDSSFlags = 127 '\177'
        iParameterCP = 0
        iLengthParam = 2

Since the iLength = 0 and tree = NULL, the loop never ends:

    while ((guint) (offset + 10) <= tvb_length(tvb))
    {
...
        if (tree)

...
        else
        {
            /* No tree, advance directly to next command */
            offset += iLength;
        }
    }

With tree != NULL, i.e. tshark -VV -r test.cap, the packet is parsed OK.

Malformed packet can be used as DOS attack.

Please give credit to Martin Wilck as reported of this bug, I just transfer it
from our Fedora Bugzilla to Wireshark's.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.