Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 8380] New: dissect

Wireshark-bugs: [Wireshark-bugs] [Bug 8380] New: dissect_dtls dissector crash

Date: Fri, 22 Feb 2013 14:17:17 +0000

Bug ID	8380
Summary	dissect_dtls dissector crash
Classification	Unclassified
Product	Wireshark
Version	1.8.5
Hardware	x86-64
OS	Linux (other)
Status	UNCONFIRMED
Severity	Major
Priority	Low
Component	TShark
Assignee	[email protected]
Reporter	[email protected]

Created attachment 10090 [details]
dissect_dtls_handshake.pcap

Build Information:
TShark 1.8.5 (SVN Rev Unknown from unknown)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without
POSIX capabilities, without SMI, without c-ares, without ADNS, with Lua 5.1,
without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos,
without GeoIP.

Running on Linux 3.2.0-30-generic, with locale en_US.UTF-8, with libpcap
version
1.1.1, with libz 1.2.3.4.

Built using gcc 4.6.3.
--
Hi,

Here is a PCAP file triggering a SIGSEGV that could enable (at least) a remote
party to trigger a denial of service.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

--

Program received signal SIGSEGV, Segmentation fault.
__memcmp_sse2 () at ../sysdeps/x86_64/multiarch/../memcmp.S:151
151 ../sysdeps/x86_64/multiarch/../memcmp.S: No such file or directory.
(gdb) python import exploitable
(gdb) exploitable -v
'exploitable' version 1.04
Linux nitro 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:52:48 UTC 2012 x86_64
Signal si_signo: 11 Signal si_addr: 0x178cfd0
Nearby code:
   0x00007ffff2eed767 <+311>:   test   rsi,0xf
   0x00007ffff2eed76e <+318>:   je     0x7ffff2eed8d3 <__memcmp_sse2+675>
   0x00007ffff2eed774 <+324>:   test   rdi,0x10
   0x00007ffff2eed77b <+331>:   je     0x7ffff2eed79a <__memcmp_sse2+362>
   0x00007ffff2eed77d <+333>:   movdqu xmm0,XMMWORD PTR [rdi+rsi*1]
=> 0x00007ffff2eed782 <+338>:   pcmpeqb xmm0,XMMWORD PTR [rdi]
   0x00007ffff2eed786 <+342>:   pmovmskb edx,xmm0
   0x00007ffff2eed78a <+346>:   sub    edx,0xffff
   0x00007ffff2eed790 <+352>:   jne    0x7ffff2eed8c0 <__memcmp_sse2+656>
   0x00007ffff2eed796 <+358>:   add    rdi,0x10
Stack trace:
#  0 __memcmp_sse2 at 0x7ffff2eed782 in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
#  1 fragment_add_work at 0x7ffff51959f9 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  2 fragment_add_common at 0x7ffff5195edc in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  3 fragment_add at 0x7ffff51964b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  4 dissect_dtls_handshake at 0x7ffff537ac0c in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  5 dissect_dtls_record at 0x7ffff537c604 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  6 dissect_dtls at 0x7ffff537c839 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  7 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  8 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  9 call_dissector at 0x7ffff517b7e1 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 10 dissect_capwap_control at 0x7ffff52aefdf in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 11 call_dissector_through_handle at 0x7ffff51794eb in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 12 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 13 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 14 decode_udp_ports at 0x7ffff5798875 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 15 dissect at 0x7ffff5798e83 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 16 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 17 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 18 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 19 dissect_ip at 0x7ffff54bd27b in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 20 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 21 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 22 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 23 ethertype at 0x7ffff53aabba in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 24 dissect_eth_common at 0x7ffff53a95dc in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 25 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 26 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 27 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 28 dissect_frame at 0x7ffff53dc8cb in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 29 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 30 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 31 call_dissector at 0x7ffff517b7e1 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 32 dissect_packet at 0x7ffff517bbf4 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 33 process_packet at 0x41ad5b in
/home/laurent/fuzzing/bin/wireshark-1.8.5/bin/tshark
# 34 load_cap_file at 0x40dc8f in
/home/laurent/fuzzing/bin/wireshark-1.8.5/bin/tshark
# 35 main at 0x40dc8f in /home/laurent/fuzzing/bin/wireshark-1.8.5/bin/tshark
Faulting frame: #  1 fragment_add_work at 0x7ffff51959f9 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
Description: Access violation on source operand
Short description: SourceAv (18/21)
Hash: b5c8ed64d962674ede2304d9cbd38f20.bc4e6acaf692b6a6eb2596772b8dbc62
Exploitability Classification: UNKNOWN
Explanation: The target crashed on an access violation at an address matching
the source operand of the current instruction. This likely indicates a read
acces---Type <return> to continue, or q <return> to quit---
s violation.
Other tags: AccessViolation (20/21)

You are receiving this mail because:

You are watching all bug changes.

Follow-Ups:
- [Wireshark-bugs] [Bug 8380] dissect_dtls dissector crash
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8380] dissect_dtls dissector crash
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8380] dissect_dtls dissector crash
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8380] dissect_dtls dissector crash
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8380] dissect_dtls dissector crash
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8380] dissect_dtls dissector crash
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8380] dissect_dtls dissector crash
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8380] dissect_dtls dissector crash
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8380] dissect_dtls dissector crash
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 8379] HPFEEDS protocol : honeypot protocol feeds support added
Next by Date: [Wireshark-bugs] [Bug 8381] New: MPLS infinite loop
Previous by thread: [Wireshark-bugs] [Bug 8379] HPFEEDS protocol : honeypot protocol feeds support added
Next by thread: [Wireshark-bugs] [Bug 8380] dissect_dtls dissector crash
Index(es):
- Date
- Thread