Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-bugs: [Wireshark-bugs] [Bug 8383] New: csnStreamDissector dissector crash

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Fri, 22 Feb 2013 14:20:28 +0000
Bug ID 8383
Summary csnStreamDissector dissector crash
Classification Unclassified
Product Wireshark
Version 1.8.5
Hardware x86-64
OS Linux (other)
Status UNCONFIRMED
Severity Major
Priority Low
Component TShark
Assignee [email protected]
Reporter [email protected] 

Created attachment 10093 [details]
csnStreamDissector.pcap

Build Information:
TShark 1.8.5 (SVN Rev Unknown from unknown)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without
POSIX capabilities, without SMI, without c-ares, without ADNS, with Lua 5.1,
without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos,
without GeoIP.

Running on Linux 3.2.0-30-generic, with locale en_US.UTF-8, with libpcap
version
1.1.1, with libz 1.2.3.4.

Built using gcc 4.6.3.
--
Hi,

Here is a PCAP file triggering a SIGSEGV that could enable (at least) a remote
party to trigger a denial of service.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

--

Signal si_signo: 11 Signal si_addr: 0x1
Nearby code:
   0x00007ffff2ead39c <+10716>: jmp    0x7ffff2eace88
<_IO_vfprintf_internal+9416>
   0x00007ffff2ead3a1 <+10721>: mov    rdi,QWORD PTR [rbp-0x558]
   0x00007ffff2ead3a8 <+10728>: xor    eax,eax
   0x00007ffff2ead3aa <+10730>: or     rcx,0xffffffffffffffff
   0x00007ffff2ead3ae <+10734>: xor    r9d,r9d
=> 0x00007ffff2ead3b1 <+10737>: repnz scas al,BYTE PTR es:[rdi]
   0x00007ffff2ead3b3 <+10739>: not    rcx
   0x00007ffff2ead3b6 <+10742>: lea    r8,[rcx-0x1]
   0x00007ffff2ead3ba <+10746>: jmp    0x7ffff2eace88
<_IO_vfprintf_internal+9416>
   0x00007ffff2ead3bf <+10751>: mov    r14d,eax
Stack trace:
#  0 _IO_vfprintf_internal at 0x7ffff2ead3b1 in
/lib/x86_64-linux-gnu/libc-2.15.so (BL)
#  1 ___vsnprintf_chk at 0x7ffff2f6ad80 in /lib/x86_64-linux-gnu/libc-2.15.so
(BL)
#  2 proto_tree_set_representation at 0x7ffff5184fff in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  3 proto_tree_add_text at 0x7ffff51883e8 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  4 ProcessError at 0x7ffff52ea51f in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  5 csnStreamDissector at 0x7ffff52eac38 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  6 csnStreamDissector at 0x7ffff52ec553 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  7 csnStreamDissector at 0x7ffff52ead3e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  8 csnStreamDissector at 0x7ffff52ec553 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  9 dissect_gsm_rlcmac_downlink at 0x7ffff5439cb1 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 10 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 11 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 12 call_dissector at 0x7ffff517b7e1 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 13 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 14 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 15 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 16 decode_udp_ports at 0x7ffff5798875 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 17 dissect at 0x7ffff5798e83 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 18 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 19 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 20 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 21 dissect_ip at 0x7ffff54bd27b in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 22 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 23 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 24 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 25 ethertype at 0x7ffff53aabba in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 26 dissect_eth_common at 0x7ffff53a95dc in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 27 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 28 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 29 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 30 dissect_frame at 0x7ffff53dc8cb in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 31 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 32 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 33 call_dissector at 0x7ffff517b7e1 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 34 dissect_packet at 0x7ffff517bbf4 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 35 process_packet at 0x41ad5b in
/home/laurent/fuzzing/bin/wireshark-1.8.5/bin/tshark
# 36 load_cap_file at 0x40dc8f in
/home/laurent/fuzzing/bin/wireshark-1.8.5/bin/tshark
# 37 main at 0x40dc8f in /home/laurent/fuzzing/bin/wireshark-1.8.5/bin/tshark
Faulting frame: #  2 proto_tree_set_representation at 0x7ffff5184fff in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
Description: Access violation near NULL on source operand
Short description: SourceAvNearNull (15/21)
Hash: d25e723ec6c54309eb3d7e1dc02f1095.4d0b0322228c581d797b9798b4c883a5
---Type <return> to continue, or q <return> to quit---
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching
the source operand of the current instruction. This likely indicates a read
access violation, which may mean the application crashed on a simple NULL
dereference to data structure that has no immediate effect on control of the
processor.
Other tags: AccessViolation (20/21)

You are receiving this mail because:
  • You are watching all bug changes.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube