Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 1054] New: crash on fuzzed LDAP capture

Date: Fri, 25 Aug 2006 14:35:45 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1054

           Summary: crash on fuzzed LDAP capture
           Product: Wireshark
           Version: SVN
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Critical
          Priority: High
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: thomas.anders@xxxxxxxxxxxxx


The attached capture file (a single fuzzed LDAP packet) crashes
Wireshark/tshark (current SVN).

Version
-------
wireshark 0.99.3 (SVN Rev 19011)
Compiled with GTK+ 2.8.10, with GLib 2.8.5, with libpcap 0.9.4, with libz
1.2.3,
with libpcre 6.4, with Net-SNMP 5.3.1, without ADNS, without Lua.
Running with libpcap version 0.9.4 on Linux 2.6.16.13-4-smp.

Backtrace
---------
*** glibc detected *** /bc/bin/tshark: free(): invalid pointer: 0x0845f800 ***
======= Backtrace: =========
/lib/libc.so.6[0xb6842911]
/lib/libc.so.6(__libc_free+0x84)[0xb6843f84]
/opt/gnome/lib/libglib-2.0.so.0(g_free+0x22)[0xb6a80782]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb73724ba]
/bc/wireshark-svn/lib/libwireshark.so.0(dissect_ber_sequence+0x64a)[0xb70e132a]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb7370620]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb7372c8a]
/bc/wireshark-svn/lib/libwireshark.so.0(dissect_ber_choice+0x1b0)[0xb70e0340]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb73711ea]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb7373017]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb70df8a0]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb7372f95]
/bc/wireshark-svn/lib/libwireshark.so.0(dissect_ber_choice+0x1b0)[0xb70e0340]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb73711ea]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb7371260]
/bc/wireshark-svn/lib/libwireshark.so.0(dissect_ber_sequence+0x64a)[0xb70e132a]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb73705c8]
/bc/wireshark-svn/lib/libwireshark.so.0(dissect_ber_choice+0x1b0)[0xb70e0340]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb7373152]
/bc/wireshark-svn/lib/libwireshark.so.0(dissect_ber_sequence+0x64a)[0xb70e132a]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb736f73d]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb736f931]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb700eab8]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb700ed97]
/bc/wireshark-svn/lib/libwireshark.so.0(dissector_try_port+0x43)[0xb700f583]
/bc/wireshark-svn/lib/libwireshark.so.0(decode_udp_ports+0x1aa)[0xb75abd0a]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb75ac31b]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb700eab8]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb700ed97]
/bc/wireshark-svn/lib/libwireshark.so.0(dissector_try_port+0x43)[0xb700f583]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb7321d9c]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb700eab8]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb700ed97]
/bc/wireshark-svn/lib/libwireshark.so.0(dissector_try_port+0x43)[0xb700f583]
/bc/wireshark-svn/lib/libwireshark.so.0(ethertype+0x39b)[0xb723ac7b]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb7237ac9]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb700eab8]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb700ed97]
/bc/wireshark-svn/lib/libwireshark.so.0(dissector_try_port+0x43)[0xb700f583]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb7263ed3]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb700eab8]
/bc/wireshark-svn/lib/libwireshark.so.0[0xb700ed97]
/bc/wireshark-svn/lib/libwireshark.so.0(call_dissector+0x34)[0xb700f1f4]
/bc/wireshark-svn/lib/libwireshark.so.0(dissect_packet+0x376)[0xb7010c66]
/bc/wireshark-svn/lib/libwireshark.so.0(epan_dissect_run+0x3e)[0xb700adae]
/bc/bin/tshark[0x8060e28]
/bc/bin/tshark(main+0x1082)[0x8062f32]
/lib/libc.so.6(__libc_start_main+0xdc)[0xb67f487c]
/bc/bin/tshark(register_all_protocol_handoffs+0x409)[0x804ea91]
======= Memory map: ========
08048000-0806c000 r-xp 00000000 08:02 570940     /bc/wireshark-svn/bin/tshark
0806c000-0806d000 rw-p 00024000 08:02 570940     /bc/wireshark-svn/bin/tshark
0806d000-08480000 rw-p 0806d000 00:00 0          [heap]
b4f00000-b4f21000 rw-p b4f00000 00:00 0
b4f21000-b5000000 ---p b4f21000 00:00 0
b504b000-b504c000 rw-p b504b000 00:00 0
b504c000-b504d000 ---p b504c000 00:00 0
b504d000-b5a4a000 rw-p b504d000 00:00 0
b5a4a000-b5a4b000 ---p b5a4a000 00:00 0
b5a4b000-b5a4c000 rw-p b5a4b000 00:00 0
b5a4c000-b5a4d000 ---p b5a4c000 00:00 0
b5a4d000-b644a000 rw-p b5a4d000 00:00 0
b644a000-b644b000 ---p b644a000 00:00 0
b644b000-b6486000 r--p 00000000 08:02 16114     
/usr/lib/locale/de_DE.utf8/LC_CTYPE
b6486000-b655d000 r--p 00000000 08:02 16244     
/usr/lib/locale/de_DE.utf8/LC_COLLATE
b655d000-b658f000 rw-p b6759000 00:00 0
b658f000-b6599000 r-xp 00000000 08:02 467234    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/irda.so
b6599000-b659b000 rw-p 0000a000 08:02 467234    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/irda.so
b659b000-b659d000 rw-p b659b000 00:00 0
b659d000-b65a3000 r-xp 00000000 08:02 467231    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/h223.so
b65a3000-b65a4000 rw-p 00006000 08:02 467231    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/h223.so
b65a4000-b65ad000 r-xp 00000000 08:02 467249    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/megaco.so
b65ad000-b65ae000 rw-p 00009000 08:02 467249    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/megaco.so
b65ae000-b65b1000 r-xp 00000000 08:02 467056    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/enttec.so
b65b1000-b65b2000 rw-p 00002000 08:02 467056    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/enttec.so
b65b2000-b65b6000 r-xp 00000000 08:02 467253    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/opsi.so
b65b6000-b65b8000 rw-p 00003000 08:02 467253    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/opsi.so
b65b8000-b65ed000 r--s 00000000 08:02 61758      /var/run/nscd/passwd
b65ed000-b65fd000 r-xp 00000000 08:02 467034    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/asn1.so
b65fd000-b65fe000 rw-p 00010000 08:02 467034    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/asn1.so
b65fe000-b6602000 rw-p b65fe000 00:00 0
b6602000-b6603000 r-xp 00000000 08:02 467256    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/pcli.so
b6603000-b6604000 rw-p 00001000 08:02 467256    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/pcli.so
b6604000-b6606000 r-xp 00000000 08:02 467051    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/ciscosm.so
b6606000-b6607000 rw-p 00001000 08:02 467051    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/ciscosm.so
b6607000-b6612000 r-xp 00000000 08:02 467216    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/tango.so
b6612000-b6613000 rw-p 0000a000 08:02 467216    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/tango.so
b6613000-b6615000 r-xp 00000000 08:02 532265    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/rlm.so
b6615000-b6616000 rw-p 00001000 08:02 532265    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/rlm.so
b6616000-b662f000 r-xp 00000000 08:02 467257    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/profinet.so
b662f000-b6636000 rw-p 00018000 08:02 467257    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/profinet.so
b6636000-b6651000 r-xp 00000000 08:02 467055    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/docsis.so
b6651000-b6659000 rw-p 0001a000 08:02 467055    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/docsis.so
b6659000-b666d000 r-xp 00000000 08:02 467248    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/mate.so
b666d000-b666e000 rw-p 00014000 08:02 467248    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/mate.so
b666e000-b6680000 rw-p b666e000 00:00 0
b6680000-b6733000 r-xp 00000000 08:02 467227    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/parlay.so
b6733000-b6735000 rw-p 000b3000 08:02 467227    
/bc/wireshark-svn/lib/wireshark/plugins/0.99.3/parlay.so
b673f000-b6749000 r-xp 00000000 08:02 13282      /lib/libgcc_s.so.1
b6749000
Program received signal SIGABRT, Aborted.
[Switching to Thread -1233261920 (LWP 9185)]
0xffffe410 in __kernel_vsyscall ()

(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb68077d0 in raise () from /lib/libc.so.6
#2  0xb6808ea3 in abort () from /lib/libc.so.6
#3  0xb683cf8b in __libc_message () from /lib/libc.so.6
#4  0xb6842911 in malloc_printerr () from /lib/libc.so.6
#5  0xb6843f84 in free () from /lib/libc.so.6
#6  0xb6a80782 in g_free () from /opt/gnome/lib/libglib-2.0.so.0
#7  0xb73724ba in dissect_ldap_AssertionValue (
    implicit_tag=<value optimized out>, tvb=0x845f800,
    offset=<value optimized out>, pinfo=0x8457358, tree=0x84574e0,
    hf_index=19426) at packet-ldap-template.c:309
#8  0xb70e132a in dissect_ber_sequence (implicit_tag=1, pinfo=0x8457358,
    parent_tree=0x84574f8, tvb=0x845f7a0, offset=<value optimized out>,
    seq=0xb7b301f0, hf_id=19461, ett_id=6254) at packet-ber.c:1205
#9  0xb7370620 in dissect_ldap_AttributeValueAssertion (implicit_tag=0,
    tvb=<value optimized out>, offset=9185, pinfo=0x8457358, tree=0x84574f8,
    hf_index=19461) at ldap.cnf:572
#10 0xb7372c8a in dissect_equalityMatch_impl (pinfo=0x8457358, tree=0x84574f8,
    tvb=0x845f7a0, offset=0) at ldap.cnf:585
#11 0xb70e0340 in dissect_ber_choice (pinfo=0x8457358, parent_tree=0x84574f8,
    tvb=0x84580dc, offset=<value optimized out>, choice=0xb7b304e0, hf_id=-1,
    ett_id=6266, branch_taken=0x0) at packet-ber.c:1659
#12 0xb73711ea in dissect_ldap_Filter (implicit_tag=<value optimized out>,
    tvb=0x84580dc, offset=134, pinfo=0x8457358, tree=0x8457750, hf_index=19457)
    at ldap.cnf:594
#13 0xb7373017 in dissect_and_item (pinfo=0x8457358, tree=0x8457750,
    tvb=0x84580dc, offset=134) at ldap.cnf:558
#14 0xb70df8a0 in dissect_ber_sq_of (implicit_tag=<value optimized out>,
    type=17, pinfo=0x8457358, parent_tree=0x8457750, tvb=0x84580dc,
    offset=<value optimized out>, seq=0xb7b306c0, hf_id=-1, ett_id=6267)
    at packet-ber.c:2074
#15 0xb7372f95 in dissect_and_impl (pinfo=0x8457358, tree=0x8457768,
    tvb=0x84580dc, offset=0) at ldap.cnf:488
#16 0xb70e0340 in dissect_ber_choice (pinfo=0x8457358, parent_tree=0x8457768,
    tvb=0x84580a8, offset=<value optimized out>, choice=0xb7b304e0, hf_id=-1,
    ett_id=6266, branch_taken=0x0) at packet-ber.c:1659
#17 0xb73711ea in dissect_ldap_Filter (implicit_tag=<value optimized out>,
    tvb=0x84580a8, offset=0, pinfo=0x8457358, tree=0x84577f8, hf_index=19454)
    at ldap.cnf:594
#18 0xb7371260 in dissect_filter (pinfo=0x8457358, tree=0x84577f8,
    tvb=0x84580a8, offset=0) at ldap.cnf:451
#19 0xb70e132a in dissect_ber_sequence (implicit_tag=0, pinfo=0x8457358,
    parent_tree=0x8457810, tvb=0x8457f3c, offset=<value optimized out>,
    seq=0xb7b304a0, hf_id=19407, ett_id=6265) at packet-ber.c:1205
#20 0xb73705c8 in dissect_searchRequest (pinfo=0x8457358, tree=0x8457810,
    tvb=0x8457f3c, offset=0) at ldap.cnf:492
#21 0xb70e0340 in dissect_ber_choice (pinfo=0x8457358, parent_tree=0x8457840,
    tvb=0x8457f08, offset=<value optimized out>, choice=0xb7b2fcc0,
    hf_id=19402, ett_id=6252, branch_taken=0xb7d38eb4) at packet-ber.c:1659
#22 0xb7373152 in dissect_protocolOp (pinfo=0x8457358, tree=0x8457840,
    tvb=0x8457f08, offset=0) at ldap.cnf:67
#23 0xb70e132a in dissect_ber_sequence (implicit_tag=0, pinfo=0x8457358,
    parent_tree=0x8457858, tvb=0x8457ea0, offset=<value optimized out>,
    seq=0xb7b2fc30, hf_id=19400, ett_id=6251) at packet-ber.c:1205
#24 0xb736f73d in dissect_ldap_payload (tvb=0x8457e6c, pinfo=0x8457358,
    tree=0x8457858, ldap_info=0xb505d878, rest_is_pad=0, is_mscldap=1)
    at ldap.cnf:166
#25 0xb736f931 in dissect_ldap_pdu (tvb=0x8457e6c, pinfo=0x8457358,
    tree=0x8457d98, is_mscldap=1) at packet-ldap-template.c:893
#26 0xb700eab8 in call_dissector_through_handle (handle=0x8320d98,
    tvb=0x8457e6c, pinfo=0x8457358, tree=0x8457d98) at packet.c:387
#27 0xb700ed97 in call_dissector_work (handle=0x8320d98, tvb=0x8457e6c,
    pinfo_arg=<value optimized out>, tree=0x8457d98) at packet.c:562
#28 0xb700f583 in dissector_try_port (sub_dissectors=0x82847b0, port=389,
    tvb=0x8457e6c, pinfo=0x8457358, tree=0x8457d98) at packet.c:837
#29 0xb75abd0a in decode_udp_ports (tvb=0x8457e38, offset=8, pinfo=0x8457358,
    tree=0x8457d98, uh_sport=1033, uh_dport=389, uh_ulen=251)
    at packet-udp.c:140
#30 0xb75ac31b in dissect (tvb=0x8457e38, pinfo=0x8457358, tree=0x8457d98,
    ip_proto=1114112) at packet-udp.c:347
#31 0xb700eab8 in call_dissector_through_handle (handle=0x833d080,
    tvb=0x8457e38, pinfo=0x8457358, tree=0x8457d98) at packet.c:387
#32 0xb700ed97 in call_dissector_work (handle=0x833d080, tvb=0x8457e38,
    pinfo_arg=<value optimized out>, tree=0x8457d98) at packet.c:562
#33 0xb700f583 in dissector_try_port (sub_dissectors=0x812c938, port=17,
    tvb=0x8457e38, pinfo=0x8457358, tree=0x8457d98) at packet.c:837
#34 0xb7321d9c in dissect_ip (tvb=0x8457e04, pinfo=0x8457358,
    parent_tree=0x8457d98) at packet-ip.c:1187
#35 0xb700eab8 in call_dissector_through_handle (handle=0x812ca88,
    tvb=0x8457e04, pinfo=0x8457358, tree=0x8457d98) at packet.c:387
#36 0xb700ed97 in call_dissector_work (handle=0x812ca88, tvb=0x8457e04,
    pinfo_arg=<value optimized out>, tree=0x8457d98) at packet.c:562
#37 0xb700f583 in dissector_try_port (sub_dissectors=0x80eff78, port=2048,
    tvb=0x8457e04, pinfo=0x8457358, tree=0x8457d98) at packet.c:837
#38 0xb723ac7b in ethertype (etype=2048, tvb=0x8457dd0, offset_after_etype=14,
    pinfo=0x8457358, tree=0x8457d98, fh_tree=0x8457ca8, etype_id=9082,
    trailer_id=9084, fcs_len=-1) at packet-ethertype.c:195
#39 0xb7237ac9 in dissect_eth_common (tvb=0x8457dd0, pinfo=0x8457358,
    parent_tree=0x8457d98, fcs_len=-1) at packet-eth.c:344
#40 0xb700eab8 in call_dissector_through_handle (handle=0x830d598,
    tvb=0x8457dd0, pinfo=0x8457358, tree=0x8457d98) at packet.c:387
#41 0xb700ed97 in call_dissector_work (handle=0x830d598, tvb=0x8457dd0,
    pinfo_arg=<value optimized out>, tree=0x8457d98) at packet.c:562
#42 0xb700f583 in dissector_try_port (sub_dissectors=0x8108508, port=1,
    tvb=0x8457dd0, pinfo=0x8457358, tree=0x8457d98) at packet.c:837
#43 0xb7263ed3 in dissect_frame (tvb=0x8457dd0, pinfo=0x8457358,
    parent_tree=0x8457d98) at packet-frame.c:286
#44 0xb700eab8 in call_dissector_through_handle (handle=0x8108598,
    tvb=0x8457dd0, pinfo=0x8457358, tree=0x8457d98) at packet.c:387
#45 0xb700ed97 in call_dissector_work (handle=0x8108598, tvb=0x8457dd0,
    pinfo_arg=<value optimized out>, tree=0x8457d98) at packet.c:562
#46 0xb700f1f4 in call_dissector (handle=0x0, tvb=0x8457dd0, pinfo=0x8457358,
    tree=0x8457d98) at packet.c:1706
#47 0xb7010c66 in dissect_packet (edt=0x8457350, pseudo_header=0x841c2cc,
    pd=0x8422a28 "", fd=0xbfcde928, cinfo=0x0) at packet.c:326
#48 0xb700adae in epan_dissect_run (edt=0x8457350, pseudo_header=0x841c2cc,
    data=0x8422a28 "", fd=0xbfcde928, cinfo=0x0) at epan.c:187
#49 0x08060e28 in process_packet (cf=0x806ee60, offset=<value optimized out>,
    whdr=<value optimized out>, pseudo_header=0x841c2cc, pd=0x8422a28 "")
    at tshark.c:2316
#50 0x08062f32 in main (argc=3, argv=0xbfcdeae4) at tshark.c:2131


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.