
Wireshark-bugs: [Wireshark-bugs] [Bug 2922] New: USB URB dissector denial of service

Date: Wed, 1 Oct 2008 01:00:21 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2922

           Summary: USB URB dissector denial of service
           Product: Wireshark
           Version: 1.0.3
          Platform: PC
        OS/Version: Linux (other)
            Status: NEW
          Severity: Normal
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: david.maciejak@xxxxxxxxx


Created an attachment (id=2286)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=2286)
poc_usb_urb_segfault

Build Information:
wireshark 1.0.3

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.9, with GLib 2.16.4, with libpcap 0.9.5, with libz
1.2.3.3, with POSIX capabilities (Linux), with libpcre 7.4, with SMI 0.4.5,
with ADNS, without Lua, with GnuTLS 2.0.4, with Gcrypt 1.2.4, with MIT Kerberos,
without PortAudio, without AirPcap.

Running on Linux 2.6.24-19-generic, with libpcap version 0.9.5.

Built using gcc 4.2.3 (Ubuntu 4.2.3-2ubuntu7).

--
Got a segfault on my Linux when I tried to open the attached malformed traffic
poc_usb_urb_segfault. Below is the gdb trace:

Frame 32 (8 bytes on wire, 8 bytes captured)
    Arrival Time: Feb  6, 2007 09:05:45.914788000
    [Time delta from previous captured frame: 0.000006000 seconds]
    [Time delta from previous displayed frame: 0.000006000 seconds]
    [Time since reference or first frame: 0.319855000 seconds]
    Frame Number: 32
    Frame Length: 8 bytes
    Capture Length: 8 bytes
    [Frame is marked: False]
    [Protocols in frame: usb]
USB URB
    URB id: 4097246784
    URB type: URB_COMPLETE (67)
    URB transfer type: URB_CONTROL (2)
    Endpoint: 0x00
    Device: 1
    URB bus id: 1
    Setup flag: 45
    Data flag: 62
    [Request in: 31]
    [Time from request: 0.000006000 seconds]
    [bInterfaceClass: Unknown (0xffff)]
[Malformed Packet: USB]

0000  00 00 00 00 00 00 00 00                           ........


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb6040b60 (LWP 23958)]
0x00000018 in ?? ()
(gdb) backtrace
#0  0x00000018 in ?? ()
#1  0xb6e7fead in dissect_linux_usb (tvb=0x8366fa0, pinfo=0x21,
parent=0x8461d18) at packet-usb.c:1061
#2  0xb6925304 in call_dissector_through_handle (handle=0x83eada8,
tvb=0x8366fa0, pinfo=0x8461458, tree=0x8461d18) at packet.c:396
#3  0xb6925a87 in call_dissector_work (handle=0x83eada8, tvb=0x8366fa0,
pinfo_arg=0x8461458, tree=0x8461d18) at packet.c:485
#4  0xb6926d59 in dissector_try_port (sub_dissectors=0x8166bc0, port=95,
tvb=0x8366fa0, pinfo=0x8461458, tree=0x8461d18) at packet.c:870
#5  0xb6b755a9 in dissect_frame (tvb=0x8366fa0, pinfo=0x8461458,
parent_tree=0x8461d18) at packet-frame.c:305
#6  0xb6925304 in call_dissector_through_handle (handle=0x817bf30,
tvb=0x8366fa0, pinfo=0x8461458, tree=0x8461d18) at packet.c:396
#7  0xb6925a87 in call_dissector_work (handle=0x817bf30, tvb=0x8366fa0,
pinfo_arg=0x8461458, tree=0x8461d18) at packet.c:485
#8  0xb6925c30 in call_dissector (handle=0x817bf30, tvb=0x8366fa0,
pinfo=0x8461458, tree=0x8461d18) at packet.c:1787
#9  0xb69278ab in dissect_packet (edt=0x8461450, pseudo_header=0x84440c4,
pd=0x844a9d0 "", fd=0xbfac77d4, cinfo=0x0) at packet.c:332
#10 0xb691c954 in epan_dissect_run (edt=0x8461450, pseudo_header=0x84440c4,
data=0x844a9d0 "", fd=0xbfac77d4, cinfo=0x0) at epan.c:161
#11 0x08063abc in process_packet (cf=0x80743e0, offset=2130, whdr=0x84440b0,
pseudo_header=0x84440c4, pd=0x844a9d0 "") at tshark.c:2452
#12 0x080666f8 in main (argc=3, argv=0xbfac7af4) at tshark.c:2248

Seems the problem occurs in epan/dissectors/packet-usb.c at line 1061 when
calling "se_tree_insert32(usb_conv_info->transactions, pinfo->fd->num,
usb_trans_info);"

Regards,

David Maciejak
Fortinet's FortiGuard Global Security Research Team

