
Wireshark-bugs: [Wireshark-bugs] [Bug 2924] New: Bluetooth HCI memory corruption

Date: Wed, 1 Oct 2008 01:38:14 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2924

           Summary: Bluetooth HCI memory corruption
           Product: Wireshark
           Version: 1.0.3
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: david.maciejak@xxxxxxxxx


Created an attachment (id=2289)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=2289)
poc_bthci_pcap

Build Information:
wireshark 1.0.3

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.9, with GLib 2.16.4, with libpcap 0.9.5, with libz
1.2.3.3, with POSIX capabilities (Linux), with libpcre 7.4, with SMI 0.4.5,
with ADNS, without Lua, with GnuTLS 2.0.4, with Gcrypt 1.2.4, with MIT Kerberos,
without PortAudio, without AirPcap.

Running on Linux 2.6.24-19-generic, with libpcap version 0.9.5.

Built using gcc 4.2.3 (Ubuntu 4.2.3-2ubuntu7).

--
Got a segfault when trying to open the malformed traffic poc attached.
Below is the gdb trace:

[Thread debugging using libthread_db enabled]
[New Thread 0xb581e740 (LWP 8082)]
10:24:27          Warn radius: Could not find the radius directory
*** glibc detected *** /home/koma/Desktop/wireshark-1.0.3/.libs/lt-wireshark:
malloc(): memory corruption: 0x086fdd70 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb5c4b356]
/lib/tls/i686/cmov/libc.so.6(__libc_malloc+0x8d)[0xb5c4ccad]
/usr/lib/libglib-2.0.so.0(g_malloc+0x2d)[0xb5f75dcd]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0(se_alloc+0x2f)[0xb698cb4f]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0(emem_tree_insert32+0x76)[0xb698db56]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0[0xb6aa3538]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0[0xb6997304]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0[0xb6997a87]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0(dissector_try_port+0x69)[0xb6998d59]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0[0xb6c3cb36]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0[0xb6997304]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0[0xb6997a87]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0(dissector_try_port+0x69)[0xb6998d59]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0[0xb6be75a9]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0[0xb6997304]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0[0xb6997a87]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0(call_dissector+0x40)[0xb6997c30]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0(dissect_packet+0x40b)[0xb69998ab]
/home/koma/Desktop/wireshark-1.0.3/epan/.libs/libwireshark.so.0(epan_dissect_run+0x44)[0xb698e954]
/home/koma/Desktop/wireshark-1.0.3/.libs/lt-wireshark[0x807488f]
/home/koma/Desktop/wireshark-1.0.3/.libs/lt-wireshark[0x8075ea1]
/home/koma/Desktop/wireshark-1.0.3/.libs/lt-wireshark(cf_read+0x658)[0x80767d8]
/home/koma/Desktop/wireshark-1.0.3/.libs/lt-wireshark(main+0xdfe)[0x808c56e]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb5bf5450]
/home/koma/Desktop/wireshark-1.0.3/.libs/lt-wireshark(register_all_protocols+0x5c9)[0x8066151]
======= Memory map: ========
Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb581e740 (LWP 8082)]
0xb7f61410 in __kernel_vsyscall ()
(gdb) backtrace
#0  0xb7f61410 in __kernel_vsyscall ()
#1  0xb5c0a085 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb5c0ba01 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb5c42b7c in ?? () from /lib/tls/i686/cmov/libc.so.6
#4  0xb5c4b356 in ?? () from /lib/tls/i686/cmov/libc.so.6
#5  0xb5c4ccad in malloc () from /lib/tls/i686/cmov/libc.so.6
#6  0xb5f75dcd in g_malloc () from /usr/lib/libglib-2.0.so.0
#7  0xb698cb4f in se_alloc (size=24) at emem.c:484
#8  0xb698db56 in emem_tree_insert32 (se_tree=0x8859230, key=15,
data=0x86fde30) at emem.c:1222
#9  0xb6aa3538 in dissect_btacl (tvb=0x8874248, pinfo=0x884c4d0,
tree=0x89116d8) at packet-bthci_acl.c:175
#10 0xb6997304 in call_dissector_through_handle (handle=0x83c5070,
tvb=0x8874248, pinfo=0x884c4d0, tree=0x89116d8) at packet.c:396
#11 0xb6997a87 in call_dissector_work (handle=0x83c5070, tvb=0x8874248,
pinfo_arg=0x884c4d0, tree=0x89116d8) at packet.c:485
#12 0xb6998d59 in dissector_try_port (sub_dissectors=0x84bcac8, port=2,
tvb=0x8874248, pinfo=0x884c4d0, tree=0x89116d8) at packet.c:870
#13 0xb6c3cb36 in dissect_hci_h4 (tvb=0x8874210, pinfo=0x884c4d0,
tree=0x89116d8) at packet-hci_h4.c:95
#14 0xb6997304 in call_dissector_through_handle (handle=0x84bcab0,
tvb=0x8874210, pinfo=0x884c4d0, tree=0x89116d8) at packet.c:396
#15 0xb6997a87 in call_dissector_work (handle=0x84bcab0, tvb=0x8874210,
pinfo_arg=0x884c4d0, tree=0x89116d8) at packet.c:485
#16 0xb6998d59 in dissector_try_port (sub_dissectors=0x845a620, port=41,
tvb=0x8874210, pinfo=0x884c4d0, tree=0x89116d8) at packet.c:870
#17 0xb6be75a9 in dissect_frame (tvb=0x8874210, pinfo=0x884c4d0,
parent_tree=0x89116d8) at packet-frame.c:305
#18 0xb6997304 in call_dissector_through_handle (handle=0x845a690,
tvb=0x8874210, pinfo=0x884c4d0, tree=0x89116d8) at packet.c:396
#19 0xb6997a87 in call_dissector_work (handle=0x845a690, tvb=0x8874210,
pinfo_arg=0x884c4d0, tree=0x89116d8) at packet.c:485
#20 0xb6997c30 in call_dissector (handle=0x845a690, tvb=0x8874210,
pinfo=0x884c4d0, tree=0x89116d8) at packet.c:1787
#21 0xb69998ab in dissect_packet (edt=0x884c4c8, pseudo_header=0x888c274,
pd=0x88fd188 "\002) %s\027", fd=0x891a9c0, cinfo=0x81b96bc)
    at packet.c:332
#22 0xb698e954 in epan_dissect_run (edt=0x884c4c8, pseudo_header=0x888c274,
data=0x88fd188 "\002) %s\027", fd=0x891a9c0, cinfo=0x81b96bc)
    at epan.c:161
#23 0x0807488f in add_packet_to_packet_list (fdata=0x891a9c0, cf=0x81a95a0,
dfcode=0x0, pseudo_header=0x888c274, 
    buf=0x88fd188 "\002) %s\027", refilter=1) at file.c:966
#24 0x08075ea1 in read_packet (cf=0x81a95a0, dfcode=0x0, offset=487) at
file.c:1103
#25 0x080767d8 in cf_read (cf=0x81a95a0) at file.c:497
#26 0x0808c56e in main (argc=Cannot access memory at address 0x0
) at main.c:3123

Seems the problem occurs in epan/dissectors/packet-bthci_acl.c line 175 when
calling "se_tree_insert32(chandle_data->start_fragments, pinfo->fd->num, mfp);"
which called a malloc in emem.c

Regards,

David Maciejak
Fortinet's FortiGuard Global Security Research Team
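As an added illustration of the triage step the report performs (not code from the report or from the Wireshark project): a small Python helper that parses a gdb backtrace of this shape, re-joins gdb's wrapped argument lines, skips the libc/GLib frames that carry no source location and Wireshark's own allocator frames in emem.c, and returns the first dissector frame, here dissect_btacl at packet-bthci_acl.c:175. The sample text is a constructed excerpt of the trace above; the file-based allocator filter is an assumption that fits this trace.

```python
import re
from typing import NamedTuple, Optional

# Constructed excerpt of the gdb backtrace quoted in the report (frames #5 to #10).
SAMPLE_BACKTRACE = """\
#5  0xb5c4ccad in malloc () from /lib/tls/i686/cmov/libc.so.6
#6  0xb5f75dcd in g_malloc () from /usr/lib/libglib-2.0.so.0
#7  0xb698cb4f in se_alloc (size=24) at emem.c:484
#8  0xb698db56 in emem_tree_insert32 (se_tree=0x8859230, key=15,
data=0x86fde30) at emem.c:1222
#9  0xb6aa3538 in dissect_btacl (tvb=0x8874248, pinfo=0x884c4d0,
tree=0x89116d8) at packet-bthci_acl.c:175
#10 0xb6997304 in call_dissector_through_handle (handle=0x83c5070,
tvb=0x8874248, pinfo=0x884c4d0, tree=0x89116d8) at packet.c:396
"""

class Frame(NamedTuple):
    index: int
    function: str
    source: Optional[str]  # "file.c:line" when gdb had debug info, else None

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+ in (\S+) \(")
SOURCE_RE = re.compile(r" at ([\w./-]+:\d+)\s*$")
# Assumed filter: Wireshark's allocator (se_alloc, emem_tree_insert32) lives in emem.c.
ALLOCATOR_FILES = {"emem.c"}

def parse_backtrace(text):
    """Re-join the argument lines gdb wraps, then parse one Frame per '#N' entry."""
    entries = []
    for line in text.splitlines():
        if line.startswith("#"):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line.strip()
    frames = []
    for entry in entries:
        m = FRAME_RE.match(entry)
        if not m:
            continue
        s = SOURCE_RE.search(entry)
        frames.append(Frame(int(m.group(1)), m.group(2), s.group(1) if s else None))
    return frames

def first_suspect_frame(frames):
    """First frame with a source location outside the allocator: where to start
    reading. glibc only *detected* the corruption at this malloc call."""
    for fr in frames:
        if fr.source and fr.source.split(":")[0] not in ALLOCATOR_FILES:
            return fr
    return None
```

Because glibc's "malloc(): memory corruption" check fires on the next allocation after the heap was damaged, the returned frame is the place to begin reading, not necessarily the line that performed the out-of-bounds write.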

