
Wireshark-bugs: [Wireshark-bugs] [Bug 7803] New: Invalid memory accesses when loading radius cap

Date: Sat, 6 Oct 2012 13:00:29 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7803

           Summary: Invalid memory accesses when loading radius captures
           Product: Wireshark
           Version: SVN
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Dissection engine (libwireshark)
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: eapache@xxxxxxxxx


Build Information:
wireshark 1.9.0 (SVN Rev 45350 from /trunk)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.13, with Cairo 1.12.2, with Pango 1.30.1, with
GLib 2.34.0, with libpcap, with libz 1.2.7, with POSIX capabilities (Linux),
with libnl 1, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, without Python,
with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with
PortAudio V19-devel (built Dec 10 2011 11:43:10), without AirPcap.

Running on Linux 3.5.0-17-generic, with locale en_CA.UTF-8, with libpcap version
1.3.0, with libz 1.2.7, GnuTLS 2.12.14, Gcrypt 1.5.0.

Built using gcc 4.7.2.
--
As discovered with Valgrind during investigation of bug 7801, there are invalid
memory accesses occurring when loading radius captures. The capture file from
that bug can be used to reproduce:

http://www.wireshark.org/download/automated/captures/fuzz-2012-10-05-27746.pcap

The Valgrind output looks like this:

==3867== Invalid read of size 1
==3867==    at 0x4C2C831: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3867==    by 0x973C348: g_str_equal (ghash.c:1704)
==3867==    by 0x973B51F: g_hash_table_insert_internal (ghash.c:422)
==3867==    by 0x609A821: Radiuslex (radius_dict.l:231)
==3867==    by 0x609B37C: radius_load_dictionary (radius_dict.l:596)
==3867==    by 0x656797F: register_radius_fields (packet-radius.c:2016)
==3867==    by 0x606CADD: proto_registrar_get_byname (proto.c:802)
==3867==    by 0x6566DB1: dissect_radius (packet-radius.c:1401)
==3867==    by 0x605F2DE: call_dissector_through_handle (packet.c:413)
==3867==    by 0x605FB2C: call_dissector_work (packet.c:508)
==3867==    by 0x606031F: dissector_try_uint_new (packet.c:928)
==3867==    by 0x6060376: dissector_try_uint (packet.c:954)
==3867==  Address 0x10279820 is 0 bytes inside a block of size 19 free'd
==3867==    at 0x4C2A739: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3867==    by 0x6099470: add_attribute (radius_dict.l:382)
==3867==    by 0x609A821: Radiuslex (radius_dict.l:231)
==3867==    by 0x609B37C: radius_load_dictionary (radius_dict.l:596)
==3867==    by 0x656797F: register_radius_fields (packet-radius.c:2016)
==3867==    by 0x606CADD: proto_registrar_get_byname (proto.c:802)
==3867==    by 0x6566DB1: dissect_radius (packet-radius.c:1401)
==3867==    by 0x605F2DE: call_dissector_through_handle (packet.c:413)
==3867==    by 0x605FB2C: call_dissector_work (packet.c:508)
==3867==    by 0x606031F: dissector_try_uint_new (packet.c:928)
==3867==    by 0x6060376: dissector_try_uint (packet.c:954)
==3867==    by 0x66BBEE4: decode_udp_ports (packet-udp.c:271)
==3867== 
==3867== Invalid read of size 1
==3867==    at 0x4C2C848: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3867==    by 0x973C348: g_str_equal (ghash.c:1704)
==3867==    by 0x973B51F: g_hash_table_insert_internal (ghash.c:422)
==3867==    by 0x609A821: Radiuslex (radius_dict.l:231)
==3867==    by 0x609B37C: radius_load_dictionary (radius_dict.l:596)
==3867==    by 0x656797F: register_radius_fields (packet-radius.c:2016)
==3867==    by 0x606CADD: proto_registrar_get_byname (proto.c:802)
==3867==    by 0x6566DB1: dissect_radius (packet-radius.c:1401)
==3867==    by 0x605F2DE: call_dissector_through_handle (packet.c:413)
==3867==    by 0x605FB2C: call_dissector_work (packet.c:508)
==3867==    by 0x606031F: dissector_try_uint_new (packet.c:928)
==3867==    by 0x6060376: dissector_try_uint (packet.c:954)
==3867==  Address 0x10279821 is 1 bytes inside a block of size 19 free'd
==3867==    at 0x4C2A739: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3867==    by 0x6099470: add_attribute (radius_dict.l:382)
==3867==    by 0x609A821: Radiuslex (radius_dict.l:231)
==3867==    by 0x609B37C: radius_load_dictionary (radius_dict.l:596)
==3867==    by 0x656797F: register_radius_fields (packet-radius.c:2016)
==3867==    by 0x606CADD: proto_registrar_get_byname (proto.c:802)
==3867==    by 0x6566DB1: dissect_radius (packet-radius.c:1401)
==3867==    by 0x605F2DE: call_dissector_through_handle (packet.c:413)
==3867==    by 0x605FB2C: call_dissector_work (packet.c:508)
==3867==    by 0x606031F: dissector_try_uint_new (packet.c:928)
==3867==    by 0x6060376: dissector_try_uint (packet.c:954)
==3867==    by 0x66BBEE4: decode_udp_ports (packet-udp.c:271)

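The two memcheck reports above have the same shape: a block is released in add_attribute (radius_dict.l:382), and the very next thing the dictionary loader does is a g_hash_table_insert whose key comparison (g_str_equal, i.e. strcmp) walks byte by byte through that freed block. That is the classic use-after-free of a hash table whose keys alias a string owned by the value record: free the record, and the table is left holding a dangling key. The program below is an added example, not Wireshark's code and not the fix that was eventually committed; the record layout, the function names (attr_new, add_attribute_unsafe, add_attribute_safe) and the two-entry sample dictionary are all constructed for illustration. Instead of calling free(), it quarantines released records and counts every key compare that touches one, which is a deterministic stand-in for what memcheck reported, so the buggy ordering and the corrected ordering (unlink the old record from the table before releasing it) can be compared side by side.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ATTRS 8

/* One dictionary attribute: heap-allocated name plus numeric code.
 * Hypothetical record shape, not Wireshark's radius dictionary struct. */
typedef struct {
    char *name;
    unsigned code;
    bool freed;   /* stands in for memcheck's "free'd block" bookkeeping */
} attr_t;

/* Name-keyed table whose keys are the records' own name pointers: the
 * aliasing that turns a free() of the record into a read of a stale key. */
typedef struct {
    attr_t *slots[MAX_ATTRS];
    int n;
    attr_t *released[MAX_ATTRS]; /* quarantine instead of free(), keeps the demo defined */
    int nreleased;
    int invalid_reads;           /* key compares that touched a released record */
} table_t;

static attr_t *attr_new(const char *name, unsigned code)
{
    attr_t *a = malloc(sizeof *a);
    size_t len = strlen(name) + 1;
    a->name = malloc(len);
    memcpy(a->name, name, len);
    a->code = code;
    a->freed = false;
    return a;
}

/* "free" the record; in real code this is free(a->name); free(a), and any
 * pointer still held elsewhere is dangling from here on. */
static void attr_release(table_t *t, attr_t *a)
{
    a->freed = true;
    t->released[t->nreleased++] = a;
}

/* g_str_equal-style compare plus memcheck-style accounting: touching a
 * released key is the "Invalid read of size 1 ... free'd" in the report. */
static bool key_equal(table_t *t, const attr_t *slot, const char *key)
{
    if (slot->freed)
        t->invalid_reads++;
    return strcmp(slot->name, key) == 0;
}

static attr_t *table_lookup(table_t *t, const char *name)
{
    for (int i = 0; i < t->n; i++)
        if (key_equal(t, t->slots[i], name))
            return t->slots[i];
    return NULL;
}

/* Insert-or-replace by name; every existing key is compared on the way. */
static void table_insert(table_t *t, attr_t *a)
{
    for (int i = 0; i < t->n; i++)
        if (key_equal(t, t->slots[i], a->name)) { t->slots[i] = a; return; }
    t->slots[t->n++] = a;
}

/* Buggy ordering: the duplicate is released while the table still keys on
 * its name, so the insert that follows strcmp()s against freed memory. */
static void add_attribute_unsafe(table_t *t, const char *name, unsigned code)
{
    attr_t *old = table_lookup(t, name);
    if (old)
        attr_release(t, old);              /* table still holds old->name as key */
    table_insert(t, attr_new(name, code)); /* compares against the freed key */
}

/* Fixed ordering: replace the slot first, release only once nothing
 * in the table references the old record. */
static void add_attribute_safe(table_t *t, const char *name, unsigned code)
{
    attr_t *old = table_lookup(t, name);
    table_insert(t, attr_new(name, code)); /* slot now points at the new record */
    if (old)
        attr_release(t, old);              /* no live key aliases it any more */
}

static void table_free(table_t *t)
{
    for (int i = 0; i < t->n; i++) { free(t->slots[i]->name); free(t->slots[i]); }
    for (int i = 0; i < t->nreleased; i++) { free(t->released[i]->name); free(t->released[i]); }
    memset(t, 0, sizeof *t);
}

/* Load a constructed two-entry dictionary, then redefine User-Name with the
 * chosen ordering. Returns the number of freed-key reads; *code_out gets the
 * code the table resolves User-Name to afterwards. */
int redefine_user_name(bool use_safe, unsigned *code_out)
{
    table_t t = {0};
    table_insert(&t, attr_new("User-Name", 1));
    table_insert(&t, attr_new("NAS-IP-Address", 4));
    if (use_safe) add_attribute_safe(&t, "User-Name", 99);
    else          add_attribute_unsafe(&t, "User-Name", 99);
    *code_out = table_lookup(&t, "User-Name")->code;
    int reads = t.invalid_reads;
    table_free(&t);
    return reads;
}

int main(void)
{
    unsigned code;
    int bad = redefine_user_name(false, &code);
    printf("unsafe ordering: %d freed-key read(s), User-Name -> %u\n", bad, code);
    int good = redefine_user_name(true, &code);
    printf("safe ordering:   %d freed-key read(s), User-Name -> %u\n", good, code);
    return 0;
}
```

Both orderings leave the table resolving User-Name to the new code, which is why a bug like this does not show up functionally and is only caught by a tool that tracks freed blocks; with a real allocator the freed name may already be reused, so the strcmp could just as easily match the wrong key or run past the block. To confirm a report of this kind against the actual capture, run the dissector under memcheck rather than reasoning from the trace alone, e.g. `valgrind --tool=memcheck tshark -nVr fuzz-2012-10-05-27746.pcap > /dev/null`, and check that the "free'd" stack and the "Invalid read" stack name the same allocation, as they do above.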