Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 10028] Buildbot crash output: fuzz-2014-04-22-17437.pcap

Wireshark-bugs: [Wireshark-bugs] [Bug 10028] Buildbot crash output: fuzz-2014-04-22-17437.pcap

Date: Wed, 23 Apr 2014 20:27:00 +0000

What	Removed	Added
CC		[email protected], [email protected]

Comment # 1 on bug 10028 from Evan Huus

In kerberos.cnf:344, the dissector assumes that actx->value_ptr is a pointer to
a kerberos_key_t. In this particular case, it's a pointer to a guint32 instead
and we read uninitialized memory. I do not know enough about the
protocol/dissector to take this much further, but I see different functions
using value_ptr as different types all over, which doesn't seem safe?

==7631== Invalid read of size 8
==7631==    at 0x6FAE01A: dissect_kerberos_EncryptionKey (kerberos.cnf:352)
==7631==    by 0x66A3E9D: dissect_ber_sequence (packet-ber.c:2351)
==7631==    by 0x6FABDBF: dissect_kerberos_EncKDCRepPart (kerberos.cnf:434)
==7631==    by 0x66A13CB: dissect_ber_tagged_type (packet-ber.c:676)
==7631==    by 0x6FACB5D: dissect_kerberos_EncASRepPart (kerberos.cnf:444)
==7631==    by 0x66A2164: dissect_ber_choice (packet-ber.c:2862)
==7631==    by 0x6FAC97F: dissect_kerberos_Applications (kerberos.cnf:185)
==7631==    by 0x66A3B1B: dissect_ber_octet_string_wcb (packet-ber.c:1734)
==7631==    by 0x6FAD1E7: dissect_kerberos_T_padata_value (kerberos.cnf:178)
==7631==    by 0x66A3E9D: dissect_ber_sequence (packet-ber.c:2351)
==7631==    by 0x6FABAFF: dissect_kerberos_PA_DATA (kerberos.cnf:195)
==7631==    by 0x66A5B4E: dissect_ber_sq_of (packet-ber.c:3437)
==7631==  Address 0x128daa08 is 4 bytes after a block of size 4 alloc'd
==7631==    at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7631==    by 0x9879610: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==7631==    by 0x70913CF: wmem_simple_alloc (wmem_allocator_simple.c:50)
==7631==    by 0x6FAD621: dissect_kerberos_PADATA_TYPE (kerberos.cnf:123)
==7631==    by 0x66A3E9D: dissect_ber_sequence (packet-ber.c:2351)
==7631==    by 0x6FABAFF: dissect_kerberos_PA_DATA (kerberos.cnf:195)
==7631==    by 0x66A5B4E: dissect_ber_sq_of (packet-ber.c:3437)
==7631==    by 0x66A62CD: dissect_ber_sequence_of (packet-ber.c:3468)
==7631==    by 0x6FAC3CF: dissect_kerberos_SEQUENCE_OF_PA_DATA
(kerberos.cnf:208)
==7631==    by 0x66A3E9D: dissect_ber_sequence (packet-ber.c:2351)
==7631==    by 0x6FAC13F: dissect_kerberos_KDC_REQ (kerberos.cnf:422)
==7631==    by 0x66A13CB: dissect_ber_tagged_type (packet-ber.c:676)

You are receiving this mail because:

You are watching all bug changes.

References:
- [Wireshark-bugs] [Bug 10028] New: Buildbot crash output: fuzz-2014-04-22-17437.pcap
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 10018] Buildbot crash output: fuzz-2014-04-20-18407.pcap
Next by Date: [Wireshark-bugs] [Bug 9914] Wireshark GUI memory leak
Previous by thread: [Wireshark-bugs] [Bug 10028] New: Buildbot crash output: fuzz-2014-04-22-17437.pcap
Next by thread: [Wireshark-bugs] [Bug 10028] Buildbot crash output: fuzz-2014-04-22-17437.pcap
Index(es):
- Date
- Thread