> Here is another trace with a tcp/SMB connection.
> Packet 151 causes a segmentation fault.
> What's the problem with this packet in WIN2001.TR1?
I don't know - the current version of Ethereal in CVS doesn't seem to
have a problem with that packet on my machine, at least, so perhaps a
bug was fixed, or perhaps it's just a difference between the OSes or
machines - but I *do* know that if I select packet 48 (a NetShareEnum
response), Ethereal gets a bus error on my machine, with the stack
trace:
#0 0x283e4e72 in vfprintf () from /usr/lib/libc.so.3
#1 0x2839e322 in vsnprintf () from /usr/lib/libc.so.3
#2 0x805f72c in proto_tree_add_item_value (tree=0x81b6868, hfindex=828,
start=137, length=4, include_format=1, visible=1,
ap=0xbfbfc5ac "#B\017\b"w\201v6o\036\b\200F??\034F??") at proto.c:405
#3 0x805f4e7 in proto_tree_add_text (tree=0x81b6868, start=137, length=4)
at proto.c:277
#4 0x80a06dc in dissect_pipe_lanman (pd=0x811f828 "", offset=114,
fd=0x81d7800, parent=0x81b6818, tree=0x81b6cc8, si={tid = 55298, uid = 0,
mid = 44, pid = 65279, conversation = 0x81ce030,
request_val = 0x81cf090, unicode = 0}, max_data=116, SMB_offset=58,
errcode=0, dirn=0, command=0x81eef36 "LANMAN", DataOffset=64,
DataCount=52, ParameterOffset=55, ParameterCount=8) at packet-smb.c:10081
#5 0x80a0a9d in dissect_pipe_smb (pd=0x811f828 "", offset=114, fd=0x81d7800,
parent=0x81b6818, tree=0x81b6cc8, si={tid = 55298, uid = 0, mid = 44,
pid = 65279, conversation = 0x81ce030, request_val = 0x81cf090,
unicode = 0}, max_data=116, SMB_offset=58, errcode=0, dirn=0,
command=0x81eef36 "LANMAN", DataOffset=64, DataCount=52,
ParameterOffset=55, ParameterCount=8) at packet-smb.c:10259
#6 0x809f095 in dissect_transact_params (pd=0x811f828 "", offset=114,
fd=0x81d7800, parent=0x81b6818, tree=0x81b6cc8, si={tid = 55298, uid = 0,
mid = 44, pid = 65279, conversation = 0x81ce030,
request_val = 0x81cf090, unicode = 0}, max_data=116, SMB_offset=58,
errcode=0, dirn=0, DataOffset=64, DataCount=52, ParameterOffset=55,
ParameterCount=8, TransactName=0x81d8170 "\\PIPE\\LANMAN")
at packet-smb.c:9086
#7 0x809fba5 in dissect_transact_smb (pd=0x811f828 "", offset=114,
fd=0x81d7800, parent=0x81b6818, tree=0x81b6cc8, si={tid = 55298, uid = 0,
mid = 44, pid = 65279, conversation = 0x81ce030,
request_val = 0x81cf090, unicode = 0}, max_data=116, SMB_offset=58,
errcode=0, dirn=0) at packet-smb.c:9710
#8 0x80a1f8b in dissect_smb (pd=0x811f828 "", offset=90, fd=0x81d7800,
tree=0x81b6818, max_data=116) at packet-smb.c:11439
Line 10081 of "packet-smb.c" is:
proto_tree_add_text(share, loc_offset, 4, "Share Comment: %s", Comment);
and Comment is:
(gdb) print Comment
$1 = 0xf681f7a2 <Address 0xf681f7a2 out of bounds>
"Comment" is set by
Comment = pd + SMB_offset + DataOffset + GWORD(pd, loc_offset);
and "GWORD(pd, loc_offset)" is -294650112 at that point, so either
"loc_offset" is past the end of the packet, "loc_offset" is pointing to
a bogus location inside the packet, or the packet is corrupt.
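The out-of-bounds pointer comes from adding a 32-bit value read out of the packet to the buffer pointer without checking it against the captured length: with the values in the trace, pd + 58 + 64 + 0xEE6FFF00 (the unsigned form of -294650112) wraps to exactly 0xf681f7a2, the address gdb printed. The program below is an added example, not Ethereal's code. It models GWORD as an explicit little-endian read (an assumption about the macro) and shows a bounds-checked form of the Comment computation that refuses the three things the original line silently trusts: that the offset field lies inside the packet, that the computed index does, and that the string is NUL-terminated before the capture ends. The packet layout, the "public" comment and the function names are constructed for the example; only the offsets 58, 64 and 137 are taken from the trace.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 32-bit read at pd[off]. Assumption: models Ethereal's GWORD
   macro; the caller must already know that off + 4 <= packet length. */
static uint32_t gword_le(const uint8_t *pd, size_t off)
{
    return (uint32_t)pd[off]
         | ((uint32_t)pd[off + 1] << 8)
         | ((uint32_t)pd[off + 2] << 16)
         | ((uint32_t)pd[off + 3] << 24);
}

/* Bounds-checked replacement for
 *     Comment = pd + SMB_offset + DataOffset + GWORD(pd, loc_offset);
 * Returns the byte index of the comment string within pd, or -1 when the
 * offset field, the computed index, or the string's terminator would lie
 * outside the captured data. */
long comment_index_checked(const uint8_t *pd, size_t pd_len,
                           size_t smb_offset, size_t data_offset,
                           size_t loc_offset)
{
    if (loc_offset > pd_len || pd_len - loc_offset < 4)
        return -1;                          /* offset field itself out of bounds */

    uint32_t rel = gword_le(pd, loc_offset);

    /* 64-bit sum: a huge "relative" offset cannot wrap back into the packet. */
    uint64_t idx = (uint64_t)smb_offset + data_offset + rel;
    if (idx >= pd_len)
        return -1;                          /* comment would start past the capture */

    if (memchr(pd + idx, '\0', pd_len - idx) == NULL)
        return -1;                          /* unterminated: "%s" would read past the end */

    return (long)idx;
}

/* Constructed 160-byte sample packet; only the offsets mirror the trace. */
#define PKT_LEN     160
#define SMB_OFFSET  58
#define DATA_OFFSET 64
#define LOC_OFFSET  137

static void build_packet(uint8_t *pd, uint32_t rel, const char *comment)
{
    memset(pd, 'A', PKT_LEN);               /* filler containing no NUL bytes */
    pd[LOC_OFFSET]     = (uint8_t)rel;      /* offset field, little-endian */
    pd[LOC_OFFSET + 1] = (uint8_t)(rel >> 8);
    pd[LOC_OFFSET + 2] = (uint8_t)(rel >> 16);
    pd[LOC_OFFSET + 3] = (uint8_t)(rel >> 24);
    if (comment != NULL)
        memcpy(pd + SMB_OFFSET + DATA_OFFSET + rel, comment, strlen(comment) + 1);
}

/* Well-formed: relative offset 2 puts "public\0" at index 58 + 64 + 2 = 124. */
long case_good(void)
{
    uint8_t pd[PKT_LEN];
    build_packet(pd, 2, "public");
    return comment_index_checked(pd, PKT_LEN, SMB_OFFSET, DATA_OFFSET, LOC_OFFSET);
}

/* Offset field holds 0xEE6FFF00, the unsigned form of gdb's -294650112. */
long case_trace_value(void)
{
    uint8_t pd[PKT_LEN];
    build_packet(pd, 0xEE6FFF00u, NULL);
    return comment_index_checked(pd, PKT_LEN, SMB_OFFSET, DATA_OFFSET, LOC_OFFSET);
}

/* Index 152 is inside the packet, but no NUL follows before byte 160. */
long case_unterminated(void)
{
    uint8_t pd[PKT_LEN];
    build_packet(pd, 30, NULL);
    return comment_index_checked(pd, PKT_LEN, SMB_OFFSET, DATA_OFFSET, LOC_OFFSET);
}

/* The 4-byte offset field itself straddles the end of the packet. */
long case_field_out_of_bounds(void)
{
    uint8_t pd[PKT_LEN];
    build_packet(pd, 2, NULL);
    return comment_index_checked(pd, PKT_LEN, SMB_OFFSET, DATA_OFFSET, PKT_LEN - 2);
}

/* The trace's offset value read back and shown signed, as gdb printed it. */
int64_t trace_gword_signed(void)
{
    uint8_t pd[PKT_LEN];
    build_packet(pd, 0xEE6FFF00u, NULL);
    uint32_t v = gword_le(pd, LOC_OFFSET);
    return v < 0x80000000u ? (int64_t)v : (int64_t)v - 0x100000000LL;
}

int main(void)
{
    printf("good packet:      index %ld\n", case_good());
    printf("trace value:      %ld (GWORD = %lld)\n", case_trace_value(),
           (long long)trace_gword_signed());
    printf("unterminated:     %ld\n", case_unterminated());
    printf("field past end:   %ld\n", case_field_out_of_bounds());
    return 0;
}
```

The checked function never forms a pointer past the buffer before validating the index, which is what distinguishes it from the original line: there the wrapped pointer already exists by the time "%s" dereferences it, so the crash lands inside vfprintf rather than in the dissector.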