Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 2922] New: USB URB dissector denial of service

Wireshark-bugs: [Wireshark-bugs] [Bug 2922] New: USB URB dissector denial of service

Date: Wed, 1 Oct 2008 01:00:21 -0700 (PDT)

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2922

           Summary: USB URB dissector denial of service
           Product: Wireshark
           Version: 1.0.3
          Platform: PC
        OS/Version: Linux (other)
            Status: NEW
          Severity: Normal
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: david.maciejak@xxxxxxxxx


Created an attachment (id=2286)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=2286)
poc_usb_urb_segfault

Build Information:
wireshark 1.0.3

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.9, with GLib 2.16.4, with libpcap 0.9.5, with libz
1.2.3.3, with POSIX capabilities (Linux), with libpcre 7.4, with SMI 0.4.5,
with
ADNS, without Lua, with GnuTLS 2.0.4, with Gcrypt 1.2.4, with MIT Kerberos,
without PortAudio, without AirPcap.

Running on Linux 2.6.24-19-generic, with libpcap version 0.9.5.

Built using gcc 4.2.3 (Ubuntu 4.2.3-2ubuntu7).

--
Got a segfault on my linux when I tried to open the malformed traffic
poc_usb_urb_segfault attached. Below the gdb trace:

Frame 32 (8 bytes on wire, 8 bytes captured)
    Arrival Time: Feb  6, 2007 09:05:45.914788000
    [Time delta from previous captured frame: 0.000006000 seconds]
    [Time delta from previous displayed frame: 0.000006000 seconds]
    [Time since reference or first frame: 0.319855000 seconds]
    Frame Number: 32
    Frame Length: 8 bytes
    Capture Length: 8 bytes
    [Frame is marked: False]
    [Protocols in frame: usb]
USB URB
    URB id: 4097246784
    URB type: URB_COMPLETE (67)
    URB transfer type: URB_CONTROL (2)
    Endpoint: 0x00
    Device: 1
    URB bus id: 1
    Setup flag: 45
    Data flag: 62
    [Request in: 31]
    [Time from request: 0.000006000 seconds]
    [bInterfaceClass: Unknown (0xffff)]
[Malformed Packet: USB]

0000  00 00 00 00 00 00 00 00                           ........


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb6040b60 (LWP 23958)]
0x00000018 in ?? ()
(gdb) backtrace
#0  0x00000018 in ?? ()
#1  0xb6e7fead in dissect_linux_usb (tvb=0x8366fa0, pinfo=0x21,
parent=0x8461d18) at packet-usb.c:1061
#2  0xb6925304 in call_dissector_through_handle (handle=0x83eada8,
tvb=0x8366fa0, pinfo=0x8461458, tree=0x8461d18) at packet.c:396
#3  0xb6925a87 in call_dissector_work (handle=0x83eada8, tvb=0x8366fa0,
pinfo_arg=0x8461458, tree=0x8461d18) at packet.c:485
#4  0xb6926d59 in dissector_try_port (sub_dissectors=0x8166bc0, port=95,
tvb=0x8366fa0, pinfo=0x8461458, tree=0x8461d18) at packet.c:870
#5  0xb6b755a9 in dissect_frame (tvb=0x8366fa0, pinfo=0x8461458,
parent_tree=0x8461d18) at packet-frame.c:305
#6  0xb6925304 in call_dissector_through_handle (handle=0x817bf30,
tvb=0x8366fa0, pinfo=0x8461458, tree=0x8461d18) at packet.c:396
#7  0xb6925a87 in call_dissector_work (handle=0x817bf30, tvb=0x8366fa0,
pinfo_arg=0x8461458, tree=0x8461d18) at packet.c:485
#8  0xb6925c30 in call_dissector (handle=0x817bf30, tvb=0x8366fa0,
pinfo=0x8461458, tree=0x8461d18) at packet.c:1787
#9  0xb69278ab in dissect_packet (edt=0x8461450, pseudo_header=0x84440c4,
pd=0x844a9d0 "", fd=0xbfac77d4, cinfo=0x0) at packet.c:332
#10 0xb691c954 in epan_dissect_run (edt=0x8461450, pseudo_header=0x84440c4,
data=0x844a9d0 "", fd=0xbfac77d4, cinfo=0x0) at epan.c:161
#11 0x08063abc in process_packet (cf=0x80743e0, offset=2130, whdr=0x84440b0,
pseudo_header=0x84440c4, pd=0x844a9d0 "") at tshark.c:2452
#12 0x080666f8 in main (argc=3, argv=0xbfac7af4) at tshark.c:2248

seems the problem occurs in epan/dissectors/packet-usb.c at line 1061 when
calling "se_tree_insert32(usb_conv_info->transactions, pinfo->fd->num,
usb_trans_info);"

Regards,

David Maciejak
Fortinet's FortiGuard Global Security Research Team


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

Follow-Ups:
- [Wireshark-bugs] [Bug 2922] USB URB dissector denial of service
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 2922] USB URB dissector denial of service
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 2922] USB URB dissector denial of service
  - From: bugzilla-daemon

Next by Date: [Wireshark-bugs] [Bug 2923] New: LeCroy VICP protocol dissector
Next by thread: [Wireshark-bugs] [Bug 2922] USB URB dissector denial of service
Index(es):
- Date
- Thread