Wireshark-bugs: [Wireshark-bugs] [Bug 6519] CIP dissector: Buildbot crash output: fuzz-2011-10-3
Date: Wed, 2 Nov 2011 07:56:41 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6519

--- Comment #9 from Roland Knall <rknall@xxxxxxxxx> 2011-11-02 07:56:39 PDT ---
Ok, found it. But this took a while to step through. What basically happens is
the following:

1. dissect_cip_data get's called the first time
2. (!!) p_add_proto_data get's called, at the beginning of the first run
through dissect_cip_data, and stores a reference to cia_data
3. using a heuristic dissector lookup table 'dissect_cip_generic_service_rsp'
get's called
4. using the case, it call's dissect_cip_multiple_service_packet_rsp

Here the error occurs, by accessing mr_mult_req_info->requests. The problem
with that access is, that the method relies on the fact, that p_get_proto_data
does in fact return a cip_req_info where pData is NULL, which would case a
se_alloc for mr_mult_req_info->requests.

But this does not happen, as this specific memory has already been written with
a call to p_add_proto_data during the first call to dissect_cip_data.

It seems, that dissect_cip_multiple_service_packet_rsp is not prepared to be
called during a heuristic call, if the memory has been pre-written with
0xbaddcafe.

So, I can not provide a solution directly here. This part of the code needs a
deeper background knowledge for CIP, to be handled correctly. In principal the
initialization for mr_mult_req_info->requests has to be handled more securely,
as it is done at the moment.

But I can say, that disabling the complete dissector seems to be unnecessary.
Disabling the method itself suffices for avoiding the fuzz-test crash. The
patch I will provide will add a malformed information to the relevant packages,
and disable the function itself.

regards,
Roland

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.