Wireshark-bugs: [Wireshark-bugs] [Bug 6519] CIP dissector: Buildbot crash output: fuzz-2011-10-3
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6519
--- Comment #9 from Roland Knall <rknall@xxxxxxxxx> 2011-11-02 07:56:39 PDT ---
Ok, found it. But this took a while to step through. What basically happens is
the following:
1. dissect_cip_data get's called the first time
2. (!!) p_add_proto_data get's called, at the beginning of the first run
through dissect_cip_data, and stores a reference to cia_data
3. using a heuristic dissector lookup table 'dissect_cip_generic_service_rsp'
get's called
4. using the case, it call's dissect_cip_multiple_service_packet_rsp
Here the error occurs, by accessing mr_mult_req_info->requests. The problem
with that access is, that the method relies on the fact, that p_get_proto_data
does in fact return a cip_req_info where pData is NULL, which would case a
se_alloc for mr_mult_req_info->requests.
But this does not happen, as this specific memory has already been written with
a call to p_add_proto_data during the first call to dissect_cip_data.
It seems, that dissect_cip_multiple_service_packet_rsp is not prepared to be
called during a heuristic call, if the memory has been pre-written with
0xbaddcafe.
So, I can not provide a solution directly here. This part of the code needs a
deeper background knowledge for CIP, to be handled correctly. In principal the
initialization for mr_mult_req_info->requests has to be handled more securely,
as it is done at the moment.
But I can say, that disabling the complete dissector seems to be unnecessary.
Disabling the method itself suffices for avoiding the fuzz-test crash. The
patch I will provide will add a malformed information to the relevant packages,
and disable the function itself.
regards,
Roland
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.