Wireshark-bugs: [Wireshark-bugs] [Bug 7803] New: Invalid memory accesses when loading radius cap
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7803
Summary: Invalid memory accesses when loading radius captures
Product: Wireshark
Version: SVN
Platform: All
OS/Version: All
Status: NEW
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
ReportedBy: eapache@xxxxxxxxx
Build Information:
wireshark 1.9.0 (SVN Rev 45350 from /trunk)
Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GTK+ 2.24.13, with Cairo 1.12.2, with Pango 1.30.1, with
GLib 2.34.0, with libpcap, with libz 1.2.7, with POSIX capabilities (Linux),
with libnl 1, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, without Python,
with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with
PortAudio V19-devel (built Dec 10 2011 11:43:10), without AirPcap.
Running on Linux 3.5.0-17-generic, with locale en_CA.UTF-8, with libpcap
version
1.3.0, with libz 1.2.7, GnuTLS 2.12.14, Gcrypt 1.5.0.
Built using gcc 4.7.2.
--
As discovered with Valgrind during investigation of bug 7801, there are invalid
memory accesses occurring when loading radius captures. The capture file from
that bug can be used to reproduce:
http://www.wireshark.org/download/automated/captures/fuzz-2012-10-05-27746.pcap
The Valgrind output looks like this:
==3867== Invalid read of size 1
==3867== at 0x4C2C831: strcmp (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3867== by 0x973C348: g_str_equal (ghash.c:1704)
==3867== by 0x973B51F: g_hash_table_insert_internal (ghash.c:422)
==3867== by 0x609A821: Radiuslex (radius_dict.l:231)
==3867== by 0x609B37C: radius_load_dictionary (radius_dict.l:596)
==3867== by 0x656797F: register_radius_fields (packet-radius.c:2016)
==3867== by 0x606CADD: proto_registrar_get_byname (proto.c:802)
==3867== by 0x6566DB1: dissect_radius (packet-radius.c:1401)
==3867== by 0x605F2DE: call_dissector_through_handle (packet.c:413)
==3867== by 0x605FB2C: call_dissector_work (packet.c:508)
==3867== by 0x606031F: dissector_try_uint_new (packet.c:928)
==3867== by 0x6060376: dissector_try_uint (packet.c:954)
==3867== Address 0x10279820 is 0 bytes inside a block of size 19 free'd
==3867== at 0x4C2A739: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3867== by 0x6099470: add_attribute (radius_dict.l:382)
==3867== by 0x609A821: Radiuslex (radius_dict.l:231)
==3867== by 0x609B37C: radius_load_dictionary (radius_dict.l:596)
==3867== by 0x656797F: register_radius_fields (packet-radius.c:2016)
==3867== by 0x606CADD: proto_registrar_get_byname (proto.c:802)
==3867== by 0x6566DB1: dissect_radius (packet-radius.c:1401)
==3867== by 0x605F2DE: call_dissector_through_handle (packet.c:413)
==3867== by 0x605FB2C: call_dissector_work (packet.c:508)
==3867== by 0x606031F: dissector_try_uint_new (packet.c:928)
==3867== by 0x6060376: dissector_try_uint (packet.c:954)
==3867== by 0x66BBEE4: decode_udp_ports (packet-udp.c:271)
==3867==
==3867== Invalid read of size 1
==3867== at 0x4C2C848: strcmp (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3867== by 0x973C348: g_str_equal (ghash.c:1704)
==3867== by 0x973B51F: g_hash_table_insert_internal (ghash.c:422)
==3867== by 0x609A821: Radiuslex (radius_dict.l:231)
==3867== by 0x609B37C: radius_load_dictionary (radius_dict.l:596)
==3867== by 0x656797F: register_radius_fields (packet-radius.c:2016)
==3867== by 0x606CADD: proto_registrar_get_byname (proto.c:802)
==3867== by 0x6566DB1: dissect_radius (packet-radius.c:1401)
==3867== by 0x605F2DE: call_dissector_through_handle (packet.c:413)
==3867== by 0x605FB2C: call_dissector_work (packet.c:508)
==3867== by 0x606031F: dissector_try_uint_new (packet.c:928)
==3867== by 0x6060376: dissector_try_uint (packet.c:954)
==3867== Address 0x10279821 is 1 bytes inside a block of size 19 free'd
==3867== at 0x4C2A739: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3867== by 0x6099470: add_attribute (radius_dict.l:382)
==3867== by 0x609A821: Radiuslex (radius_dict.l:231)
==3867== by 0x609B37C: radius_load_dictionary (radius_dict.l:596)
==3867== by 0x656797F: register_radius_fields (packet-radius.c:2016)
==3867== by 0x606CADD: proto_registrar_get_byname (proto.c:802)
==3867== by 0x6566DB1: dissect_radius (packet-radius.c:1401)
==3867== by 0x605F2DE: call_dissector_through_handle (packet.c:413)
==3867== by 0x605FB2C: call_dissector_work (packet.c:508)
==3867== by 0x606031F: dissector_try_uint_new (packet.c:928)
==3867== by 0x6060376: dissector_try_uint (packet.c:954)
==3867== by 0x66BBEE4: decode_udp_ports (packet-udp.c:271)
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.