Wireshark-bugs: [Wireshark-bugs] [Bug 8198] New: RTPS dissector crash
Date: Sat, 12 Jan 2013 13:12:09 +0000
Bug ID | 8198 |
---|---|
Summary | RTPS dissector crash |
Classification | Unclassified |
Product | Wireshark |
Version | 1.8.4 |
Hardware | x86-64 |
OS | All |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | TShark |
Assignee | bugzilla-admin@wireshark.org |
Reporter | laurentb@gmail.com |
Created attachment 9802 [details]
Capture that crashes
Build Information:
1.8.4
--
--
Hi,
Here is a PCAP file triggering an SIGABRT that could enable (at least) a remote
party to trigger a denial of service.
This file was generated thanks to a fuzz testing campaign.
Laurent Butti.
--
Program received signal SIGABRT, Aborted.
0x00007ffff2e9e425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff2e9e425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff2ea1b8b in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff2edc39e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ffff2f72807 in __fortify_fail () from
/lib/x86_64-linux-gnu/libc.so.6
#4 0x00007ffff2f727d0 in __stack_chk_fail () from
/lib/x86_64-linux-gnu/libc.so.6
#5 0x00007ffff514bc02 in rtps_util_add_bitmap (tree=0x7ffff7fefff0,
tvb=0x15eade0, offset=112, little_endian=<optimized out>, label=0x7ffff604d5d7
"gapList")
at packet-rtps.c:2819
#6 0x00007ffff56a32a8 in dissect_GAP (tree=0x7ffff7fefff0,
octects_to_next_header=60760, little_endian=0, flags=<optimized out>,
offset=36, tvb=0x15eade0)
at packet-rtps.c:5083
#7 dissect_rtps (tvb=0x15eade0, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at
packet-rtps.c:5792
#8 0x00007ffff517ee4c in dissector_try_heuristic (sub_dissectors=<optimized
out>, tvb=0x15eade0, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at
packet.c:1781
#9 0x00007ffff579b2fb in decode_udp_ports (tvb=<optimized out>,
offset=<optimized out>, pinfo=0x7fffffffd510, tree=0x7ffff7fef000,
uh_sport=58018,
uh_dport=7401, uh_ulen=132) at packet-udp.c:281
#10 0x00007ffff579b9c3 in dissect (tvb=0x15fc860, pinfo=0x7fffffffd510,
tree=0x7ffff7fef000, ip_proto=<optimized out>) at packet-udp.c:595
#11 0x00007ffff517d180 in call_dissector_through_handle (handle=0x1207a70,
tvb=0x15fc860, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at packet.c:433
#12 0x00007ffff517d865 in call_dissector_work (handle=0x1207a70, tvb=0x15fc860,
pinfo_arg=0x7fffffffd510, tree=0x7ffff7fef000, add_proto_name=1)
at packet.c:524
#13 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=17, tvb=0x15fc860, pinfo=0x7fffffffd510, tree=0x7ffff7fef000,
add_proto_name=1) at packet.c:943
#14 0x00007ffff54bfe6b in dissect_ip (tvb=0x15fc760, pinfo=<optimized out>,
parent_tree=0x7ffff7fef000) at packet-ip.c:2396
#15 0x00007ffff517d180 in call_dissector_through_handle (handle=0xb99b30,
tvb=0x15fc760, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at packet.c:433
#16 0x00007ffff517d865 in call_dissector_work (handle=0xb99b30, tvb=0x15fc760,
pinfo_arg=0x7fffffffd510, tree=0x7ffff7fef000, add_proto_name=1)
at packet.c:524
#17 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=2048, tvb=0x15fc760, pinfo=0x7fffffffd510, tree=0x7ffff7fef000,
add_proto_name=1) at packet.c:943
#18 0x00007ffff53adffa in ethertype (etype=2048, tvb=0x15fc400,
offset_after_etype=14, pinfo=0x7fffffffd510, tree=0x7ffff7fef000,
fh_tree=0x7ffff7fef6c0,
etype_id=21641, trailer_id=21645, fcs_len=-1) at packet-ethertype.c:270
#19 0x00007ffff53acabc in dissect_eth_common (tvb=0x15fc400,
pinfo=0x7fffffffd510, parent_tree=0x7ffff7fef000, fcs_len=-1) at
packet-eth.c:403
#20 0x00007ffff517d180 in call_dissector_through_handle (handle=0x9e2820,
tvb=0x15fc400, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at packet.c:433
#21 0x00007ffff517d865 in call_dissector_work (handle=0x9e2820, tvb=0x15fc400,
pinfo_arg=0x7fffffffd510, tree=0x7ffff7fef000, add_proto_name=1)
at packet.c:524
#22 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=1, tvb=0x15fc400, pinfo=0x7fffffffd510, tree=0x7ffff7fef000,
add_proto_name=1) at packet.c:943
#23 0x00007ffff53dfc1b in dissect_frame (tvb=0x15fc400, pinfo=0x7fffffffd510,
parent_tree=0x7ffff7fef000) at packet-frame.c:383
#24 0x00007ffff517d180 in call_dissector_through_handle (handle=0xa2a740,
tvb=0x15fc400, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at packet.c:433
#25 0x00007ffff517d865 in call_dissector_work (handle=0xa2a740, tvb=0x15fc400,
pinfo_arg=0x7fffffffd510, tree=0x7ffff7fef000, add_proto_name=1)
at packet.c:524
#26 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>,
tvb=0x15fc400, pinfo=0x7fffffffd510, tree=0x7ffff7fef000) at packet.c:2050
#27 0x00007ffff517f9b4 in dissect_packet (edt=0x7fffffffd500,
pseudo_header=0x0, pd=0x15d43b0 "\001", fd=0x7fffffffd6a0, cinfo=0x0) at
packet.c:364
#28 0x000000000041ad8b in ?? ()
#29 0x00000000015fc400 in ?? ()
#30 0x00007ffff7fef000 in ?? ()
#31 0x00007ffff604d501 in ?? () from
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2
#32 0x0000000000000000 in ?? ()
(gdb) python import exploitable
(gdb) exploitable -v
'exploitable' version 1.04
Linux nitro 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:52:48 UTC 2012 x86_64
Signal si_signo: 6 Signal si_addr: 0x3e800000ba8
Nearby code:
0x00007ffff2e9e415 <+37>: movsxd rdx,edi
0x00007ffff2e9e418 <+40>: movsxd rsi,esi
0x00007ffff2e9e41b <+43>: movsxd rdi,eax
0x00007ffff2e9e41e <+46>: mov eax,0xea
0x00007ffff2e9e423 <+51>: syscall
=> 0x00007ffff2e9e425 <+53>: cmp rax,0xfffffffffffff000
0x00007ffff2e9e42b <+59>: ja 0x7ffff2e9e43f <raise+79>
0x00007ffff2e9e42d <+61>: repz ret
0x00007ffff2e9e42f <+63>: nop
0x00007ffff2e9e430 <+64>: test eax,eax
Stack trace:
# 0 raise at 0x7ffff2e9e425 in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
# 1 abort at 0x7ffff2ea1b8b in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
# 2 None at 0x7ffff2edc39e in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
# 3 __fortify_fail at 0x7ffff2f72807 in /lib/x86_64-linux-gnu/libc-2.15.so
(BL)
# 4 __stack_chk_fail at 0x7ffff2f727d0 in /lib/x86_64-linux-gnu/libc-2.15.so
(BL)
# 5 rtps_util_add_bitmap at 0x7ffff514bc02 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 6 dissect_GAP at 0x7ffff56a32a8 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 7 dissect_rtps at 0x7ffff56a32a8 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 8 dissector_try_heuristic at 0x7ffff517ee4c in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 9 decode_udp_ports at 0x7ffff579b2fb in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 10 dissect at 0x7ffff579b9c3 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 11 call_dissector_through_handle at 0x7ffff517d180 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 12 call_dissector_work at 0x7ffff517d865 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 13 dissector_try_uint_new at 0x7ffff517e08e in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 14 dissect_ip at 0x7ffff54bfe6b in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 15 call_dissector_through_handle at 0x7ffff517d180 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 16 call_dissector_work at 0x7ffff517d865 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 17 dissector_try_uint_new at 0x7ffff517e08e in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 18 ethertype at 0x7ffff53adffa in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 19 dissect_eth_common at 0x7ffff53acabc in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 20 call_dissector_through_handle at 0x7ffff517d180 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 21 call_dissector_work at 0x7ffff517d865 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 22 dissector_try_uint_new at 0x7ffff517e08e in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 23 dissect_frame at 0x7ffff53dfc1b in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 24 call_dissector_through_handle at 0x7ffff517d180 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 25 call_dissector_work at 0x7ffff517d865 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 26 call_dissector at 0x7ffff517f5a1 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 27 dissect_packet at 0x7ffff517f9b4 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 28 None at 0x41ad8b in /home/laurent/fuzzing/bin/wireshark-1.8.4/bin/tshark
# 29 None at 0x15fc400 in [heap]
# 30 None at 0x7ffff7fef000 in
# 31 None at 0x7ffff604d501 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 32 None at 0x0 in None
Faulting frame: # 5 rtps_util_add_bitmap at 0x7ffff514bc02 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
Description: Stack buffer overflow
Short description: StackBufferOverflow (5/21)
Hash: 846d6bbc9997ffd09a83ce66fdf69d1b.deb14667b1f25fb8189efe42a51ef331
Exploitability Classification: EXPLOITABLE
Explanation: The target stopped while handling a signal that was generated by
libc due to detection of a stack buffer overflow. Stack buffer overflows are
generally considered exploitable.
Other tags: PossibleStackCorruption (6/21), AbortSignal (19/21)
You are receiving this mail because:
- You are watching all bug changes.
- Follow-Ups:
- [Wireshark-bugs] [Bug 8198] RTPS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8198] RTPS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8198] RTPS dissector crash
- Prev by Date: [Wireshark-bugs] [Bug 8197] New: PER dissector crash
- Next by Date: [Wireshark-bugs] [Bug 8199] New: CMSSTATUS dissector hangs
- Previous by thread: [Wireshark-bugs] [Bug 8197] PER dissector crash
- Next by thread: [Wireshark-bugs] [Bug 8198] RTPS dissector crash
- Index(es):