Wireshark-bugs: [Wireshark-bugs] [Bug 8383] New: csnStreamDissector dissector crash
Date: Fri, 22 Feb 2013 14:20:28 +0000
Bug ID | 8383 |
---|---|
Summary | csnStreamDissector dissector crash |
Classification | Unclassified |
Product | Wireshark |
Version | 1.8.5 |
Hardware | x86-64 |
OS | Linux (other) |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | TShark |
Assignee | bugzilla-admin@wireshark.org |
Reporter | laurentb@gmail.com |
Created attachment 10093 [details]
csnStreamDissector.pcap

Build Information:
TShark 1.8.5 (SVN Rev Unknown from unknown)

Copyright 1998-2013 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without
POSIX capabilities, without SMI, without c-ares, without ADNS, with Lua 5.1,
without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos,
without GeoIP.

Running on Linux 3.2.0-30-generic, with locale en_US.UTF-8, with libpcap version
1.1.1, with libz 1.2.3.4.

Built using gcc 4.6.3.

--

Hi,

Here is a PCAP file triggering a SIGSEGV that could enable (at least) a remote party to trigger a denial of service.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

--

Signal si_signo: 11 Signal si_addr: 0x1

Nearby code:

       0x00007ffff2ead39c <+10716>: jmp 0x7ffff2eace88 <_IO_vfprintf_internal+9416>
       0x00007ffff2ead3a1 <+10721>: mov rdi,QWORD PTR [rbp-0x558]
       0x00007ffff2ead3a8 <+10728>: xor eax,eax
       0x00007ffff2ead3aa <+10730>: or rcx,0xffffffffffffffff
       0x00007ffff2ead3ae <+10734>: xor r9d,r9d
    => 0x00007ffff2ead3b1 <+10737>: repnz scas al,BYTE PTR es:[rdi]
       0x00007ffff2ead3b3 <+10739>: not rcx
       0x00007ffff2ead3b6 <+10742>: lea r8,[rcx-0x1]
       0x00007ffff2ead3ba <+10746>: jmp 0x7ffff2eace88 <_IO_vfprintf_internal+9416>
       0x00007ffff2ead3bf <+10751>: mov r14d,eax

Stack trace:

    # 0 _IO_vfprintf_internal at 0x7ffff2ead3b1 in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
    # 1 ___vsnprintf_chk at 0x7ffff2f6ad80 in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
    # 2 proto_tree_set_representation at 0x7ffff5184fff in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 3 proto_tree_add_text at 0x7ffff51883e8 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 4 ProcessError at 0x7ffff52ea51f in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 5 csnStreamDissector at 0x7ffff52eac38 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 6 csnStreamDissector at 0x7ffff52ec553 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 7 csnStreamDissector at 0x7ffff52ead3e in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 8 csnStreamDissector at 0x7ffff52ec553 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 9 dissect_gsm_rlcmac_downlink at 0x7ffff5439cb1 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 10 call_dissector_through_handle at 0x7ffff51794b0 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 11 call_dissector_work at 0x7ffff5179b95 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 12 call_dissector at 0x7ffff517b7e1 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 13 call_dissector_through_handle at 0x7ffff51794b0 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 14 call_dissector_work at 0x7ffff5179b95 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 15 dissector_try_uint_new at 0x7ffff517a30e in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 16 decode_udp_ports at 0x7ffff5798875 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 17 dissect at 0x7ffff5798e83 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 18 call_dissector_through_handle at 0x7ffff51794b0 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 19 call_dissector_work at 0x7ffff5179b95 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 20 dissector_try_uint_new at 0x7ffff517a30e in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 21 dissect_ip at 0x7ffff54bd27b in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 22 call_dissector_through_handle at 0x7ffff51794b0 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 23 call_dissector_work at 0x7ffff5179b95 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 24 dissector_try_uint_new at 0x7ffff517a30e in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 25 ethertype at 0x7ffff53aabba in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 26 dissect_eth_common at 0x7ffff53a95dc in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 27 call_dissector_through_handle at 0x7ffff51794b0 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 28 call_dissector_work at 0x7ffff5179b95 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 29 dissector_try_uint_new at 0x7ffff517a30e in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 30 dissect_frame at 0x7ffff53dc8cb in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 31 call_dissector_through_handle at 0x7ffff51794b0 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 32 call_dissector_work at 0x7ffff5179b95 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 33 call_dissector at 0x7ffff517b7e1 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 34 dissect_packet at 0x7ffff517bbf4 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
    # 35 process_packet at 0x41ad5b in /home/laurent/fuzzing/bin/wireshark-1.8.5/bin/tshark
    # 36 load_cap_file at 0x40dc8f in /home/laurent/fuzzing/bin/wireshark-1.8.5/bin/tshark
    # 37 main at 0x40dc8f in /home/laurent/fuzzing/bin/wireshark-1.8.5/bin/tshark

Faulting frame:

    # 2 proto_tree_set_representation at 0x7ffff5184fff in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5

Description: Access violation near NULL on source operand

Short description: SourceAvNearNull (15/21)

Hash: d25e723ec6c54309eb3d7e1dc02f1095.4d0b0322228c581d797b9798b4c883a5

---Type <return> to continue, or q <return> to quit---

Exploitability Classification: PROBABLY_NOT_EXPLOITABLE

Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.

Other tags: AccessViolation (20/21)