Wireshark-bugs: [Wireshark-bugs] [Bug 8760] New: testcase crashes wireshark and tshark on all pl
Date: Mon, 03 Jun 2013 13:47:30 +0000
Bug ID 8760
Summary testcase crashes wireshark and tshark on all platforms(windows linux)
Classification Unclassified
Product Wireshark
Version unspecified
Hardware x86-64
OS All
Status UNCONFIRMED
Severity Critical
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter sachinshinde1102@gmail.com

Build Information:
Checked on Windows 7 wireshark 1.8.7

and linux wireshark 1.8.3 (SVN Rev Unknown from unknown)

UNAME ='Linux bt04 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux'
--
attached testcase crashes on all platforms.Its a heap-buffer-overflow


LINUX CRASH

 gdb tshark
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/tshark...done.
(gdb) run -r cbc7f25ce33fb132b8aa90f21a673079.pcap 
Starting program: /usr/local/bin/tshark -r
cbc7f25ce33fb132b8aa90f21a673079.pcap
[Thread debugging using libthread_db enabled]
OOPS: dissector table "sctp.ppi" doesn't exist
Protocol being registered is "Datagram Transport Layer Security"
Running as user "root" and group "root". This could be dangerous.
  1   0.000000              ->              ETH 66 IxVeriWave Ethernet Tap
Capture, Length 48[Malformed Packet]
  2 -2009559094.765805              ->              ETH 64 IxVeriWave Ethernet
Tap Capture, Length 48[Malformed Packet]
  3 -576460749.080234              ->              ETH 64 IxVeriWave Ethernet
Tap Capture, Length 48[Malformed Packet]
  4 -2022732641.507124              ->              ETH 64 IxVeriWave Ethernet
Tap Capture, Length 48[Malformed Packet]

Program received signal SIGSEGV, Segmentation fault.
0xb56601cf in ?? () from /lib/tls/i686/cmov/libc.so.6
(gdb) where
#0  0xb56601cf in ?? () from /lib/tls/i686/cmov/libc.so.6
#1  0xb7f64240 in vwr_read_rec_data_ethernet (wth=<value optimized out>,
data_ptr=<value optimized out>, rec=0xbfff6cbc "@", rec_size=16, IS_TX=1) at
/usr/include/bits/string3.h:52
#2  0xb7f647cc in vwr_read (wth=0x88c5e28, err=0xbffff0e0, err_info=0xbffff0dc,
data_offset=0xbffff0c8) at vwr.c:738
#3  0xb7f649a4 in wtap_read (wth=0x88c5e28, err=0xbffff0e0,
err_info=0xbffff0dc, data_offset=0xbffff0c8) at wtap.c:844
#4  0x08061543 in load_cap_file (argc=3, argv=0xbffff264) at tshark.c:2885
#5  main (argc=3, argv=0xbffff264) at tshark.c:1780
(gdb) x/4i $pc
=> 0xb56601cf:  movdqa 0x20(%eax,%edi,1),%xmm3
   0xb56601d5:  movdqa %xmm3,%xmm1
   0xb56601d9:  palignr $0x8,%xmm2,%xmm3
   0xb56601df:  palignr $0x8,%xmm4,%xmm2
(gdb) i r
eax            0xbfff6cc0       -1073779520
ecx            0x6c78   27768
edx            0x88e6d30        143551792
ebx            0xb568a470       -1251433360
esp            0xbfff6b44       0xbfff6b44
ebp            0xbfff6c88       0xbfff6c88
esi            0xffe4   65508
edi            0x9320   37664
eip            0xb56601cf       0xb56601cf
eflags         0x210206 [ PF IF RF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) 



WINDOWS CRASH


(aac.ee8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
C:\Program Files\Wireshark\wiretap-1.8.0.dll - 
wiretap_1_8_0!wtap_wtap_encap_to_pcap_encap+0x15b38:
000007fe`f73f9a88 0fb60401        movzx   eax,byte ptr [rcx+rax]
ds:00000001`00155bac=??
0:000> r
rax=0000000000000008 rbx=0000000005f7ba90 rcx=0000000100155ba4
rdx=00000000062400a0 rsi=000000005d02ca10 rdi=000000000015e258
rip=000007fef73f9a88 rsp=0000000000155a20 rbp=0000000000000001
 r8=0000000000155bc0  r9=0000000000000010 r10=0000000000000000
r11=0000000000155bc0 r12=000000000015e510 r13=000000000015e470
r14=0000000000000000 r15=00000000ffffffff
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
wiretap_1_8_0!wtap_wtap_encap_to_pcap_encap+0x15b38:
000007fe`f73f9a88 0fb60401        movzx   eax,byte ptr [rcx+rax]
ds:00000001`00155bac=??
0:000> .lastevent
Last event: aac.ee8: Access violation - code c0000005 (first chance)
  debugger time: Mon Jun  3 19:16:24.121 2013 (UTC + 5:30)
0:000> u eip
wiretap_1_8_0!wtap_wtap_encap_to_pcap_encap+0x15b38:
000007fe`f73f9a88 0fb60401        movzx   eax,byte ptr [rcx+rax]
000007fe`f73f9a8c c1e008          shl     eax,8
000007fe`f73f9a8f 488b8c2400010000 mov     rcx,qword ptr [rsp+100h]
000007fe`f73f9a97 8b491c          mov     ecx,dword ptr [rcx+1Ch]
000007fe`f73f9a9a 488b9424f8000000 mov     rdx,qword ptr [rsp+0F8h]
000007fe`f73f9aa2 0fb64c0a01      movzx   ecx,byte ptr [rdx+rcx+1]
000007fe`f73f9aa7 0bc1            or      eax,ecx
000007fe`f73f9aa9 66898424ec000000 mov     word ptr [rsp+0ECh],ax
0:000> ub eip
wiretap_1_8_0!wtap_wtap_encap_to_pcap_encap+0x15b0d:
000007fe`f73f9a5d 8bc0            mov     eax,eax
000007fe`f73f9a5f 488b8c2460010000 mov     rcx,qword ptr [rsp+160h]
000007fe`f73f9a67 4803c8          add     rcx,rax
000007fe`f73f9a6a 488bc1          mov     rax,rcx
000007fe`f73f9a6d 48898424f8000000 mov     qword ptr [rsp+0F8h],rax
000007fe`f73f9a75 488b842400010000 mov     rax,qword ptr [rsp+100h]
000007fe`f73f9a7d 8b401c          mov     eax,dword ptr [rax+1Ch]
000007fe`f73f9a80 488b8c24f8000000 mov     rcx,qword ptr [rsp+0F8h]



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Please fix the bug and assign a CVE for this 

thanks,
Sachin Shinde
@cons0ul


You are receiving this mail because:
  • You are watching all bug changes.