Wireshark-bugs: [Wireshark-bugs] [Bug 8923] New: Fuzz failure: very long loop in packet-gsm_a_rr
Date: Thu, 11 Jul 2013 13:04:54 +0000
Bug ID 8923
Summary Fuzz failure: very long loop in packet-gsm_a_rr
Classification Unclassified
Product Wireshark
Version SVN
Hardware All
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter jeff.morriss.ws@gmail.com

Build Information:
TShark 1.11.0 (SVN Rev 50503 from /trunk)

Copyright 1998-2013 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.34.2, with libpcap, with libz 1.2.7, without
POSIX
capabilities, without libnl, without SMI, with c-ares 1.9.1, with Lua 5.1,
without Python, with GnuTLS 2.12.23, with Gcrypt 1.5.0, without Kerberos,
without GeoIP.

Running on Linux 3.9.2-200.fc18.x86_64, with locale C, with libpcap version
1.3.0, with libz 1.2.7.
        Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz

Built using gcc 4.7.2 20121109 (Red Hat 4.7.2-8).

--
Got another fuzz failure (again, with the "-Yframe step enabled):

~~~
tools/fuzz-test.sh: line 163: 28206 Trace/breakpoint trap   (core dumped)
"$RUNNER" $ARGS $TMP_DIR/$TMP_FILE > /dev/null 2>> $TMP_DIR/$ERR_FILE

 ERROR
Processing failed. Capture info follows:

  Input file: ../caps/menagerie/public/2717-test_sccp_conversation.snoop
  Output file: /tmp/fuzz-2013-07-10-1226.pcap

stderr follows:

Input file: ../caps/menagerie/public/2717-test_sccp_conversation.snoop

Build host information:
Linux XXX 3.9.2-200.fc18.x86_64 #1 SMP Mon May 13 13:59:47 UTC 2013 x86_64
x86_64 x86_64 GNU/Linux

Return value:  133

Dissector bug:  0

Valgrind error count:  0



Subversion revision
------------------------------------------------------------------------
r50482 | cmaynard | 2013-07-10 12:18:37 -0400 (Wed, 10 Jul 2013) | 38 lines

Add strnatcmp by Martin Pool for 'natural order' string comparisons, and make
use of it in editcap and mergecap for listing encapsulation types.  For
example:
Before:
    user0 - USER 0
    user1 - USER 1
    user10 - USER 10
    user11 - USER 11
    user12 - USER 12
    user13 - USER 13
    user14 - USER 14
    user15 - USER 15
    user2 - USER 2
    user3 - USER 3
    user4 - USER 4
    user5 - USER 5
    user6 - USER 6
    user7 - USER 7
    user8 - USER 8
    user9 - USER 9

After:
    user0 - USER 0
    user1 - USER 1
    user2 - USER 2
    user3 - USER 3
    user4 - USER 4
    user5 - USER 5
    user6 - USER 6
    user7 - USER 7
    user8 - USER 8
    user9 - USER 9
    user10 - USER 10
    user11 - USER 11
    user12 - USER 12
    user13 - USER 13
    user14 - USER 14
    user15 - USER 15


------------------------------------------------------------------------


Command and args: ./tshark -Yframe -nr


** (process:28206): ERROR **: More than 1000000 items in the tree -- possible
infinite loop
~~~

Backtrace is:

~~~
#0  0x0000003de1c4ec67 in g_logv () from /lib64/libglib-2.0.so.0
#1  0x0000003de1c4ee32 in g_log () from /lib64/libglib-2.0.so.0
#2  0x00007f27faa924ab in proto_tree_add_bits_item (tree=tree@entry=0x28b5950,
hf_index=<optimized out>, tvb=tvb@entry=0x26a8f20,
bit_offset=bit_offset@entry=4999582, no_of_bits=no_of_bits@entry=4, 
    encoding=encoding@entry=0) at proto.c:6858
#3  0x00007f27fad6490c in de_rr_multirate_conf (tvb=0x26a8f20, tree=0x28b5950,
pinfo=<optimized out>, offset=<optimized out>, len=1, add_string=<optimized
out>, string_len=1024) at packet-gsm_a_rr.c:3864
#4  0x00007f27fad412a4 in elem_tlv (tvb=tvb@entry=0x26a8f20,
tree=tree@entry=0x28b5950, pinfo=pinfo@entry=0x7fff660926d0, iei=iei@entry=40
'(', pdu_type=pdu_type@entry=3, idx=idx@entry=37, 
    offset=offset@entry=44, len=len@entry=7, name_add=0x7f27fb852da6 "",
name_add@entry=0x0) at packet-gsm_a_common.c:1278
#5  0x00007f27fad7bb7e in dissect_gsm_bsslap_u_tdoa_res (offset=1,
pinfo=0x7fff660926d0, tree=0x28b5950, tvb=0x26a8f20) at packet-gsm_bsslap.c:777
#6  dissect_gsm_bsslap (tvb=0x26a8f20, pinfo=0x7fff660926d0, tree=<optimized
out>) at packet-gsm_bsslap.c:840
#7  0x00007f27faa7a0f8 in call_dissector_through_handle (handle=0x15fd280,
tvb=0x26a8f20, pinfo=0x7fff660926d0, tree=0x28b58f0, data="" at packet.c:433
#8  0x00007f27faa7a92d in call_dissector_work (handle=0x15fd280, tvb=0x26a8f20,
pinfo_arg=0x7fff660926d0, tree=0x28b58f0, add_proto_name=1, data="" at
packet.c:527
#9  0x00007f27faa7c6d1 in call_dissector_with_data (handle=<optimized out>,
tvb=0x26a8f20, pinfo=pinfo@entry=0x7fff660926d0, tree=0x28b58f0,
data="" at packet.c:2061
#10 0x00007f27faa7c798 in call_dissector (handle=<optimized out>,
tvb=<optimized out>, pinfo=pinfo@entry=0x7fff660926d0, tree=<optimized out>) at
packet.c:2079
#11 0x00007f27fad31051 in be_apdu (tvb=0x2908a80, tree=0x28b5890,
pinfo=0x7fff660926d0, offset=4, len=51, add_string=<optimized out>,
string_len=1024) at packet-gsm_a_bssmap.c:3117
#12 0x00007f27fad420c2 in elem_tlv_e (tvb=tvb@entry=0x2908a80,
tree=tree@entry=0x28b5890, pinfo=pinfo@entry=0x7fff660926d0, iei=iei@entry=73
'I', pdu_type=pdu_type@entry=0, idx=idx@entry=73, 
    offset=offset@entry=1, len=len@entry=55, name_add=0x7f27fb852da6 "",
name_add@entry=0x0) at packet-gsm_a_common.c:1442
#13 0x00007f27fad3b60f in bssmap_conn_oriented (tvb=0x2908a80, tree=0x28b5890,
pinfo=0x7fff660926d0, offset=1, len=55) at packet-gsm_a_bssmap.c:6378
#14 0x00007f27fad33b43 in dissect_bssmap (tvb=0x2908a80, pinfo=0x7fff660926d0,
tree=<optimized out>) at packet-gsm_a_bssmap.c:7037
#15 0x00007f27faa7a0f8 in call_dissector_through_handle (handle=0x16923f0,
tvb=0x2908a80, pinfo=0x7fff660926d0, tree=0x28b58f0, data="" at packet.c:433
#16 0x00007f27faa7a92d in call_dissector_work (handle=0x16923f0, tvb=0x2908a80,
pinfo_arg=0x7fff660926d0, tree=0x28b58f0, add_proto_name=1, data="" at
packet.c:527
#17 0x00007f27faa7c6d1 in call_dissector_with_data (handle=<optimized out>,
tvb=tvb@entry=0x2908a80, pinfo=pinfo@entry=0x7fff660926d0,
tree=tree@entry=0x28b58f0, data="" at packet.c:2061
#18 0x00007f27faa7c798 in call_dissector (handle=<optimized out>,
tvb=tvb@entry=0x2908a80, pinfo=pinfo@entry=0x7fff660926d0,
tree=tree@entry=0x28b58f0) at packet.c:2079
#19 0x00007f27fab94a9d in dissect_bssap_data_param (tree=0x28b58f0,
bssap_tree=0x28b5ad0, pinfo=0x7fff660926d0, tvb=0x2908a80) at
packet-bssap.c:416
#20 dissect_bssap_parameter (tvb=tvb@entry=0x29089e0,
pinfo=pinfo@entry=0x7fff660926d0, bssap_tree=bssap_tree@entry=0x28b5ad0,
tree=tree@entry=0x28b58f0, parameter_type=parameter_type@entry=2 '\002', 
    offset=<optimized out>, parameter_length=56) at packet-bssap.c:498
#21 0x00007f27fab96ce8 in dissect_bssap_var_parameter (parameter_type=2 '\002',
offset=<optimized out>, tree=0x28b58f0, bssap_tree=0x28b5ad0,
pinfo=0x7fff660926d0, tvb=0x29089e0) at packet-bssap.c:523
#22 dissect_bssap_message (tree=0x28b58f0, bssap_tree=0x28b5ad0,
pinfo=0x7fff660926d0, tvb=0x29089e0) at packet-bssap.c:571
#23 dissect_bssap (tvb=tvb@entry=0x29089e0, pinfo=pinfo@entry=0x7fff660926d0,
tree=tree@entry=0x28b58f0) at packet-bssap.c:611
#24 0x00007f27fab96ea3 in dissect_bssap_heur (tvb=0x29089e0,
pinfo=0x7fff660926d0, tree=0x28b58f0, data="" out>) at
packet-bssap.c:2172
#25 0x00007f27faa7bf70 in dissector_try_heuristic (sub_dissectors=<optimized
out>, tvb=tvb@entry=0x29089e0, pinfo=pinfo@entry=0x7fff660926d0,
tree=tree@entry=0x28b58f0, data="" at packet.c:1782
#26 0x00007f27fb015cdd in dissect_sccp_data_param (tvb=0x29089e0,
pinfo=pinfo@entry=0x7fff660926d0, tree=tree@entry=0x28b58f0) at
packet-sccp.c:2291
#27 0x00007f27fb01a3b5 in dissect_sccp_message (tree=0x28b58f0,
sccp_tree=0x28b5aa0, pinfo=0x7fff660926d0, tvb=0x2908b20) at packet-sccp.c:2846
#28 dissect_sccp (tvb=0x2908b20, pinfo=0x7fff660926d0, tree=0x28b58f0) at
packet-sccp.c:3350
~~~


You are receiving this mail because:
  • You are watching all bug changes.