Wireshark-bugs: [Wireshark-bugs] [Bug 9573] New: Global Variable in x509af dissector causing pro
Date: Tue, 17 Dec 2013 19:31:46 +0000
Bug ID | 9573 |
---|---|
Summary | Global Variable in x509af dissector causing problems |
Classification | Unclassified |
Product | Wireshark |
Version | SVN |
Hardware | All |
OS | All |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | Dissection engine (libwireshark) |
Assignee | bugzilla-admin@wireshark.org |
Reporter | eapache@gmail.com |
Build Information: TShark 1.11.3 (SVN Rev 54189 from /trunk) Copyright 1998-2013 Gerald Combs <gerald@wireshark.org> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Compiled (64-bit) with GLib 2.38.1, with libpcap, with libz 1.2.8, with POSIX capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, without Python, with GnuTLS 2.12.23, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP. Running on Linux 3.11.0-14-generic, with locale en_CA.UTF-8, with libpcap version 1.4.0, with libz 1.2.8. Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz Built using gcc 4.8.1. -- I have an attachment from fuzzing which causes the following valgrind errors: ==13166== Invalid read of size 1 ==13166== at 0x96109D0: g_str_hash (ghash.c:1732) ==13166== by 0x9610058: g_hash_table_lookup (ghash.c:365) ==13166== by 0x65E6D5E: call_ber_oid_callback (packet-ber.c:518) ==13166== by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285) ==13166== by 0x6DBEAEF: dissect_x509af_AlgorithmIdentifier (x509af.cnf:98) ==13166== by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285) ==13166== by 0x6DBEC2F: dissect_x509af_T_signedCertificate (x509af.cnf:159) ==13166== by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285) ==13166== by 0x6DBEBEF: dissect_x509af_Certificate (x509af.cnf:175) ==13166== by 0x6B59235: dissect_ssl3_handshake (packet-ssl.c:3131) ==13166== by 0x6B5AD5A: dissect_ssl3_record (packet-ssl.c:1791) ==13166== by 0x6B5B724: dissect_ssl (packet-ssl.c:909) ==13166== Address 0x12f93350 is 0 bytes inside a block of size 68 free'd ==13166== at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==13166== by 0x64EA51C: emem_free_all (emem.c:1242) ==13166== by 0x64EC3CA: epan_dissect_run_with_taps (epan.c:333) ==13166== by 0x4134FD: process_packet (tshark.c:3453) ==13166== by 0x40BAA3: main (tshark.c:3256) ==13166== ==13166== Invalid read of size 1 ==13166== at 0x96109ED: g_str_hash (ghash.c:1732) ==13166== by 0x9610058: g_hash_table_lookup (ghash.c:365) ==13166== by 0x65E6D5E: call_ber_oid_callback (packet-ber.c:518) ==13166== by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285) ==13166== by 0x6DBEAEF: dissect_x509af_AlgorithmIdentifier (x509af.cnf:98) ==13166== by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285) ==13166== by 0x6DBEC2F: dissect_x509af_T_signedCertificate (x509af.cnf:159) ==13166== by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285) ==13166== by 0x6DBEBEF: dissect_x509af_Certificate (x509af.cnf:175) ==13166== by 0x6B59235: dissect_ssl3_handshake (packet-ssl.c:3131) ==13166== by 0x6B5AD5A: dissect_ssl3_record (packet-ssl.c:1791) ==13166== by 0x6B5B724: dissect_ssl (packet-ssl.c:909) ==13166== Address 0x12f93351 is 1 bytes inside a block of size 68 free'd ==13166== at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==13166== by 0x64EA51C: emem_free_all (emem.c:1242) ==13166== by 0x64EC3CA: epan_dissect_run_with_taps (epan.c:333) ==13166== by 0x4134FD: process_packet (tshark.c:3453) ==13166== by 0x40BAA3: main (tshark.c:3256) ==13166== ==13166== Invalid read of size 1 ==13166== at 0x96109D0: g_str_hash (ghash.c:1732) ==13166== by 0x9610058: g_hash_table_lookup (ghash.c:365) ==13166== by 0x64F719F: dissector_try_string (packet.c:1280) ==13166== by 0x65E6DC6: call_ber_oid_callback (packet-ber.c:1078) ==13166== by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285) ==13166== by 0x6DBEAEF: dissect_x509af_AlgorithmIdentifier (x509af.cnf:98) ==13166== by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285) ==13166== by 0x6DBEC2F: dissect_x509af_T_signedCertificate (x509af.cnf:159) ==13166== by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285) ==13166== by 0x6DBEBEF: dissect_x509af_Certificate (x509af.cnf:175) ==13166== by 0x6B59235: dissect_ssl3_handshake (packet-ssl.c:3131) ==13166== by 0x6B5AD5A: dissect_ssl3_record (packet-ssl.c:1791) ==13166== Address 0x12f93350 is 0 bytes inside a block of size 68 free'd ==13166== at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==13166== by 0x64EA51C: emem_free_all (emem.c:1242) ==13166== by 0x64EC3CA: epan_dissect_run_with_taps (epan.c:333) ==13166== by 0x4134FD: process_packet (tshark.c:3453) ==13166== by 0x40BAA3: main (tshark.c:3256) ==13166== ==13166== Invalid read of size 1 ==13166== at 0x96109ED: g_str_hash (ghash.c:1732) ==13166== by 0x9610058: g_hash_table_lookup (ghash.c:365) ==13166== by 0x64F719F: dissector_try_string (packet.c:1280) ==13166== by 0x65E6DC6: call_ber_oid_callback (packet-ber.c:1078) ==13166== by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285) ==13166== by 0x6DBEAEF: dissect_x509af_AlgorithmIdentifier (x509af.cnf:98) ==13166== by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285) ==13166== by 0x6DBEC2F: dissect_x509af_T_signedCertificate (x509af.cnf:159) ==13166== by 0x65E7AAD: dissect_ber_sequence (packet-ber.c:2285) ==13166== by 0x6DBEBEF: dissect_x509af_Certificate (x509af.cnf:175) ==13166== by 0x6B59235: dissect_ssl3_handshake (packet-ssl.c:3131) ==13166== by 0x6B5AD5A: dissect_ssl3_record (packet-ssl.c:1791) ==13166== Address 0x12f93351 is 1 bytes inside a block of size 68 free'd ==13166== at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==13166== by 0x64EA51C: emem_free_all (emem.c:1242) ==13166== by 0x64EC3CA: epan_dissect_run_with_taps (epan.c:333) ==13166== by 0x4134FD: process_packet (tshark.c:3453) ==13166== by 0x40BAA3: main (tshark.c:3256) ==13166== In frame 2, memory is ep-allocated and assigned to the algorithm_id global in packet-x509af-template.c: #0 ep_alloc (size=size@entry=68) at emem.c:935 #1 0x00007ffff4c62b19 in ep_alloc0 (size=68) at emem.c:953 #2 0x00007ffff4c6b486 in rel_oid_subid2string (subids=0x7fffed5f88c0, len=6, is_absolute=1) at oids.c:848 #3 0x00007ffff4c6c1a5 in oid_encoded2string (encoded=<optimized out>, len=len@entry=6) at oids.c:1111 #4 0x00007ffff4d628b9 in dissect_ber_any_oid_str (implicit_tag=<optimized out>, actx=<optimized out>, tree=tree@entry=0x7fffebbd24e0, tvb=<optimized out>, offset=8, hf_id=<optimized out>, value_stringx=value_stringx@entry=0x7ffff7adf3b0 <algorithm_id>, is_absolute=is_absolute@entry=1) at packet-ber.c:3978 #5 0x00007ffff4d6294a in dissect_ber_object_identifier_str (implicit_tag=<optimized out>, actx=<optimized out>, tree=tree@entry=0x7fffebbd24e0, tvb=<optimized out>, offset=<optimized out>, hf_id=<optimized out>, value_stringx=value_stringx@entry=0x7ffff7adf3b0 <algorithm_id>) at packet-ber.c:4012 #6 0x00007ffff5536e8f in dissect_x509af_T_algorithmId (implicit_tag=<optimized out>, tvb=<optimized out>, offset=<optimized out>, actx=<optimized out>, tree=0x7fffebbd24e0, hf_index=<optimized out>) at ../../asn1/x509af/x509af.cnf:73 #7 0x00007ffff4d5faae in dissect_ber_sequence (implicit_tag=<optimized out>, actx=0x7fffffffca00, parent_tree=<optimized out>, tvb=0x1760450, offset=4, seq=seq@entry=0x7ffff6ac3600 <AlgorithmIdentifier_sequence>, hf_id=133724, ett_id=33761) at packet-ber.c:2285 #8 0x00007ffff5536af0 in dissect_x509af_AlgorithmIdentifier (implicit_tag=<optimized out>, tvb=<optimized out>, offset=<optimized out>, actx=<optimized out>, tree=<optimized out>, hf_index=<optimized out>) at ../../asn1/x509af/x509af.cnf:98 #9 0x00007ffff4d5faae in dissect_ber_sequence (implicit_tag=<optimized out>, actx=0x7fffffffca00, parent_tree=<optimized out>, tvb=0x1760630, offset=23, seq=0x7ffff6bdace0 <T_signedCertificate_sequence+64>, seq@entry=0x7ffff6bdaca0 <T_signedCertificate_sequence>, hf_id=133721, ett_id=33759) at packet-ber.c:2285 #10 0x00007ffff5536c30 in dissect_x509af_T_signedCertificate (implicit_tag=<optimized out>, tvb=<optimized out>, offset=<optimized out>, actx=<optimized out>, tree=<optimized out>, hf_index=<optimized out>) at ../../asn1/x509af/x509af.cnf:159 #11 0x00007ffff4d5faae in dissect_ber_sequence (implicit_tag=implicit_tag@entry=0, actx=actx@entry=0x7fffffffca00, parent_tree=parent_tree@entry=0x7fffebbd1e40, tvb=tvb@entry=0x17605e0, offset=109, seq=seq@entry=0x7ffff6bdac20 <Certificate_sequence>, hf_id=107353, ett_id=33758) at packet-ber.c:2285 #12 0x00007ffff5536bf0 in dissect_x509af_Certificate (implicit_tag=implicit_tag@entry=0, tvb=tvb@entry=0x17605e0, offset=<optimized out>, actx=actx@entry=0x7fffffffca00, tree=tree@entry=0x7fffebbd1e40, hf_index=<optimized out>) at ../../asn1/x509af/x509af.cnf:175 #13 0x00007ffff52d1236 in dissect_ssl3_hnd_cert (pinfo=0x197dcb8, offset=<optimized out>, tree=0x7fffebbd1a30, tvb=0x17605e0) at packet-ssl.c:3131 #14 dissect_ssl3_handshake (tvb=tvb@entry=0x17605e0, pinfo=pinfo@entry=0x197dcb8, tree=tree@entry=0x7fffebbd1620, offset=95, offset@entry=91, record_length=1453, record_length@entry=1362, conv_version=conv_version@entry=0x7fffeabc86f8, conv_cipher=conv_cipher@entry=0, ssl=ssl@entry=0x7fffeabc8480, content_type=content_type@entry=22 '\026') at packet-ssl.c:2110 #15 0x00007ffff52d2d5b in dissect_ssl3_record (tvb=tvb@entry=0x17605e0, pinfo=pinfo@entry=0x197dcb8, tree=tree@entry=0x7fffebbd0050, offset=91, offset@entry=86, conv_version=conv_version@entry=0x7fffeabc86f8, conv_cipher=conv_cipher@entry=0, need_desegmentation=need_desegmentation@entry=0x7fffffffcc2c, ssl=ssl@entry=0x7fffeabc8480, first_record_in_frame=first_record_in_frame@entry=0) at packet-ssl.c:1791 #16 0x00007ffff52d3725 in dissect_ssl (tvb=0x17605e0, pinfo=0x197dcb8, tree=<optimized out>) at packet-ssl.c:909 Then in frame 7, that global is used (I believe through a call to dissect_x509af_T_parameters which is optimized out of the backtrace). At this point it still points to the old ep-allocated value from frame 2, which has been freed and is garbage.
You are receiving this mail because:
- You are watching all bug changes.
- Follow-Ups:
- [Wireshark-bugs] [Bug 9573] Global Variable in x509af dissector causing problems
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9573] Global Variable in x509af dissector causing problems
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9573] Global Variable in x509af dissector causing problems
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9573] Global Variable in x509af dissector causing problems
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9573] Global Variable in x509af dissector causing problems
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9573] Global Variable in x509af dissector causing problems
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 9573] Global Variable in x509af dissector causing problems
- Prev by Date: [Wireshark-bugs] [Bug 9568] Compilation failure: packet-pdcp-lte.c:1211:12: error: variable 'key' set but not used [-Werror=unused-but-set-variable]
- Next by Date: [Wireshark-bugs] [Bug 9573] Global Variable in x509af dissector causing problems
- Previous by thread: [Wireshark-bugs] [Bug 8511] allow editcap to ignore certain bytes during duplicate detection
- Next by thread: [Wireshark-bugs] [Bug 9573] Global Variable in x509af dissector causing problems
- Index(es):