Fuzzed PCAP causing long runtime in dissect_openflow_v5

This issue was migrated from bug 12659 in our old bug tracker.

Original bug information:

Reporter: Antti Levomäki
Status: RESOLVED FIXED
Product: Wireshark
Component: Dissection engine (libwireshark)
OS: Ubuntu
Platform: x86
Version: 2.0.2

Attachments:

fd08236280fd3a88229333dd71b03846ba1f4f19cc8b206b4d3464f7e22f1b5e.pcap: Sample PCAP

Antti Levomäki said:

Created attachment 14757 Sample PCAP

Build Information: TShark (Wireshark) 2.0.2 (SVN Rev Unknown from unknown)

Copyright 1998-2016 Gerald Combs <gerald@‍wireshark.org> and contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3, with libz 1.2.8, with GLib 2.48.0, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos, with GeoIP.

Running on Linux 4.4.0-22-generic, with locale en_GB.UTF-8, with libpcap version 1.7.4, with libz 1.2.8, with GnuTLS 3.4.10, with Gcrypt 1.6.5. Intel Core Processor (Haswell) (with SSE4.2)

Built using gcc 5.3.1 20160407.

Fuzzed PCAP takes 100% CPU and runs for a long time on tshark 2.0.2 and a recent build from repository ( commit 688d055acd523e645c1e87267dcf4a0a9867adbd ).

GDB backtrace from 'tshark -2 -V -r <pcap>' aborted after running for a while:


Program received signal SIGABRT, Aborted.
0x00007ffff3cc483a in proto_tree_add_item_new (tree=0x0, hfinfo=0x7ffff6eacae8 <hf.16733+27208>, tvb=0x848630, start=42, length=2, encoding=0) at proto.c:2491
2491		get_hfi_length(hfinfo, tvb, start, &length, &item_length);
123 tomb gdb execution "thread apply all bt" 321

Thread 1 (Thread 0x7ffff7fb9740 (LWP 21376)):
#0  0x00007ffff3cc483a in proto_tree_add_item_new (tree=0x0, hfinfo=0x7ffff6eacae8 <hf.16733+27208>, tvb=0x848630, start=42, length=2, encoding=0) at proto.c:2491
#1  0x00007ffff3cc4bde in proto_tree_add_item (tree=0x0, hfindex=98557, tvb=0x848630, start=42, length=2, encoding=0) at proto.c:2509
#2  0x00007ffff44e6469 in dissect_openflow_tablemod_prop_v5 (tvb=0x848630, pinfo=0xb04c18, tree=0x0, offset=42, length=4910) at packet-openflow_v5.c:3368
#3  0x00007ffff44e8c11 in dissect_openflow_table_desc_v5 (tvb=0x848630, pinfo=0xb04c18, tree=0x0, offset=40, length=4910) at packet-openflow_v5.c:4400
#4  0x00007ffff44eb704 in dissect_openflow_multipart_reply_v5 (tvb=0x848630, pinfo=0xb04c18, tree=0x0, offset=32, length=4910) at packet-openflow_v5.c:5304
#5  0x00007ffff44ecc41 in dissect_openflow_message_v5 (tvb=0x848630, pinfo=0xb04c18, tree=0x0, offset=8) at packet-openflow_v5.c:5902
#6  0x00007ffff44ece99 in dissect_openflow_v5 (tvb=0x848630, pinfo=0xb04c18, tree=0x0, data=0x0) at packet-openflow_v5.c:5968
#7  0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb032e0, tvb=0x848630, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#8  0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb032e0, tvb=0x848630, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#9  0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffedb032e0, tvb=0x848630, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2791
#10 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffedb032e0, tvb=0x848630, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2804
#11 0x00007ffff3cade15 in call_dissector (handle=0x7fffedb032e0, tvb=0x848630, pinfo=0xb04c18, tree=0x0) at packet.c:2821
#12 0x00007ffff44d5730 in dissect_openflow_tcp_pdu (tvb=0x848630, pinfo=0xb04c18, tree=0x0, data=0x7fffffffc400) at packet-openflow.c:98
#13 0x00007ffff4781ac0 in tcp_dissect_pdus (tvb=0x8485e0, pinfo=0xb04c18, tree=0x0, proto_desegment=1, fixed_len=8, get_pdu_len=0x7ffff44d5634 <get_openflow_pdu_length>, dissect_pdu=0x7ffff44d5664 <dissect_openflow_tcp_pdu>, dissector_data=0x7fffffffc400) at packet-tcp.c:3120
#14 0x00007ffff44d57ce in dissect_openflow (tvb=0x8485e0, pinfo=0xb04c18, tree=0x0, data=0x7fffffffc400) at packet-openflow.c:112
#15 0x00007ffff44d588c in dissect_openflow_heur (tvb=0x8485e0, pinfo=0xb04c18, tree=0x0, data=0x7fffffffc400) at packet-openflow.c:133
#16 0x00007ffff3cad3f3 in dissector_try_heuristic (sub_dissectors=0x915e20, tvb=0x8485e0, pinfo=0xb04c18, tree=0x0, heur_dtbl_entry=0x7fffffffbfb8, data=0x7fffffffc400) at packet.c:2417
#17 0x00007ffff4786941 in decode_tcp_ports (tvb=0x848590, offset=32, pinfo=0xb04c18, tree=0x0, src_port=36547, dst_port=6633, tcpd=0x7fffeca6b770, tcpinfo=0x7fffffffc400) at packet-tcp.c:5052
#18 0x00007ffff4786c16 in process_tcp_payload (tvb=0x848590, offset=32, pinfo=0xb04c18, tree=0x0, tcp_tree=0x0, src_port=36547, dst_port=6633, seq=0, nxtseq=0, is_tcp_segment=0, tcpd=0x7fffeca6b770, tcpinfo=0x7fffffffc400) at packet-tcp.c:5098
#19 0x00007ffff4780efd in desegment_tcp (tvb=0x848590, pinfo=0xb04c18, offset=32, seq=1, nxtseq=11837, sport=36547, dport=6633, tree=0x0, tcp_tree=0x0, tcpd=0x7fffeca6b770, tcpinfo=0x7fffffffc400) at packet-tcp.c:2632
#20 0x00007ffff4786e67 in dissect_tcp_payload (tvb=0x848590, pinfo=0xb04c18, offset=32, seq=1, nxtseq=11837, sport=36547, dport=6633, tree=0x0, tcp_tree=0x0, tcpd=0x7fffeca6b770, tcpinfo=0x7fffffffc400) at packet-tcp.c:5165
#21 0x00007ffff478a75b in dissect_tcp (tvb=0x848590, pinfo=0xb04c18, tree=0x0, data=0x7fffec869030) at packet-tcp.c:6077
#22 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb110e0, tvb=0x848590, pinfo=0xb04c18, tree=0x0, data=0x7fffec869030) at packet.c:660
#23 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb110e0, tvb=0x848590, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffec869030) at packet.c:735
#24 0x00007ffff3cab583 in dissector_try_uint_new (sub_dissectors=0x7b1cc0, uint_val=6, tvb=0x848590, pinfo=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffec869030) at packet.c:1199
#25 0x00007ffff425e409 in ip_try_dissect (heur_first=0, tvb=0x848590, pinfo=0xb04c18, tree=0x0, iph=0x7fffec869030) at packet-ip.c:1977
#26 0x00007ffff426037c in dissect_ip_v4 (tvb=0x848540, pinfo=0xb04c18, parent_tree=0x0, data=0x0) at packet-ip.c:2476
#27 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb78930, tvb=0x848540, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#28 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb78930, tvb=0x848540, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#29 0x00007ffff3cab583 in dissector_try_uint_new (sub_dissectors=0x73c040, uint_val=2048, tvb=0x848540, pinfo=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:1199
#30 0x00007ffff3cab5e4 in dissector_try_uint (sub_dissectors=0x73c040, uint_val=2048, tvb=0x848540, pinfo=0xb04c18, tree=0x0) at packet.c:1225
#31 0x00007ffff40a1c60 in dissect_ethertype (tvb=0xb03cc0, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcbe0) at packet-ethertype.c:262
#32 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffeda50000, tvb=0xb03cc0, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcbe0) at packet.c:660
#33 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffeda50000, tvb=0xb03cc0, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffffffcbe0) at packet.c:735
#34 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffeda50000, tvb=0xb03cc0, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcbe0) at packet.c:2791
#35 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffeda50000, tvb=0xb03cc0, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcbe0) at packet.c:2804
#36 0x00007ffff40a04d5 in dissect_eth_common (tvb=0xb03cc0, pinfo=0xb04c18, parent_tree=0x0, fcs_len=-1) at packet-eth.c:540
#37 0x00007ffff40a106b in dissect_eth (tvb=0xb03cc0, pinfo=0xb04c18, tree=0x0, data=0xad6958) at packet-eth.c:836
#38 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb5c7a0, tvb=0xb03cc0, pinfo=0xb04c18, tree=0x0, data=0xad6958) at packet.c:660
#39 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb5c7a0, tvb=0xb03cc0, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0xad6958) at packet.c:735
#40 0x00007ffff3cab583 in dissector_try_uint_new (sub_dissectors=0x73c2c0, uint_val=1, tvb=0xb03cc0, pinfo=0xb04c18, tree=0x0, add_proto_name=1, data=0xad6958) at packet.c:1199
#41 0x00007ffff40e9887 in dissect_frame (tvb=0xb03cc0, pinfo=0xb04c18, parent_tree=0x0, data=0x7fffffffd340) at packet-frame.c:507
#42 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffeda51950, tvb=0xb03cc0, pinfo=0xb04c18, tree=0x0, data=0x7fffffffd340) at packet.c:660
#43 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffeda51950, tvb=0xb03cc0, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffffffd340) at packet.c:735
#44 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffeda51950, tvb=0xb03cc0, pinfo=0xb04c18, tree=0x0, data=0x7fffffffd340) at packet.c:2791
#45 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffeda51950, tvb=0xb03cc0, pinfo=0xb04c18, tree=0x0, data=0x7fffffffd340) at packet.c:2804
#46 0x00007ffff3caa079 in dissect_record (edt=0xb04c00, file_type_subtype=1, phdr=0xad68f0, tvb=0xb03cc0, fd=0x7fffffffd510, cinfo=0x0) at packet.c:543
#47 0x00007ffff3c9ebf9 in epan_dissect_run (edt=0xb04c00, file_type_subtype=1, phdr=0xad68f0, tvb=0xb03cc0, fd=0x7fffffffd510, cinfo=0x0) at epan.c:365
#48 0x000000000041844c in process_packet_first_pass (cf=0x64f100 <cfile>, edt=0xb04c00, offset=24, whdr=0xad68f0, pd=0xb04e20 "") at tshark.c:2694
#49 0x0000000000418dd7 in load_cap_file (cf=0x64f100 <cfile>, save_file=0x0, out_file_type=2, out_file_name_res=0, max_packet_count=0, max_byte_count=0) at tshark.c:2988
#50 0x0000000000416fa0 in main (argc=5, argv=0x7fffffffdd68) at tshark.c:1873

added crash libwireshark osubuntu version2.0 labels

Gerrit Code Review said:

Change 16648 had a related patch set uploaded by Pascal Quantin: proto.c: add bounds check to proto_tree_add_text(_valist)_internal

https://code.wireshark.org/review/16648

Gerrit Code Review said:

Change 16648 merged by Anders Broman: proto.c: add bounds check to proto_tree_add_text(_valist)_internal

https://code.wireshark.org/review/16648

Gerrit Code Review said:

Change 16685 had a related patch set uploaded by Pascal Quantin: proto.c: add bounds check to proto_tree_add_text(_valist)_internal

https://code.wireshark.org/review/16685

Gerrit Code Review said:

Change 16685 merged by Pascal Quantin: proto.c: add bounds check to proto_tree_add_text(_valist)_internal

https://code.wireshark.org/review/16685

Gerrit Code Review said:

Change 16686 had a related patch set uploaded by Pascal Quantin: proto.c: add bounds check to proto_tree_add_text(_valist)_internal

https://code.wireshark.org/review/16686

Gerrit Code Review said:

Change 16686 merged by Pascal Quantin: proto.c: add bounds check to proto_tree_add_text(_valist)_internal

https://code.wireshark.org/review/16686

Pascal Quantin said:

*** Bug #12668 (closed) has been marked as a duplicate of this bug. ***

Gerrit Code Review said:

Change 16697 had a related patch set uploaded by Pascal Quantin: proto.c: add bounds check to proto_tree_add_text(_valist)_internal

https://code.wireshark.org/review/16697

Gerrit Code Review said:

Change 16697 merged by Michael Mann: proto.c: add bounds check to proto_tree_add_text(_valist)

https://code.wireshark.org/review/16697

Gerrit Code Review said:

Change 17022 had a related patch set uploaded by Balint Reczey: proto.c: add bounds check to proto_tree_add_text(_valist)

https://code.wireshark.org/review/17022

Gerrit Code Review said:

Change 17022 merged by Balint Reczey: proto.c: add bounds check to proto_tree_add_text(_valist)

https://code.wireshark.org/review/17022

closed

mentioned in issue #12668 (closed)

mentioned in merge request !8748 (merged)