Bug 14374 - Few FCP packets causing tshark to crash with null dereference
Summary: Few FCP packets causing tshark to crash with null dereference
Status: RESOLVED FIXED
Alias: None
Product: Wireshark
Classification: Unclassified
Component: Dissection engine (libwireshark) (show other bugs)
Version: Git
Hardware: x86 Linux
Importance: Low Major
Target Milestone: ---
Assignee: Bugzilla Administrator
URL:
Depends on:
Blocks:
 
Reported: 2018-01-30 20:25 UTC by otto.airamo
Modified: 2018-02-22 19:18 UTC (History)

See Also:


Attachments
fcp packets causing tshark to crash (4.57 KB, application/vnd.tcpdump.pcap)
2018-01-30 20:25 UTC, otto.airamo

Description otto.airamo 2018-01-30 20:25:22 UTC
Created attachment 16099
fcp packets causing tshark to crash

Build Information:
TShark (Wireshark) 2.5.0 (v2.5.0rc0-2501-g98d10690)
Built using gcc 5.4.0 20160609.
--
Fuzzed FCP packets cause a null dereference with a recent build from the repository (commit 98d1069066724477156aedf1d18e0dc72c204ead)

gdb backtrace:

Thread 1 "tshark" received signal SIGSEGV, Segmentation fault.
0x00007ffff444cba6 in dissect_fcp (tvb=0x669230, pinfo=0x6b0028, tree=0x6634f0, data=0x7fffea45e9a0) at packet-fcp.c:684
684	packet-fcp.c: No such file or directory.
(gdb) bt
#0  0x00007ffff444cba6 in dissect_fcp (tvb=0x669230, pinfo=0x6b0028, tree=0x6634f0, data=0x7fffea45e9a0) at packet-fcp.c:684
#1  0x00007ffff4143f4b in call_dissector_through_handle (handle=handle@entry=0x7fffebfc2c00, tvb=tvb@entry=0x669230, pinfo=pinfo@entry=0x6b0028,
    tree=tree@entry=0x6634f0, data=data@entry=0x7fffea45e9a0) at packet.c:681
#2  0x00007ffff4144f72 in call_dissector_work (handle=0x7fffebfc2c00, tvb=tvb@entry=0x669230, pinfo_arg=pinfo_arg@entry=0x6b0028,
    tree=tree@entry=0x6634f0, add_proto_name=add_proto_name@entry=0, data=data@entry=0x7fffea45e9a0) at packet.c:766
#3  0x00007ffff41458df in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=uint_val@entry=3, tvb=tvb@entry=0x669230,
    pinfo=pinfo@entry=0x6b0028, tree=tree@entry=0x6634f0, add_proto_name=add_proto_name@entry=0, data=0x7fffea45e9a0) at packet.c:1348
#4  0x00007ffff4442383 in dissect_fc_helper (tvb=tvb@entry=0x668de0, pinfo=0x6b0028, tree=0x6634f0, is_ifcp=is_ifcp@entry=1, fc_data=<optimized out>)
    at packet-fc.c:1144
#5  0x00007ffff4442b76 in dissect_fc_ifcp (tvb=0x668de0, pinfo=<optimized out>, tree=<optimized out>, data=<optimized out>) at packet-fc.c:1251
#6  0x00007ffff4143f4b in call_dissector_through_handle (handle=handle@entry=0x7fffebe4f2f0, tvb=tvb@entry=0x668de0, pinfo=pinfo@entry=0x6b0028,
    tree=tree@entry=0x6634f0, data=data@entry=0x7fffffffc9c0) at packet.c:681
#7  0x00007ffff4144f72 in call_dissector_work (handle=0x7fffebe4f2f0, tvb=0x668de0, pinfo_arg=0x6b0028, tree=0x6634f0, add_proto_name=1,
    data=0x7fffffffc9c0) at packet.c:766
#8  0x00007ffff4146ca2 in call_dissector_with_data (handle=<optimized out>, tvb=0x668de0, pinfo=pinfo@entry=0x6b0028, tree=tree@entry=0x6634f0,
    data=data@entry=0x7fffffffc9c0) at packet.c:3092
#9  0x00007ffff45857cf in dissect_ifcp_pdu (tvb=tvb@entry=0x6690f0, pinfo=pinfo@entry=0x6b0028, parent_tree=parent_tree@entry=0x6634f0,
    data=data@entry=0x7fffffffd0d0) at packet-ifcp.c:444
#10 0x00007ffff49c0c26 in tcp_dissect_pdus (tvb=tvb@entry=0x668e80, pinfo=pinfo@entry=0x6b0028, tree=tree@entry=0x6634f0, proto_desegment=1,
    fixed_len=fixed_len@entry=16, get_pdu_len=get_pdu_len@entry=0x7ffff4585ab0 <get_ifcp_pdu_len>, dissect_pdu=0x7ffff4585400 <dissect_ifcp_pdu>,
    dissector_data=0x7fffffffd0d0) at packet-tcp.c:3624
#11 0x00007ffff4585b50 in dissect_ifcp (data=0x7fffffffd0d0, parent_tree=0x6634f0, pinfo=0x6b0028, tvb=0x668e80) at packet-ifcp.c:468
#12 dissect_ifcp_heur (tvb=0x668e80, pinfo=0x6b0028, tree=0x6634f0, data=0x7fffffffd0d0) at packet-ifcp.c:491
#13 0x00007ffff4146642 in dissector_try_heuristic (sub_dissectors=<optimized out>, tvb=tvb@entry=0x668e80, pinfo=pinfo@entry=0x6b0028,
    tree=tree@entry=0x6634f0, heur_dtbl_entry=heur_dtbl_entry@entry=0x7fffffffcce0, data=data@entry=0x7fffffffd0d0) at packet.c:2688
#14 0x00007ffff49c11e6 in decode_tcp_ports (tvb=tvb@entry=0x668f20, offset=<optimized out>, pinfo=pinfo@entry=0x6b0028, tree=tree@entry=0x6634f0,
    src_port=src_port@entry=3420, dst_port=dst_port@entry=49641, tcpd=0x7fffea692f90, tcpinfo=0x7fffffffd0d0) at packet-tcp.c:5568
#15 0x00007ffff49c1425 in process_tcp_payload (tvb=tvb@entry=0x668f20, offset=offset@entry=20, pinfo=pinfo@entry=0x6b0028, tree=tree@entry=0x6634f0,
    tcp_tree=tcp_tree@entry=0x7fffeb288f30, src_port=src_port@entry=3420, dst_port=49641, seq=0, nxtseq=0, is_tcp_segment=0, tcpd=0x7fffea692f90,
    tcpinfo=0x7fffffffd0d0) at packet-tcp.c:5623
#16 0x00007ffff49c1b40 in desegment_tcp (tcpinfo=0x7fffffffd0d0, tcpd=0x7fffea692f90, tcp_tree=0x7fffeb288f30, tree=0x6634f0, dport=49641, sport=3420,
    nxtseq=2611478292, seq=2611478204, offset=20, pinfo=0x6b0028, tvb=0x668f20) at packet-tcp.c:3146
#17 dissect_tcp_payload (tvb=tvb@entry=0x668f20, pinfo=pinfo@entry=0x6b0028, offset=offset@entry=20, seq=<optimized out>,
    nxtseq=nxtseq@entry=2611478292, sport=3420, dport=49641, tree=0x6634f0, tcp_tree=0x7fffeb288f30, tcpd=0x7fffea692f90, tcpinfo=0x7fffffffd0d0)
    at packet-tcp.c:5696
#18 0x00007ffff49c32bd in dissect_tcp (tvb=0x668f20, pinfo=<optimized out>, tree=0x6634f0, data=<optimized out>) at packet-tcp.c:6534
#19 0x00007ffff4143f4b in call_dissector_through_handle (handle=handle@entry=0x7fffebf64260, tvb=tvb@entry=0x668f20, pinfo=pinfo@entry=0x6b0028,
    tree=tree@entry=0x6634f0, data=data@entry=0x7fffea45e290) at packet.c:681
#20 0x00007ffff4144f72 in call_dissector_work (handle=0x7fffebf64260, tvb=tvb@entry=0x668f20, pinfo_arg=pinfo_arg@entry=0x6b0028,
    tree=tree@entry=0x6634f0, add_proto_name=add_proto_name@entry=1, data=data@entry=0x7fffea45e290) at packet.c:766
#21 0x00007ffff41458df in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=6, tvb=0x668f20, pinfo=0x6b0028, tree=0x6634f0,
    add_proto_name=add_proto_name@entry=1, data=0x7fffea45e290) at packet.c:1348
#22 0x00007ffff4598268 in ip_try_dissect (heur_first=<optimized out>, nxt=6, tvb=tvb@entry=0x668f20, pinfo=pinfo@entry=0x6b0028,
    tree=tree@entry=0x6634f0, iph=iph@entry=0x7fffea45e290) at packet-ip.c:1857
#23 0x00007ffff45992a3 in dissect_ip_v4 (tvb=0x6691e0, pinfo=<optimized out>, parent_tree=<optimized out>, data=<optimized out>) at packet-ip.c:2315
#24 0x00007ffff4143f4b in call_dissector_through_handle (handle=handle@entry=0x7fffebfe9bf0, tvb=tvb@entry=0x6691e0, pinfo=pinfo@entry=0x6b0028,
    tree=tree@entry=0x6634f0, data=data@entry=0x0) at packet.c:681
#25 0x00007ffff4144f72 in call_dissector_work (handle=0x7fffebfe9bf0, tvb=tvb@entry=0x6691e0, pinfo_arg=pinfo_arg@entry=0x6b0028,
    , add_proto_name=add_proto_name@entry=1, data=data@entry=0x0) at packet.c:766
#26 0x00007ffff41458df in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=2048, tvb=0x6691e0, pinfo=pinfo@entry=0x6b0028, tree=tree@entry=0x6634f0,
    add_proto_name=add_proto_name@entry=1, data=0x0) at packet.c:1348
#27 0x00007ffff4145921 in dissector_try_uint (sub_dissectors=<optimized out>, uint_val=<optimized out>, tvb=<optimized out>, pinfo=pinfo@entry=0x6b0028, tree=tree@entry=0x6634f0) at packet.c:1372
#28 0x00007ffff443b4a3 in dissect_ethertype (tvb=0x6af520, pinfo=0x6b0028, tree=0x6634f0, data=0x7fffffffd740) at packet-ethertype.c:271
#29 0x00007ffff4143f4b in call_dissector_through_handle (handle=handle@entry=0x7fffebe53330, tvb=tvb@entry=0x6af520, pinfo=pinfo@entry=0x6b0028, tree=tree@entry=0x6634f0,
    data=data@entry=0x7fffffffd740) at packet.c:681
#30 0x00007ffff4144f72 in call_dissector_work (handle=0x7fffebe53330, tvb=0x6af520, pinfo_arg=0x6b0028, tree=0x6634f0, add_proto_name=1, data=0x7fffffffd740) at packet.c:766
#31 0x00007ffff4146ca2 in call_dissector_with_data (handle=<optimized out>, tvb=tvb@entry=0x6af520, pinfo=pinfo@entry=0x6b0028, tree=tree@entry=0x6634f0, data=data@entry=0x7fffffffd740)
    at packet.c:3092
#32 0x00007ffff4439d38 in dissect_eth_common (tvb=tvb@entry=0x6af520, pinfo=pinfo@entry=0x6b0028, parent_tree=parent_tree@entry=0x6634f0, fcs_len=-1) at packet-eth.c:536
#33 0x00007ffff443a8c1 in dissect_eth (tvb=0x6af520, pinfo=0x6b0028, tree=0x6634f0, data=0x7fffffffe310) at packet-eth.c:800
#34 0x00007ffff4143f4b in call_dissector_through_handle (handle=handle@entry=0x7fffebfc2060, tvb=tvb@entry=0x6af520, pinfo=pinfo@entry=0x6b0028, tree=tree@entry=0x6634f0,
    data=data@entry=0x7fffffffe310) at packet.c:681
#35 0x00007ffff4144f72 in call_dissector_work (handle=0x7fffebfc2060, tvb=tvb@entry=0x6af520, pinfo_arg=pinfo_arg@entry=0x6b0028, tree=tree@entry=0x6634f0, add_proto_name=add_proto_name@entry=1,
    data=data@entry=0x7fffffffe310) at packet.c:766
#36 0x00007ffff41458df in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=1, tvb=tvb@entry=0x6af520, pinfo=pinfo@entry=0x6b0028, tree=tree@entry=0x6634f0,
    add_proto_name=add_proto_name@entry=1, data=0x7fffffffe310) at packet.c:1348
#37 0x00007ffff446e337 in dissect_frame (tvb=0x6af520, pinfo=0x6b0028, parent_tree=0x6634f0, data=0x7fffffffdd00) at packet-frame.c:563
#38 0x00007ffff4143f4b in call_dissector_through_handle (handle=handle@entry=0x7fffebe53eb0, tvb=tvb@entry=0x6af520, pinfo=pinfo@entry=0x6b0028, tree=tree@entry=0x6634f0,
    data=data@entry=0x7fffffffdd00) at packet.c:681
#39 0x00007ffff4144f72 in call_dissector_work (handle=0x7fffebe53eb0, tvb=0x6af520, pinfo_arg=0x6b0028, tree=0x6634f0, add_proto_name=1, data=0x7fffffffdd00) at packet.c:766
#40 0x00007ffff4146ca2 in call_dissector_with_data (handle=<optimized out>, tvb=0x6af520, pinfo=0x6b0028, tree=0x6634f0, data=<optimized out>) at packet.c:3092
#41 0x00007ffff41471ed in dissect_record (edt=edt@entry=0x6b0010, file_type_subtype=file_type_subtype@entry=1, phdr=phdr@entry=0x7fffffffe2a0, tvb=tvb@entry=0x6af520, fd=fd@entry=0x6b0d60,
    cinfo=cinfo@entry=0x0) at packet.c:555
#42 0x00007ffff413ca64 in epan_dissect_run_with_taps (edt=edt@entry=0x6b0010, file_type_subtype=1, phdr=phdr@entry=0x7fffffffe2a0, tvb=0x6af520, fd=fd@entry=0x6b0d60, cinfo=cinfo@entry=0x0)
    at epan.c:540
#43 0x000000000040fae9 in process_packet_second_pass (cf=0x645f00 <cfile>, tap_flags=<optimized out>, buf=0x7fffffffe000, phdr=0x7fffffffe2a0, fdata=0x6b0d60, edt=0x6b0010) at tshark.c:2979
#44 process_cap_file (cf=0x645f00 <cfile>, max_byte_count=<optimized out>, max_packet_count=<optimized out>, out_file_name_res=<optimized out>, out_file_type=<optimized out>, save_file=0x0)
    at tshark.c:3238
#45 main (argc=<optimized out>, argv=<optimized out>) at tshark.c:2019
(gdb)

Credit goes to: Otto Airamo and Antti Levomäki, Forcepoint
Comment 1 Gerrit Code Review 2018-02-07 02:37:03 UTC
Change 25649 had a related patch set uploaded by Michael Mann:
FCP: Add NULL check to prevent crash.

https://code.wireshark.org/review/25649
Comment 2 Gerrit Code Review 2018-02-07 03:16:45 UTC
Change 25649 merged by Michael Mann:
FCP: Add NULL check to prevent crash.

https://code.wireshark.org/review/25649
Comment 3 Gerrit Code Review 2018-02-07 03:16:56 UTC
Change 25653 had a related patch set uploaded by Michael Mann:
FCP: Add NULL check to prevent crash.

https://code.wireshark.org/review/25653
Comment 4 Gerrit Code Review 2018-02-07 03:17:18 UTC
Change 25654 had a related patch set uploaded by Michael Mann:
FCP: Add NULL check to prevent crash.

https://code.wireshark.org/review/25654
Comment 5 Gerrit Code Review 2018-02-07 04:11:44 UTC
Change 25653 merged by Michael Mann:
FCP: Add NULL check to prevent crash.

https://code.wireshark.org/review/25653
Comment 6 Gerrit Code Review 2018-02-07 05:18:49 UTC
Change 25654 merged by Anders Broman:
FCP: Add NULL check to prevent crash.

https://code.wireshark.org/review/25654
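The pattern behind this report and its fix, as an added illustration that is not Wireshark's code and not the contents of change 25649: a sub-dissector receives an opaque `data` pointer from the parent layer (frame #4, `dissect_fc_helper`, hands `data` to `dissect_fcp`), and the crash at packet-fcp.c:684 is a dereference of something reached through that pointer that fuzzed input leaves NULL. The `tvb_t`, `parent_hdr_t` and `exchange_state_t` types, the field names and the sample bytes below are all constructed stand-ins; the unchecked and checked functions show the bug-shaped form beside the "add NULL check" form the Gerrit comments describe.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for what a Wireshark-style sub-dissector receives.
   These are NOT Wireshark's real tvbuff_t, fc_hdr or exchange types. */
typedef struct { const uint8_t *buf; size_t len; } tvb_t;

typedef struct {                 /* per-exchange state kept by the parent layer */
    uint16_t last_cmd_opcode;
} exchange_state_t;

typedef struct {                 /* what the parent (FC) layer passes via `data` */
    uint8_t type;
    exchange_state_t *exchange;  /* NULL when the parent never saw the exchange */
} parent_hdr_t;

/* Bug-shaped form: trusts that `data` and the exchange behind it exist.
   A crafted or fuzzed packet that reaches the dissector without an
   established exchange leaves `exchange == NULL` and the write faults. */
int dissect_fcp_unchecked(const tvb_t *tvb, void *data)
{
    parent_hdr_t *hdr = (parent_hdr_t *)data;
    if (tvb->len < 1)
        return 0;
    hdr->exchange->last_cmd_opcode = tvb->buf[0];  /* NULL dereference here */
    return (int)tvb->len;
}

/* Hardened form: validate every pointer reached through the opaque `data`
   argument before use. Returning 0 tells the caller no bytes were consumed,
   the usual "cannot dissect this" signal, so the frame is still shown as raw
   bytes instead of taking the whole process down. */
int dissect_fcp_checked(const tvb_t *tvb, void *data)
{
    parent_hdr_t *hdr = (parent_hdr_t *)data;
    if (hdr == NULL || hdr->exchange == NULL)
        return 0;
    if (tvb->len < 1)
        return 0;
    hdr->exchange->last_cmd_opcode = tvb->buf[0];
    return (int)tvb->len;
}

/* Well-formed input: both forms behave the same (4 bytes consumed). */
int run_unchecked_on_valid(void)
{
    static const uint8_t cmd[] = { 0x2a, 0x00, 0x00, 0x00 };  /* constructed */
    exchange_state_t st = { 0 };
    parent_hdr_t ok = { 0x08, &st };
    tvb_t tvb = { cmd, sizeof cmd };
    return dissect_fcp_unchecked(&tvb, &ok);
}

/* Drive the checked dissector over the kind of mix a fuzzer produces: a
   normal packet, one with no exchange state, and a NULL data pointer.
   Returns how many packets were actually dissected; the two malformed
   ones are rejected instead of crashing. */
int run_checked_corpus(void)
{
    static const uint8_t cmd[] = { 0x2a, 0x00, 0x00, 0x00 };  /* constructed */
    exchange_state_t st = { 0 };
    parent_hdr_t ok     = { 0x08, &st  };
    parent_hdr_t orphan = { 0x08, NULL };
    tvb_t tvb = { cmd, sizeof cmd };

    int handled = 0;
    handled += dissect_fcp_checked(&tvb, &ok)     > 0;  /* dissected */
    handled += dissect_fcp_checked(&tvb, &orphan) > 0;  /* rejected, no crash */
    handled += dissect_fcp_checked(&tvb, NULL)    > 0;  /* rejected, no crash */
    return handled;
}

/* Confirms the checked path still records state when the exchange exists. */
int last_opcode_after_checked(void)
{
    static const uint8_t cmd[] = { 0x2a, 0x00 };  /* constructed */
    exchange_state_t st = { 0 };
    parent_hdr_t ok = { 0x08, &st };
    tvb_t tvb = { cmd, sizeof cmd };
    dissect_fcp_checked(&tvb, &ok);
    return st.last_cmd_opcode;
}
```

The defensive point is the one the merged change makes: anything a dissector reaches through `data` is supplied by another dissector on a packet-by-packet basis and may be absent for malformed or out-of-order traffic, so it needs the same validation as bytes read from the tvbuff. Fuzzing the capture format with a small corpus, as the reporters did, is the cheapest way to find the dereferences that a code read misses.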