Skip to content
Snippets Groups Projects

Crash while loading a pcap file

    • Closed Issue created by Wireshark GitLab Migration @ws-gitlab-migration

    This issue was migrated from bug 3925 in our old bug tracker.

    Original bug information:

    Reporter: boa…@‍gma…
    Status: RESOLVED FIXED
    Product: Wireshark
    Component: GTK+ UI
    OS: Windows XP
    Platform: x86
    Version: 1.2.1

    Attachments:

    PcapFileAndScreenshot.zip: A zip file with the pcap file that crashes wireshark and the screenshot

    To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

    Child items ...

    • Activity

    • Wireshark GitLab Migration
      Wireshark GitLab Migration @ws-gitlab-migration ·
      Author

      :speech_balloon: boa…@‍gma… said:

      Created attachment 3551 A zip file with the pcap file that crashes wireshark and the screenshot

      Build Information: Version 1.2.1 (SVN Rev 29141)

      Copyright 1998-2009 Gerald Combs <gerald@‍wireshark.org> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

      Compiled with GTK+ 2.16.2, with GLib 2.20.3, with WinPcap (version unknown), with libz 1.2.3, without POSIX capabilities, with libpcre 7.0, with SMI 0.4.8, with c-ares 1.6.0, with Lua 5.1, with GnuTLS 2.8.1, with Gcrypt 1.4.4, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 19 2009), with AirPcap.

      Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.0.2 (packet.dll version 4.0.0.1040), based on libpcap version 0.9.5, GnuTLS 2.8.1, Gcrypt 1.4.4, without AirPcap.

      Built using Microsoft Visual C++ 9.0 build 30729

      Wireshark is Open Source Software released under the GNU General Public License.

      Check the man page and http://www.wireshark.org for more information.

      I've created a pcap file using Pcap.Net (http://pcapdotnet.codeplex.com/) and I've tried to read it using Wireshark. The GUI crashes (attached a screenshot).
Also attached is the pcap file.
    • Wireshark GitLab Migration added crash oswindows uigtk version1.2 labels

      added crash oswindows uigtk version1.2 labels

    • Wireshark GitLab Migration
      Wireshark GitLab Migration @ws-gitlab-migration ·
      Author

      :speech_balloon: Joke Snelders said:

      Blame the capture file?

Run capinfos en look at the start and end time:

$ capinfos temp.pcap
File name:           temp.pcap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Number of packets:   100
File size:           11088 bytes
Data size:           9464 bytes
Capture duration:    4153758529 seconds
Start time:          Fri May 18 11:06:15 1973
End time:            Fri Jan 02 07:55:03 2105
Data byte rate:      0.00 bytes/sec
Data bit rate:       0.00 bits/sec
Average packet size: 94.64 bytes
Average packet rate: 0.00 packets/sec


Run TShark to see some of the expert info...(before TShark crashes too)
$ tshark -r temp.pcap -T fields -e expert.message

Arrival Time: Fractional second out of range (0-1000000000)
Arrival Time: Fractional second out of range (0-1000000000)
Arrival Time: Fractional second out of range (0-1000000000)
Malformed Packet (Exception occurred)
Connection establish request (SYN): server port 60547
Arrival Time: Fractional second out of range (0-1000000000)
Arrival Time: Fractional second out of range (0-1000000000)
Arrival Time: Fractional second out of range (0-1000000000)
Connection establish request (SYN): server port 43979
Arrival Time: Fractional second out of range (0-1000000000)
Arrival Time: Fractional second out of range (0-1000000000)
Malformed Packet (Exception occurred)
Arrival Time: Fractional second out of range (0-1000000000)
Arrival Time: Fractional second out of range (0-1000000000)
Arrival Time: Fractional second out of range (0-1000000000)
Connection finish (FIN)
Connection reset (RST)
Arrival Time: Fractional second out of range (0-1000000000)
Connection establish request (SYN): server port 27038
Connection reset (RST)
Malformed Packet (Exception occurred)
Arrival Time: Fractional second out of range (0-1000000000)
Arrival Time: Fractional second out of range (0-1000000000)
Malformed Packet (Exception occurred)
Connection reset (RST)


Run TShark and save the first 40 packets:
$ tshark -r temp.pcap -c 40 -w temp40.pcap
I was able to open the temp40.pcap with Wireshark 1.2.1 (SVN Rev 29141)
    • Wireshark GitLab Migration
      Wireshark GitLab Migration @ws-gitlab-migration ·
      Author

      :speech_balloon: Bill Meier said:

      Frame 43 causes the crash.

      The crash is caused by a problem in the FCOE dissector which ends up trying to calculate a crc for a buffer for which an invalid length has been calculated.

    • Wireshark GitLab Migration
      Wireshark GitLab Migration @ws-gitlab-migration ·
      Author

      :speech_balloon: Bill Meier said:

      As Joan indicated, the .pcap file seems pretty messed up. ;)

      Reading this file is essentially a stress test (aka a "fuzz-test") for Wireshark/Tshark.

      Data in frame #‍43 caused the fcoe dissector to pass an invalid buffer length parameter to a function which computes a crc on a buffer.

      I've committed a fix (SVN #‍29505) for the crash; Essentially: certain of the crc calculation functions now do some additional validation of the length parameter they receive.

      (I'll commit a second fix in a day or so to add some additional defensive coding to the fcoe dissector itself).

      Thanks for the report.

    • Wireshark GitLab Migration closed

      closed

    Please register or sign in to reply