Capture file that crashes wireshark in packet-rtps2.c

This issue was migrated from bug 7568 in our old bug tracker.

Original bug information:

Reporter: Laurent Butti
Status: RESOLVED FIXED
Product: Wireshark
Component: GTK+ UI
OS: All
Platform: x86
Version: 1.8.1

Attachments:

packet-rtps2.crash: capture triggering the crash

Laurent Butti said:

Created attachment 8894

capture triggering the crash

Build Information:

1.8.1

Hi,

Here is a PCAP file triggering a crash that could enable a remote party to trigger (a least) a remote denial of service.

This was successfully tested on 1.8.1.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

Program received signal SIGABRT, Aborted.
0x0012d422 in __kernel_vsyscall ()
(gdb) bt
#0  0x0012d422 in __kernel_vsyscall ()
#1  0x02a90651 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x02a93a82 in *__GI_abort () at abort.c:92
#3  0x02ac706d in __libc_message (do_abort=2, fmt=0x2b9a095 "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#4  0x02b482d0 in *__GI___fortify_fail (msg=<value optimized out>) at fortify_fail.c:32
#5  0x02b4827a in __stack_chk_fail () at stack_chk_fail.c:29
#6  0x015474c4 in __stack_chk_fail_local () from /home/laurent/wireshark-1.8.1/lib/libwireshark.so.2
#7  0x00e13e05 in rtps_util_add_bitmap (tree=<value optimized out>, tvb=<value optimized out>, offset=40, little_endian=0, label=0x19e754f "gapList")
    at packet-rtps2.c:3145
#8  0x00e1f079 in dissect_GAP (tvb=0x87f5070, pinfo=0xbfffe424, tree=0xb6914000) at packet-rtps2.c:7026
#9  dissect_rtps (tvb=0x87f5070, pinfo=0xbfffe424, tree=0xb6914000) at packet-rtps2.c:8843
#10 0x0078898e in dissector_try_heuristic (sub_dissectors=0x8749b00, tvb=0x87f5070, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:1727
#11 0x00f524f9 in decode_udp_ports (tvb=0x87f5038, offset=8, pinfo=0xbfffe424, tree=0xb6914000, uh_sport=58018, uh_dport=7401, uh_ulen=132)
    at packet-udp.c:281
#12 0x00f52cda in dissect (tvb=<value optimized out>, pinfo=<value optimized out>, tree=0xb6914000, ip_proto=17) at packet-udp.c:595
#13 0x00788786 in call_dissector_through_handle (handle=0x86cb010, tvb=<value optimized out>, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:419
#14 0x00788fe9 in call_dissector_work (handle=0x86cb010, tvb=<value optimized out>, pinfo_arg=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:510
#15 0x0078a38b in dissector_try_uint_new (sub_dissectors=0x83444a8, uint_val=17, tvb=0x87f5038, pinfo=0xbfffe424, tree=0xb6914000, add_proto_name=1)
    at packet.c:935
#16 0x0078a401 in dissector_try_uint (sub_dissectors=0x83444a8, uint_val=17, tvb=0x87f5038, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:961
#17 0x00ba80f1 in dissect_ip (tvb=0x87f5000, pinfo=0xbfffe424, parent_tree=0xb6914000) at packet-ip.c:2370
#18 0x00788786 in call_dissector_through_handle (handle=0x8345920, tvb=<value optimized out>, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:419
#19 0x00788fe9 in call_dissector_work (handle=0x8345920, tvb=<value optimized out>, pinfo_arg=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:510
---Type <return> to continue, or q <return> to quit---
#20 0x0078a38b in dissector_try_uint_new (sub_dissectors=0x8267a80, uint_val=2048, tvb=0x87f5000, pinfo=0xbfffe424, tree=0xb6914000, add_proto_name=1)
    at packet.c:935
#21 0x0078a401 in dissector_try_uint (sub_dissectors=0x8267a80, uint_val=2048, tvb=0x87f5000, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:961
#22 0x00a49f65 in ethertype (etype=2048, tvb=0x87f4fa8, offset_after_etype=14, pinfo=0xbfffe424, tree=0xb6914000, fh_tree=0xb6914168, etype_id=21582,
    trailer_id=21586, fcs_len=-1) at packet-ethertype.c:270
#23 0x00a4894a in dissect_eth_common (tvb=0x87f4fa8, pinfo=0xbfffe424, parent_tree=0xb6914000, fcs_len=-1) at packet-eth.c:403
#24 0x00788786 in call_dissector_through_handle (handle=0x8267a28, tvb=<value optimized out>, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:419
#25 0x00788fe9 in call_dissector_work (handle=0x8267a28, tvb=<value optimized out>, pinfo_arg=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:510
#26 0x0078a38b in dissector_try_uint_new (sub_dissectors=0x828b9e0, uint_val=1, tvb=0x87f4fa8, pinfo=0xbfffe424, tree=0xb6914000, add_proto_name=1)
    at packet.c:935
#27 0x0078a401 in dissector_try_uint (sub_dissectors=0x828b9e0, uint_val=1, tvb=0x87f4fa8, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:961
#28 0x00a8a859 in dissect_frame (tvb=0x87f4fa8, pinfo=0xbfffe424, parent_tree=0xb6914000) at packet-frame.c:383
#29 0x00788786 in call_dissector_through_handle (handle=0x828bab0, tvb=<value optimized out>, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:419
#30 0x00788fe9 in call_dissector_work (handle=0x828bab0, tvb=<value optimized out>, pinfo_arg=0xbfffe424, tree=0xb6914000, add_proto_name=1) at packet.c:510
#31 0x007891ea in call_dissector (handle=0x828bab0, tvb=0x87f4fa8, pinfo=0xbfffe424, tree=0xb6914000) at packet.c:1996
#32 0x0078afa2 in dissect_packet (edt=0xbfffe41c, pseudo_header=0x88c5228, pd=0x88ca9e0 "\001", fd=0xbfffe548, cinfo=0x0) at packet.c:350
#33 0x00780009 in epan_dissect_run (edt=0xbfffe41c, pseudo_header=0x88c5228, data=0x88ca9e0 "\001", fd=0xbfffe548, cinfo=0x0) at epan.c:210
#34 0x0805d90b in process_packet (cf=0x8085300, offset=<value optimized out>, whdr=0x88c51dc, pseudo_header=0x88c5228, pd=0x88ca9e0 "\001",
    filtering_tap_listeners=0, tap_flags=<value optimized out>) at tshark.c:3074
#35 0x08061503 in load_cap_file (argc=3, argv=0xbfffeb04) at tshark.c:2867
#36 main (argc=3, argv=0xbfffeb04) at tshark.c:1759

added crash uigtk version1.8 labels

Jeff Morriss said:

I can't reproduce this one on Linux (64-bit). Valgrind is quiet, too. Were you running this under Fortify when the error occurred?

Jakub Zawadzki said:

From rtps_util_add_bitmap():

  (num_bits is 32-bit signed number fetched from tvb)
  (temp_buff char array with MAX_BITMAP_SIZE size)

  for (i = 0; i < num_bits; i += 32) {
    /* ... */
    for (j = 0; j < 32; ++j) {
      temp_buff[idx] = (data & datamask) ? '1':'0'; // <-- buffer overflow here.

      ++idx;
      /* ... */

      // protection here terminates only *inner* loop
      if (idx >= MAX_BITMAP_SIZE-1)
        break;
    }
  }

Jeff Morriss said:

*** Bug #7604 (closed) has been marked as a duplicate of this bug. ***

Gerald Combs said:

I was able to reproduce it on an Ubuntu 12.04 64-bit machine here. Fix checked in in r44320. Thanks!

Jeff Morriss said:

Closing since a fix was checked in.

Jeff Morriss said:

*** Bug #7605 (closed) has been marked as a duplicate of this bug. ***

closed

mentioned in issue #7604 (closed)

mentioned in issue #7605 (closed)