Fuzzed PCAP causing segmentation fault in dissect_ldss_transfer

This issue was migrated from bug 12662 in our old bug tracker.

Original bug information:

Reporter: Antti Levomäki
Status: RESOLVED FIXED
Product: Wireshark
Component: Dissection engine (libwireshark)
OS: Windows 7
Platform: x86
Version: 2.0.2

Attachments:

82f42c5d61cddd879098285d18156df4e7aeb5ffb1f37a7544f00e44ad52491e.pcap: Sample PCAP

Antti Levomäki said:

Created attachment 14760 Sample PCAP

Build Information: TShark (Wireshark) 2.0.2 (SVN Rev Unknown from unknown)

Copyright 1998-2016 Gerald Combs <gerald@‍wireshark.org> and contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3, with libz 1.2.8, with GLib 2.48.0, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos, with GeoIP.

Running on Linux 4.4.0-22-generic, with locale en_GB.UTF-8, with libpcap version 1.7.4, with libz 1.2.8, with GnuTLS 3.4.10, with Gcrypt 1.6.5. Intel Core Processor (Haswell) (with SSE4.2)

Built using gcc 5.3.1 20160407.

Fuzzed PCAP causes segmentation fault on tshark 2.0.2 and a recent build from repository ( commit 688d055acd523e645c1e87267dcf4a0a9867adbd ).

ASAN output from 'tshark -2 -V -r <pcap>':

ASAN:SIGSEGV
=================================================================
==14033==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f7a7ba93fec bp 0x7fff425eab60 sp 0x7fff425ea200 T0)
    #0 0x7f7a7ba93feb in dissect_ldss_transfer /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ldss.c:507
    #1 0x7f7a7b3ac92e in call_dissector_through_handle /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #2 0x7f7a7b3ac92e in call_dissector_work /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #3 0x7f7a7b38e764 in try_conversation_dissector /workarea/fuzz/victimlibs2/wireshark/epan/conversation.c:1323
    #4 0x7f7a7bef5025 in decode_tcp_ports /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-tcp.c:4994
    #5 0x7f7a7bef5934 in process_tcp_payload /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-tcp.c:5098
    #6 0x7f7a7bef63d0 in dissect_tcp_payload /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-tcp.c:5179
    #7 0x7f7a7befaa60 in dissect_tcp /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-tcp.c:6036
    #8 0x7f7a7b3ac92e in call_dissector_through_handle /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #9 0x7f7a7b3ac92e in call_dissector_work /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #10 0x7f7a7b3ad707 in dissector_try_uint_new /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #11 0x7f7a7b9b5ec3 in ip_try_dissect /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ip.c:1976
    #12 0x7f7a7b9b8038 in dissect_ip_v4 /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ip.c:2439
    #13 0x7f7a7b3ac92e in call_dissector_through_handle /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #14 0x7f7a7b3ac92e in call_dissector_work /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #15 0x7f7a7b3ad707 in dissector_try_uint_new /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #16 0x7f7a7b3ad7a0 in dissector_try_uint /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1213
    #17 0x7f7a7b811978 in dissect_ethertype /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ethertype.c:262
    #18 0x7f7a7b3ac92e in call_dissector_through_handle /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #19 0x7f7a7b3ac92e in call_dissector_work /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #20 0x7f7a7b3afd41 in call_dissector_with_data /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #21 0x7f7a7b80f772 in dissect_eth_common /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-eth.c:539
    #22 0x7f7a7b810822 in dissect_eth /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-eth.c:803
    #23 0x7f7a7b3ac92e in call_dissector_through_handle /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #24 0x7f7a7b3ac92e in call_dissector_work /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #25 0x7f7a7b3ad707 in dissector_try_uint_new /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #26 0x7f7a7b85b185 in dissect_frame /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-frame.c:507
    #27 0x7f7a7b3ac92e in call_dissector_through_handle /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #28 0x7f7a7b3ac92e in call_dissector_work /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #29 0x7f7a7b3afd41 in call_dissector_with_data /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #30 0x7f7a7b3b0cb3 in dissect_record /workarea/fuzz/victimlibs2/wireshark/epan/packet.c:531
    #31 0x7f7a7b397f83 in epan_dissect_run_with_taps /workarea/fuzz/victimlibs2/wireshark/epan/epan.c:378
    #32 0x41129f in process_packet_second_pass /workarea/fuzz/victimlibs2/wireshark/tshark.c:2777
    #33 0x41129f in load_cap_file /workarea/fuzz/victimlibs2/wireshark/tshark.c:3044
    #34 0x41129f in main /workarea/fuzz/victimlibs2/wireshark/tshark.c:1873
    #35 0x7f7a744fa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #36 0x412608 in _start (/workarea/fuzz/bin/shark/tshark+0x412608)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ldss.c:507 dissect_ldss_transfer
==14033==ABORTING

added crash libwireshark oswindows version2.0 labels

Gerrit Code Review said:

Change 16660 had a related patch set uploaded by Pascal Quantin: LDSS: check if a conversation already exists before recreating it

https://code.wireshark.org/review/16660

Gerrit Code Review said:

Change 16660 merged by Anders Broman: LDSS: check if a conversation already exists before recreating it

https://code.wireshark.org/review/16660

Gerrit Code Review said:

Change 16661 had a related patch set uploaded by Pascal Quantin: LDSS: check if a conversation already exists before recreating it

https://code.wireshark.org/review/16661

Gerrit Code Review said:

Change 16661 merged by Pascal Quantin: LDSS: check if a conversation already exists before recreating it

https://code.wireshark.org/review/16661

Gerrit Code Review said:

Change 16662 had a related patch set uploaded by Pascal Quantin: LDSS: check if a conversation already exists before recreating it

https://code.wireshark.org/review/16662

Gerrit Code Review said:

Change 16662 merged by Pascal Quantin: LDSS: check if a conversation already exists before recreating it

https://code.wireshark.org/review/16662

Gerrit Code Review said:

Change 16663 had a related patch set uploaded by Pascal Quantin: LDSS: check if a conversation already exists before recreating it

https://code.wireshark.org/review/16663

Gerrit Code Review said:

Change 16663 merged by Pascal Quantin: LDSS: check if a conversation already exists before recreating it

https://code.wireshark.org/review/16663

Gerrit Code Review said:

Change 17021 had a related patch set uploaded by Balint Reczey: LDSS: check if a conversation already exists before recreating it

https://code.wireshark.org/review/17021

Gerrit Code Review said:

Change 17021 merged by Balint Reczey: LDSS: check if a conversation already exists before recreating it

https://code.wireshark.org/review/17021

closed