Wireshark dies in dissect_coap
This issue was migrated from bug 14966 in our old bug tracker.
Original bug information:
Reporter: Bill Nickless
Status: RESOLVED FIXED
Product: Wireshark
Component: Qt UI
OS: macOS 10.13
Platform: x86-64
Version: 2.6.1
Attachments:
alludpports.pcap: Synthetic pcap file that reliably crashes Wireshark
See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14367
Bill Nickless said: Created attachment 16487 Synthetic pcap file that reliably crashes Wireshark
Build Information: Wireshark 2.6.1 (v2.6.1-0-g860a78b3)
Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with GLib 2.36.0, with zlib 1.2.5, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4, with GnuTLS 3.4.17, with Gcrypt 1.7.7, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.21.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with SBC, with SpanDSP, with bcg729.
Running on Mac OS X 10.13.5, build 17F77 (Darwin 17.6.0), with Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz (with SSE4.2), with 16384 MB of physical memory, with locale C, with libpcap version 1.8.1 -- Apple version 79.20.1, with GnuTLS 3.4.17, with Gcrypt 1.7.7, with zlib 1.2.11, binary plugins supported (0 loaded).
Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.9.00).
Wireshark reliably dies in dissect_coap when trying to open the attached .pcap file. The attached file was created with the following trafgen invocation on one virtual machine, and captured on a second virtual machine using tcpdump.
trafgen invocation:
trafgen -o ens192 --cpus 1 -n 8192 -t 1ms '{ 0x01, 0x00, 0x5e, 0x10, 0x01, 0x14, ipv4(da=230.16.1.20), udp(sp=666,dp=dinc(0,65535)), fill(0x00,128) }'
- Wireshark GitLab Migration added osmacos uiqt version2.6 labels
Alexis La Goutte said: Crash also for me:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libwireshark.0.0.0.dylib 0x0000000101e011af dissect_coap + 143 (packet-coap.c:1014)
1 libwireshark.0.0.0.dylib 0x0000000102a98296 call_dissector_through_handle + 102 (packet.c:692)
2 libwireshark.0.0.0.dylib 0x0000000102a98c1e call_dissector_work + 270 (packet.c:777)
3 libwireshark.0.0.0.dylib 0x0000000102a993d9 dissector_try_uint + 105 (packet.c:1360)
4 libwireshark.0.0.0.dylib 0x0000000102514771 decode_udp_ports + 657 (packet-udp.c:670)
5 libwireshark.0.0.0.dylib 0x000000010251553c dissect + 3004 (packet-udp.c:953)
6 libwireshark.0.0.0.dylib 0x0000000102513ae9 dissect_udp + 25 (packet-udp.c:1133)
7 libwireshark.0.0.0.dylib 0x0000000102a98296 call_dissector_through_handle + 102 (packet.c:692)
8 libwireshark.0.0.0.dylib 0x0000000102a98c1e call_dissector_work + 270 (packet.c:777)
9 libwireshark.0.0.0.dylib 0x0000000102a99280 dissector_try_uint_new + 112 (packet.c:1360)
10 libwireshark.0.0.0.dylib 0x0000000102094c88 ip_try_dissect + 104 (packet-ip.c:1831)
11 libwireshark.0.0.0.dylib 0x00000001020922ac dissect_ip_v4 + 5564 (packet-ip.c:2287)
12 libwireshark.0.0.0.dylib 0x0000000102a98296 call_dissector_through_handle + 102 (packet.c:692)
13 libwireshark.0.0.0.dylib 0x0000000102a98c1e call_dissector_work + 270 (packet.c:777)
14 libwireshark.0.0.0.dylib 0x0000000102a993d9 dissector_try_uint + 105 (packet.c:1360)
15 libwireshark.0.0.0.dylib 0x0000000101f1df51 dissect_ethertype + 353 (packet-ethertype.c:260)
16 libwireshark.0.0.0.dylib 0x0000000102a98296 call_dissector_through_handle + 102 (packet.c:692)
17 libwireshark.0.0.0.dylib 0x0000000102a98c1e call_dissector_work + 270 (packet.c:777)
18 libwireshark.0.0.0.dylib 0x0000000102a98fe2 call_dissector_with_data + 50 (packet.c:3103)
19 libwireshark.0.0.0.dylib 0x0000000101f1d4fa dissect_eth_common + 3066 (packet-eth.c:526)
20 libwireshark.0.0.0.dylib 0x0000000101f1c685 dissect_eth + 373 (packet-eth.c:802)
21 libwireshark.0.0.0.dylib 0x0000000102a98296 call_dissector_through_handle + 102 (packet.c:692)
22 libwireshark.0.0.0.dylib 0x0000000102a98c1e call_dissector_work + 270 (packet.c:777)
23 libwireshark.0.0.0.dylib 0x0000000102a99280 dissector_try_uint_new + 112 (packet.c:1360)
24 libwireshark.0.0.0.dylib 0x0000000101f5213f dissect_frame + 3439 (packet-frame.c:579)
25 libwireshark.0.0.0.dylib 0x0000000102a98296 call_dissector_through_handle + 102 (packet.c:692)
26 libwireshark.0.0.0.dylib 0x0000000102a98c1e call_dissector_work + 270 (packet.c:777)
27 libwireshark.0.0.0.dylib 0x0000000102a98fe2 call_dissector_with_data + 50 (packet.c:3103)
28 libwireshark.0.0.0.dylib 0x0000000102a9b935 dissect_record + 901 (packet.c:568)
29 libwireshark.0.0.0.dylib 0x0000000102a8dc09 epan_dissect_run + 73 (epan.c:532)
30 org.wireshark.Wireshark 0x000000010113818f PacketListRecord::dissect(_capture_file*, bool) + 461 (packet_list_record.cpp:178)
31 org.wireshark.Wireshark 0x0000000101138363 PacketListRecord::columnString(_capture_file*, int, bool) + 179 (packet_list_record.cpp:71)
32 org.wireshark.Wireshark 0x0000000101132648 PacketListModel::ensureRowColorized(int) + 78 (qbytearray.h:427)
33 org.wireshark.Wireshark 0x00000001011327b8 PacketListModel::dissectIdle(bool) + 86 (packet_list_model.cpp:654)
34 org.wireshark.Wireshark 0x000000010118eb8c PacketListModel::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) + 488 (moc_packet_list_model.cpp:146)
35 QtCore 0x0000000108b63b6f QMetaObject::activate(QObject*, int, int, void**) + 1871
36 QtCore 0x0000000108b6a462 QSingleShotTimer::timerEvent(QTimerEvent*) + 50
37 QtCore 0x0000000108b5c9a3 QObject::event(QEvent*) + 51
38 QtWidgets 0x0000000107d8bffc QApplicationPrivate::notify_helper(QObject*, QEvent*) + 300
39 QtWidgets 0x0000000107d8eabb QApplication::notify(QObject*, QEvent*) + 6187
40 QtCore 0x0000000108b2f932 QCoreApplication::notifyInternal(QObject*, QEvent*) + 114
41 QtCore 0x0000000108b86196 QTimerInfoList::activateTimers() + 1302
42 libqcocoa.dylib 0x0000000109e9e855 QCocoaEventDispatcherPrivate::activateTimersSourceCallback(void*) + 21
43 com.apple.CoreFoundation 0x00007fff3fe25a61 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
44 com.apple.CoreFoundation 0x00007fff3fedf47c __CFRunLoopDoSource0 + 108
45 com.apple.CoreFoundation 0x00007fff3fe084c0 __CFRunLoopDoSources0 + 208
46 com.apple.CoreFoundation 0x00007fff3fe0793d __CFRunLoopRun + 1293
47 com.apple.CoreFoundation 0x00007fff3fe071a3 CFRunLoopRunSpecific + 483
48 com.apple.HIToolbox 0x00007fff3f0efd96 RunCurrentEventLoopInMode + 286
49 com.apple.HIToolbox 0x00007fff3f0efb06 ReceiveNextEventCommon + 613
50 com.apple.HIToolbox 0x00007fff3f0ef884 _BlockUntilNextEventMatchingListInModeWithFilter + 64
51 com.apple.AppKit 0x00007fff3d3a2a73 _DPSNextEvent + 2085
52 com.apple.AppKit 0x00007fff3db38e34 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
53 com.apple.AppKit 0x00007fff3d397885 -[NSApplication run] + 764
54 libqcocoa.dylib 0x0000000109e9f5e4 QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 2420
55 QtCore 0x0000000108b2c9ad QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 381
56 QtCore 0x0000000108b2fee7 QCoreApplication::exec() + 359
57 org.wireshark.Wireshark 0x0000000100dab2ce main + 4126 (wireshark-qt.cpp:909)
58 org.wireshark.Wireshark 0x0000000100daa004 start + 52
Jaap Keuter said: Problem still present in master HEAD as well.
dissect_coap() uses PINFO_FD_VISITED to determine if proto data needs to be added or is already present for the packet. This assumption is wrong; it should try to get the data, and if that fails, data should be allocated. Only then can you use the pointer.
The same problem occurs in packet-dmp.c (which triggers a DISSECTOR_ASSERT), in register_dmp_id().
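The two patterns contrasted in the comment above, as an added example that is not Wireshark's code or the merged patch: the frame struct, frame_get_data(), frame_add_data() and the coap_state payload are hypothetical stand-ins for per-packet proto data and the PINFO_FD_VISITED flag, and the frames are constructed.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins (hypothetical, not Wireshark's API): one per-packet
 * data slot plus the flag that PINFO_FD_VISITED would report. */
typedef struct { unsigned uses; } coap_state;
typedef struct { int visited; coap_state *proto_data; } frame;

static coap_state *frame_get_data(const frame *f) { return f->proto_data; }

static coap_state *frame_add_data(frame *f)
{
    f->proto_data = calloc(1, sizeof *f->proto_data);
    return f->proto_data;
}

/* Flawed: the visited flag decides whether the data exists. Yields NULL for
 * a frame that is marked visited but has nothing stored. */
static coap_state *state_by_visited_flag(frame *f)
{
    return f->visited ? frame_get_data(f) : frame_add_data(f);
}

/* Corrected: try to get the data, allocate if that fails, then use it. */
static coap_state *state_get_or_add(frame *f)
{
    coap_state *st = frame_get_data(f);
    if (st == NULL)
        st = frame_add_data(f);
    return st;
}

/* Runs both patterns on constructed frames; returns 1 when they behave as
 * described, 0 otherwise. */
int demo(void)
{
    frame fresh = { 0, NULL }, stale_a = { 1, NULL }, stale_b = { 1, NULL };
    coap_state *first = state_get_or_add(&stale_b);
    int ok = state_by_visited_flag(&fresh) != NULL    /* first pass works   */
          && state_by_visited_flag(&stale_a) == NULL  /* caller would crash */
          && first != NULL                            /* allocated on miss  */
          && state_get_or_add(&stale_b) == first;     /* reused afterwards  */
    free(fresh.proto_data);
    free(stale_b.proto_data);
    return ok;
}

int main(void) { return demo() ? 0 : 1; }
```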
Gerrit Code Review said: Change 28694 had a related patch set uploaded by Jaap Keuter: CoAP: handle per packet data properly
Gerrit Code Review said: Change 28694 merged by Roland Knall: CoAP: handle per packet data properly
Gerrit Code Review said: Change 28696 had a related patch set uploaded by Pascal Quantin: CoAP: handle per packet data properly
Gerrit Code Review said: Change 28696 merged by Pascal Quantin: CoAP: handle per packet data properly
Gerrit Code Review said: Change 28697 had a related patch set uploaded by Pascal Quantin: CoAP: handle per packet data properly
Gerrit Code Review said: Change 28697 merged by Pascal Quantin: CoAP: handle per packet data properly
- Wireshark GitLab Migration closed