Wireshark and tshark become non-responsive when reading certain packets
Summary
Wireshark and tshark become non-responsive when reading certain types of packets.
Steps to reproduce
One must use a version of Wireshark that includes commit bf26f538 - "wiretap: Do not silently limit capture length".
When working with the attached pcap file (packet_that_causes_the_sharks_to_lock_up.pcap), the non-responsive behavior is easier to deal with if Wireshark or tshark is started in a CLI:
- First verify that the pcap can be successfully displayed if the "smtp" dissector is disabled:
  % wireshark --disable-protocol smtp -r packet_that_causes_the_sharks_to_lock_up.pcap
  or
  % tshark --disable-protocol smtp -r packet_that_causes_the_sharks_to_lock_up.pcap
- Now attempt to read the pcap with the smtp dissector enabled:
  % wireshark --enable-protocol smtp -r packet_that_causes_the_sharks_to_lock_up.pcap
  or
  % tshark --enable-protocol smtp -r packet_that_causes_the_sharks_to_lock_up.pcap
When the smtp dissector is enabled, Wireshark or tshark will need to be terminated manually (Ctrl-C, Ctrl-Break, abort, Force Quit, TaskManager, etc).
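The manual termination step above can be automated for triage. The following is an added example, not part of this report or of the Wireshark project: a POSIX shell wrapper that runs tshark under coreutils `timeout`, so a dissector that never returns is killed after a fixed budget and reported as a hang rather than left for Ctrl-C. The function names (`classify_status`, `run_bounded`, `check_pcap`, `find_hanging_protocol`) are this example's own; it assumes `timeout` is present and that `tshark` is on PATH when it is used for real. `find_hanging_protocol` generalizes the report's own technique of disabling one dissector at a time to a list of candidates.

```shell
#!/bin/sh
# Added example (not from the Wireshark issue or project): bound tshark runs with
# a timeout so a hung dissector is detected automatically instead of by hand.

# Map an exit status to a triage verdict.
#   0        -> ok     (tshark finished normally)
#   124      -> hang   (coreutils `timeout` had to kill the child)
#   129..192 -> crash  (child died from signal: 128 + signal number, e.g. 134 = SIGABRT)
#   anything else -> error (bad arguments, unreadable file, ...)
classify_status() {
    s=$1
    if [ "$s" -eq 0 ]; then
        echo ok
    elif [ "$s" -eq 124 ]; then
        echo hang
    elif [ "$s" -ge 129 ] && [ "$s" -le 192 ]; then
        echo crash
    else
        echo error
    fi
}

# run_bounded LIMIT CMD [ARGS...]: run CMD under a time limit (seconds or
# `timeout`-style durations such as 10s) and print the verdict for its exit status.
# The `|| status=$?` form keeps this safe under `set -e`.
run_bounded() {
    limit=$1
    shift
    status=0
    timeout "$limit" "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# check_pcap LIMIT PCAP [TSHARK_ARGS...]: read one capture with tshark within LIMIT.
# Example: check_pcap 10 packet_that_causes_the_sharks_to_lock_up.pcap
check_pcap() {
    limit=$1
    pcap=$2
    shift 2
    run_bounded "$limit" tshark -r "$pcap" "$@"
}

# find_hanging_protocol LIMIT PCAP PROTO...: re-read the capture once per candidate
# dissector with that dissector disabled and print "<proto> <verdict>". A line that
# reads "ok" while the unmodified run hangs names the dissector that locks up.
# Example: find_hanging_protocol 10 capture.pcap smtp imap pop
find_hanging_protocol() {
    limit=$1
    pcap=$2
    shift 2
    for proto in "$@"; do
        verdict=$(check_pcap "$limit" "$pcap" --disable-protocol "$proto")
        printf '%s\t%s\n' "$proto" "$verdict"
    done
}

# When invoked directly with a capture path and tshark is installed, report the
# verdict for the unmodified read; otherwise just define the functions above.
if [ "${1:-}" != "" ] && command -v tshark >/dev/null 2>&1; then
    printf 'baseline\t%s\n' "$(check_pcap 10 "$1")"
fi
```

A `hang` verdict from `check_pcap` is the automated equivalent of the "needs to be terminated manually" observation in the steps above; the time budget should be generous enough that a legitimately large capture is not misreported.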
What is the current bug behavior?
Wireshark and tshark become completely non-responsive when they encounter certain packet payloads.
What is the expected correct behavior?
Wireshark and tshark should dissect all the packets.
Sample capture file
Single-packet pcap that can trigger wireshark and tshark to lock up when the smtp dissector is enabled:
packet_that_causes_the_sharks_to_lock_up.pcap
Relevant logs and/or screenshots
$ time tshark --disable-protocol smtp -r packet_that_causes_the_sharks_to_lock_up.pcap
1 0.000000 0.000000 104.47.74.171 → 10.250.8.181 TCP 0 108 ·······AP··· 40933 → 25 [PSH, ACK] Seq=1 Ack=1 Win=2052 Len=52
real 0m0.251s
user 0m0.190s
sys 0m0.060s
$ time tshark --enable-protocol smtp -r packet_that_causes_the_sharks_to_lock_up.pcap
<After about 10 seconds a CTRL-\ sequence was entered into the Terminal window>
^\Quit: 3
real 0m10.623s
user 0m10.564s
sys 0m0.055s
bash-3.2$
Build information
Wireshark 4.1.0rc0-145-g1940fd0d14aa (v4.1.0rc0-145-g1940fd0d14aa).
Copyright 1998-2022 Gerald Combs <gerald@wireshark.org> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using Clang 11.0.0 (clang-1100.0.33.16), with GLib 2.68.4,
with PCRE2, with zlib 1.2.11, with Qt 6.2.4, with libpcap, without POSIX
capabilities, with Lua 5.2.4, with GnuTLS 3.6.15 and PKCS #11 support, with
Gcrypt 1.8.7, with Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with
brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9, with libsmi
0.4.8, with QtMultimedia, with automatic updates using Sparkle, with SpeexDSP
(using system library), with Minizip, with binary plugins.
Running on Mac OS X 10.16, build 21G83 (Darwin 21.6.0), with Intel(R) Core(TM)
i9-9880H CPU @ 2.30GHz (with SSE4.2), with 16384 MB of physical memory, with
GLib 2.68.4, with PCRE2 10.39 2021-10-29, with zlib 1.2.11, with Qt 6.2.4, with
libpcap 1.9.1, with c-ares 1.15.0, with GnuTLS 3.6.15, with Gcrypt 1.8.7, with
nghttp2 1.46.0, with brotli 1.0.9, with LZ4 1.9.2, with Zstandard 1.4.2, with
libsmi 0.4.8, with LC_TYPE=en_US.UTF-8, binary plugins supported.