HTTP3 crash in read_qpack_prefixed_integer
Summary
In the attached pcap wireshark crashes attempting to parse packet number 91.
It appears that this is a result of #19475 (closed) where wireshark thinks that the stream in packet 91 is the start of a QPACK stream rather than a continuation of one. I'm opening this bug though because wireshark still shouldn't be crashing on the malformed QPACK stream even when #19475 (closed) is fixed. A cursory glance makes me think it's just lack of bounds checking in dissect_http3_qpack_encoder_stream, where decoded is incremented without checking if it's past the buffer, and then read_qpack_prefixed_integer does a read before checking end. Didn't dive too deep into it though.
See backtrace:
#0 0x00007ffff01dbd64 in read_qpack_prefixed_integer
(buf=0x555569513b7e <error: Cannot access memory at address 0x555569513b7e>, end=0x5555595ede82 "\324\316\301W\236\333\367\226\212\357\036\37183y3\343Lj\257\367\305\332\373\376e\374\256\376Wvf\361\273\321<W{\037/=\353[\267\036{ɓl\375\370j\277\245iݽ\231\303\361Yfsg\254\375.\356\351\r\2158Hg\353\253a^\026<Q\356k6\315\356\271\t^\nszX\235\371\351\346\337|\375\372sfK\263\332·:=\207=\373\334y\311\315\f\340s\272:\344Y\311I\373\256,=\315u\343a\355\243\205Z\364\372\323\vzK\b4\356\311\371\222nm\343\375\361\372,\357\327\373\232z7Ù\0344\264\325\362\335g\177\355\245\353߯\357\346\257Ӣ\317<\261\307\333\302\033\275/|\263\367-\024k\212/"..., prefix=7, out_result=0x7fffffffb3f8, out_fin=0x7fffffffb39c, out_flag=0x7fffffffb3a4) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-http3.c:1455
#1 0x00007ffff01dc351 in dissect_http3_qpack_encoder_stream
(tvb=0x5555599f0db0, pinfo=0x7fffffffd708, tree=0x0, offset=0, qpack_buf=0x5555595edce0 "CUD\235\265j\323\034)\362*\337σ\3603_\301\247l\361\373\303\371\307\312Y\335\343\307\3422\365\323\324T\321\323\r\335Na\247g\345\363^\323{\221\272\006\321n\323?\215\372\371?\205\261\247K~/C\277~\3751]\177\213iw\214Z{\335x\334\034", remaining=418, http3_stream=0x555558df5e80) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-http3.c:1626
#2 0x00007ffff01dc8f9 in dissect_http3_qpack_enc (tvb=0x5555599f0db0, pinfo=0x7fffffffd708, tree=0x0, offset=0, stream_info=0x7fffffffb9f0, http3_stream=0x555558df5e80)
at /home/dexter/wireshark/wireshark/epan/dissectors/packet-http3.c:1730
#3 0x00007ffff01dce8b in dissect_http3_uni_stream (tvb=0x5555599f0db0, pinfo=0x7fffffffd708, tree=0x0, offset=0, stream_info=0x7fffffffb9f0, http3_stream=0x555558df5e80)
at /home/dexter/wireshark/wireshark/epan/dissectors/packet-http3.c:1847
#4 0x00007ffff01dd192 in dissect_http3 (tvb=0x5555599f0db0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffb9f0) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-http3.c:1937
#5 0x00007ffff166e9d8 in call_dissector_through_handle (handle=0x5555579417d0, tvb=0x5555599f0db0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffb9f0) at /home/dexter/wireshark/wireshark/epan/packet.c:857
#6 0x00007ffff166ec14 in call_dissector_work (handle=0x5555579417d0, tvb=0x5555599f0db0, pinfo=0x7fffffffd708, tree=0x0, add_proto_name=1, data=0x7fffffffb9f0) at /home/dexter/wireshark/wireshark/epan/packet.c:948
#7 0x00007ffff1673398 in call_dissector_only (handle=0x5555579417d0, tvb=0x5555599f0db0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffb9f0) at /home/dexter/wireshark/wireshark/epan/packet.c:3487
#8 0x00007ffff16733db in call_dissector_with_data (handle=0x5555579417d0, tvb=0x5555599f0db0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffb9f0) at /home/dexter/wireshark/wireshark/epan/packet.c:3500
#9 0x00007ffff0729642 in process_quic_stream (tvb=0x5555599f0e90, offset=6, pinfo=0x7fffffffd708, tree=0x0, quic_info=0x555558df1350, stream_info=0x7fffffffb9f0) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-quic.c:1474
#10 0x00007ffff07299ba in desegment_quic_stream (tvb=0x5555599f0e90, offset=6, length=418, pinfo=0x7fffffffd708, tree=0x0, quic_info=0x555558df1350, stream_info=0x7fffffffb9f0, stream=0x555558df5de0)
at /home/dexter/wireshark/wireshark/epan/dissectors/packet-quic.c:1624
#11 0x00007ffff0729f58 in dissect_quic_stream_payload (tvb=0x5555599f5b90, offset=6, length=418, pinfo=0x7fffffffd708, tree=0x0, quic_info=0x555558df1350, stream_info=0x7fffffffb9f0, stream=0x555558df5de0)
at /home/dexter/wireshark/wireshark/epan/dissectors/packet-quic.c:1823
#12 0x00007ffff072c124 in dissect_quic_frame_type (tvb=0x5555599f5b90, pinfo=0x7fffffffd708, quic_tree=0x0, offset=6, quic_info=0x555558df1350, quic_packet=0x555558e13658, from_server=0)
at /home/dexter/wireshark/wireshark/epan/dissectors/packet-quic.c:2484
#13 0x00007ffff072f31d in quic_process_payload
(tvb=0x5555599f67c0, pinfo=0x7fffffffd708, tree=0x0, ti=0x0, offset=10, quic_info=0x555558df1350, quic_packet=0x555558e13658, from_server=0, pp_cipher=0x555558df1428, first_byte=64 '@', pkn_len=1)
at /home/dexter/wireshark/wireshark/epan/dissectors/packet-quic.c:3525
#14 0x00007ffff073175d in dissect_quic_short_header (tvb=0x5555599f67c0, pinfo=0x7fffffffd708, quic_tree=0x0, dgram_info=0x555558e13650, quic_packet=0x555558e13658) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-quic.c:4201
#15 0x00007ffff0732abb in dissect_quic (tvb=0x5555599f6980, pinfo=0x7fffffffd708, tree=0x0, data=0x0) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-quic.c:4581
#16 0x00007ffff166e9d8 in call_dissector_through_handle (handle=0x55555797e0b0, tvb=0x5555599f6980, pinfo=0x7fffffffd708, tree=0x0, data=0x0) at /home/dexter/wireshark/wireshark/epan/packet.c:857
#17 0x00007ffff166ec14 in call_dissector_work (handle=0x55555797e0b0, tvb=0x5555599f6980, pinfo=0x7fffffffd708, tree=0x0, add_proto_name=1, data=0x0) at /home/dexter/wireshark/wireshark/epan/packet.c:948
#18 0x00007ffff1673398 in call_dissector_only (handle=0x55555797e0b0, tvb=0x5555599f6980, pinfo=0x7fffffffd708, tree=0x0, data=0x0) at /home/dexter/wireshark/wireshark/epan/packet.c:3487
#19 0x00007ffff1655143 in try_conversation_call_dissector_helper (conversation=0x555558df0f60, dissector_success=0x7fffffffbf4c, tvb=0x5555599f6980, pinfo=0x7fffffffd708, tree=0x0, data=0x0)
at /home/dexter/wireshark/wireshark/epan/conversation.c:1593
#20 0x00007ffff1655246 in try_conversation_dissector (addr_a=0x7fffffffd7f0, addr_b=0x7fffffffd7d8, ctype=CONVERSATION_UDP, port_a=443, port_b=33488, tvb=0x5555599f6980, pinfo=0x7fffffffd708, tree=0x0, data=0x0, options=196608)
at /home/dexter/wireshark/wireshark/epan/conversation.c:1627
#21 0x00007ffff0a636ff in decode_udp_ports (tvb=0x5555599f5a40, offset=8, pinfo=0x7fffffffd708, udp_tree=0x0, uh_sport=33488, uh_dport=443, uh_ulen=482) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-udp.c:608
#22 0x00007ffff0a65ac7 in dissect (tvb=0x5555599f5a40, pinfo=0x7fffffffd708, tree=0x0, ip_proto=17) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-udp.c:1281
#23 0x00007ffff0a65b1c in dissect_udp (tvb=0x5555599f5a40, pinfo=0x7fffffffd708, tree=0x0, data=0x5555595ed910) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-udp.c:1287
#24 0x00007ffff166e9d8 in call_dissector_through_handle (handle=0x5555579915a0, tvb=0x5555599f5a40, pinfo=0x7fffffffd708, tree=0x0, data=0x5555595ed910) at /home/dexter/wireshark/wireshark/epan/packet.c:857
#25 0x00007ffff166ec14 in call_dissector_work (handle=0x5555579915a0, tvb=0x5555599f5a40, pinfo=0x7fffffffd708, tree=0x0, add_proto_name=1, data=0x5555595ed910) at /home/dexter/wireshark/wireshark/epan/packet.c:948
#26 0x00007ffff166ff7d in dissector_try_uint_new (sub_dissectors=0x7fff8019b9c0, uint_val=17, tvb=0x5555599f5a40, pinfo=0x7fffffffd708, tree=0x0, add_proto_name=1, data=0x5555595ed910)
at /home/dexter/wireshark/wireshark/epan/packet.c:1581
#27 0x00007ffff02a3cdb in ip_try_dissect (heur_first=0, nxt=17, tvb=0x5555599f5a40, pinfo=0x7fffffffd708, tree=0x0, iph=0x5555595ed910) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-ip.c:1822
#28 0x00007ffff02a57c5 in dissect_ip_v4 (tvb=0x5555599f69f0, pinfo=0x7fffffffd708, parent_tree=0x0, data=0x0) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-ip.c:2328
#29 0x00007ffff166e9d8 in call_dissector_through_handle (handle=0x555557af8620, tvb=0x5555599f69f0, pinfo=0x7fffffffd708, tree=0x0, data=0x0) at /home/dexter/wireshark/wireshark/epan/packet.c:857
#30 0x00007ffff166ec14 in call_dissector_work (handle=0x555557af8620, tvb=0x5555599f69f0, pinfo=0x7fffffffd708, tree=0x0, add_proto_name=1, data=0x0) at /home/dexter/wireshark/wireshark/epan/packet.c:948
#31 0x00007ffff166ff7d in dissector_try_uint_new (sub_dissectors=0x7fff8010ee00, uint_val=2048, tvb=0x5555599f69f0, pinfo=0x7fffffffd708, tree=0x0, add_proto_name=1, data=0x0) at /home/dexter/wireshark/wireshark/epan/packet.c:1581
#32 0x00007ffff166ffd7 in dissector_try_uint (sub_dissectors=0x7fff8010ee00, uint_val=2048, tvb=0x5555599f69f0, pinfo=0x7fffffffd708, tree=0x0) at /home/dexter/wireshark/wireshark/epan/packet.c:1605
#33 0x00007ffff001869b in dissect_ethertype (tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffc8a0) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-ethertype.c:297
#34 0x00007ffff166e9d8 in call_dissector_through_handle (handle=0x5555578444b0, tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffc8a0) at /home/dexter/wireshark/wireshark/epan/packet.c:857
#35 0x00007ffff166ec14 in call_dissector_work (handle=0x5555578444b0, tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, tree=0x0, add_proto_name=1, data=0x7fffffffc8a0) at /home/dexter/wireshark/wireshark/epan/packet.c:948
#36 0x00007ffff1673398 in call_dissector_only (handle=0x5555578444b0, tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffc8a0) at /home/dexter/wireshark/wireshark/epan/packet.c:3487
#37 0x00007ffff16733db in call_dissector_with_data (handle=0x5555578444b0, tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffc8a0) at /home/dexter/wireshark/wireshark/epan/packet.c:3500
#38 0x00007ffff0016c1b in dissect_eth_common (tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, parent_tree=0x0, fcs_len=-1) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-eth.c:531
#39 0x00007ffff0017720 in dissect_eth (tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffda10) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-eth.c:890
#40 0x00007ffff166e9d8 in call_dissector_through_handle (handle=0x555557ac3ae0, tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffda10) at /home/dexter/wireshark/wireshark/epan/packet.c:857
#41 0x00007ffff166ec14 in call_dissector_work (handle=0x555557ac3ae0, tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, tree=0x0, add_proto_name=1, data=0x7fffffffda10) at /home/dexter/wireshark/wireshark/epan/packet.c:948
#42 0x00007ffff1673398 in call_dissector_only (handle=0x555557ac3ae0, tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffda10) at /home/dexter/wireshark/wireshark/epan/packet.c:3487
#43 0x00007ffff0079c2c in dissect_frame (tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, parent_tree=0x0, data=0x7fffffffd130) at /home/dexter/wireshark/wireshark/epan/dissectors/packet-frame.c:1291
#44 0x00007ffff166e9d8 in call_dissector_through_handle (handle=0x55555791f580, tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffd130) at /home/dexter/wireshark/wireshark/epan/packet.c:857
#45 0x00007ffff166ec14 in call_dissector_work (handle=0x55555791f580, tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, tree=0x0, add_proto_name=1, data=0x7fffffffd130) at /home/dexter/wireshark/wireshark/epan/packet.c:948
#46 0x00007ffff1673398 in call_dissector_only (handle=0x55555791f580, tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffd130) at /home/dexter/wireshark/wireshark/epan/packet.c:3487
#47 0x00007ffff16733db in call_dissector_with_data (handle=0x55555791f580, tvb=0x5555599fa0e0, pinfo=0x7fffffffd708, tree=0x0, data=0x7fffffffd130) at /home/dexter/wireshark/wireshark/epan/packet.c:3500
#48 0x00007ffff166e00b in dissect_record (edt=0x7fffffffd6f0, file_type_subtype=0, rec=0x7fffffffd9c0, tvb=0x5555599fa0e0, fd=0x5555595d5800, cinfo=0x0) at /home/dexter/wireshark/wireshark/epan/packet.c:661
#49 0x00007ffff165d484 in epan_dissect_run_with_taps (edt=0x7fffffffd6f0, file_type_subtype=0, rec=0x7fffffffd9c0, tvb=0x5555599fa0e0, fd=0x5555595d5800, cinfo=0x0) at /home/dexter/wireshark/wireshark/epan/epan.c:657
#50 0x0000555555d3b11e in add_packet_to_packet_list (fdata=0x5555595d5800, cf=0x5555562f9ca0 <cfile>, edt=0x7fffffffd6f0, dfcode=0x0, cinfo=0x0, rec=0x7fffffffd9c0, buf=0x7fffffffd6b0, add_to_packet_list=1)
at /home/dexter/wireshark/wireshark/file.c:1237
#51 0x0000555555d3b69c in read_record (cf=0x5555562f9ca0 <cfile>, rec=0x7fffffffd9c0, buf=0x7fffffffd6b0, dfcode=0x0, edt=0x7fffffffd6f0, cinfo=0x0, offset=37676, frame_dup_cache=0x7fffffffd6d0, frame_cksum=0x0)
at /home/dexter/wireshark/wireshark/file.c:1363
#52 0x0000555555d39e9e in cf_read (cf=0x5555562f9ca0 <cfile>, reloading=0) at /home/dexter/wireshark/wireshark/file.c:665
#53 0x0000555555a77a59 in WiresharkMainWindow::openCaptureFile(QString, QString, unsigned int, int) (this=0x5555563cd2f0, cf_path=..., read_filter=..., type=0, is_tempfile=0)
at /home/dexter/wireshark/wireshark/ui/qt/wireshark_main_window_slots.cpp:265
#54 0x00005555558d58d0 in main(int, char**) (argc=2, qt_argv=0x7fffffffe2b8) at /home/dexter/wireshark/wireshark/ui/qt/main.cpp:1032
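The bounds checks the description above points at, as an added example in C. This is not Wireshark's code: the function and type names (read_prefixed_integer, decode_sequence, qpi_status) are illustrative, and the byte vectors are taken from RFC 7541 Appendix C.1 (the QPACK integer encoding in RFC 9204 is the same one). The reader checks the buffer end before every single read, so a truncated integer reports QPI_TRUNCATED instead of reading past the buffer, and the sequence walker only advances by what a successful decode actually consumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    QPI_OK = 0,
    QPI_TRUNCATED,   /* buffer ended before the integer did */
    QPI_OVERFLOW,    /* more continuation bytes than fit in 64 bits */
    QPI_BAD_PREFIX   /* prefix length must be 1..8 bits */
} qpi_status;

/* Decode one N-bit prefixed integer (RFC 7541 s5.1 / RFC 9204 s4.1.1) from
 * [buf, end). Every byte is checked against end before it is read, so a
 * truncated encoding is reported rather than read past the buffer.
 * On QPI_OK, *out_consumed is the number of bytes used. */
qpi_status read_prefixed_integer(const uint8_t *buf, const uint8_t *end,
                                 unsigned prefix, uint64_t *out_value,
                                 size_t *out_consumed)
{
    if (prefix < 1 || prefix > 8)
        return QPI_BAD_PREFIX;
    if (buf == NULL || end == NULL || buf >= end)   /* check BEFORE the first read */
        return QPI_TRUNCATED;

    const uint8_t *p = buf;
    uint64_t mask = (1u << prefix) - 1;             /* 2^N - 1 */
    uint64_t value = *p++ & mask;                    /* flag bits above the prefix are ignored */
    if (value < mask) {                              /* value fits in the prefix itself */
        *out_value = value;
        *out_consumed = 1;
        return QPI_OK;
    }

    /* Continuation bytes: 7 value bits each, least significant group first,
     * MSB set means another byte follows. */
    unsigned shift = 0;
    for (;;) {
        if (p >= end)                                /* re-check before EVERY read */
            return QPI_TRUNCATED;
        if (shift > 56)                              /* a 10th group cannot fit in 64 bits */
            return QPI_OVERFLOW;
        uint8_t b = *p++;
        value += (uint64_t)(b & 0x7f) << shift;
        if ((b & 0x80) == 0)
            break;
        shift += 7;
    }
    *out_value = value;
    *out_consumed = (size_t)(p - buf);
    return QPI_OK;
}

/* Walk back-to-back integers (the shape of a stream of instructions),
 * advancing only by what each decode consumed. Returns the number of
 * complete integers decoded; *last reports why the walk stopped. */
size_t decode_sequence(const uint8_t *buf, size_t len, unsigned prefix,
                       uint64_t *values, size_t max_values, qpi_status *last)
{
    const uint8_t *p = buf, *end = buf + len;
    size_t n = 0, consumed = 0;
    *last = QPI_OK;
    while (p < end && n < max_values) {
        *last = read_prefixed_integer(p, end, prefix, &values[n], &consumed);
        if (*last != QPI_OK)
            break;                                   /* partial trailing integer: stop, do not overrun */
        p += consumed;
        n++;
    }
    return n;
}

/* Small helpers so a single decode's status or value can be checked directly. */
qpi_status decode_status(const uint8_t *bytes, size_t len, unsigned prefix)
{
    uint64_t v = 0; size_t n = 0;
    return read_prefixed_integer(bytes, bytes + len, prefix, &v, &n);
}
uint64_t decode_value(const uint8_t *bytes, size_t len, unsigned prefix)
{
    uint64_t v = 0; size_t n = 0;
    return read_prefixed_integer(bytes, bytes + len, prefix, &v, &n) == QPI_OK ? v : UINT64_MAX;
}

int main(void)
{
    /* RFC 7541 Appendix C.1: 1337 with a 5-bit prefix encodes as 1f 9a 0a. */
    const uint8_t v1337[] = { 0x1f, 0x9a, 0x0a };
    printf("1337 -> %llu\n", (unsigned long long)decode_value(v1337, sizeof v1337, 5));
    /* The same bytes cut short: truncation is reported instead of reading on. */
    printf("truncated -> status %d (QPI_TRUNCATED=%d)\n", decode_status(v1337, 2, 5), QPI_TRUNCATED);
    return 0;
}
```

The two checks that matter are the `buf >= end` test before the first byte is touched and the `p >= end` test at the top of every continuation iteration; a dissector that only validates after the read, or that advances its offset by a fixed amount rather than by the consumed count, still walks off a truncated stream.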
Steps to reproduce
Open attached pcap.
What is the current bug behavior?
Crash.
What is the expected correct behavior?
No crash.
Sample capture file
Build information
Version 4.3.0 (v4.3.0rc0-821-gcbc2cd039d15).
Compiled (64-bit) using GCC 13.2.1 20230801, with GLib 2.78.1, with Qt 6.6.0,
with libpcap, with POSIX capabilities (Linux), with libnl 3, with zlib 1.3, with
PCRE2, with Lua 5.2.4, with GnuTLS 3.8.2 and PKCS #11 support, with Gcrypt
1.10.3-unknown, with Kerberos (MIT), with MaxMind, with nghttp2 1.58.0, with
nghttp3 1.1.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2
2.12.1, without libsmi, with QtMultimedia, without automatic updates, with
Minizip, with binary plugins, debug build.
Running on Linux 6.6.2-arch1-1, with AMD Ryzen 9 7950X 16-Core Processor (with
SSE4.2), with 63435 MB of physical memory, with GLib 2.78.1, with Qt 6.6.0, with
libpcap 1.10.4 (with TPACKET_V3), with zlib 1.3, with PCRE2 10.42 2022-12-11,
with c-ares 1.22.1, with GnuTLS 3.8.2, with Gcrypt 1.10.3-unknown, with nghttp2
1.58.0, with nghttp3 1.1.0, with brotli 1.1.0, with LZ4 1.9.4, with Zstandard
1.5.5, with dark display mode, without HiDPI, with Xorg, with QPA plugin "xcb",
with LC_TYPE=en_US.UTF-8, binary plugins supported.