Hello you all,
Still playing with Ethereal on my data, which today comes from a test
network where I am playing with some attack tools. And lo, ethereal
core dumps again.
[bonnetain@maquette]$ tethereal -v
tethereal 0.8.20, with GLib 1.2.6, with libpcap 0.6, with libz 1.1.3,
with CMU SNMP V1.14, Shared (1:14:0)
Beginning of stack backtrace is :
(gdb) where
#0  asn1_oid_value_decode (asn1=0xbffff10c, enc_len=2147483647,
    oid=0xbfffe8a4, len=0xbfffe8a8) at asn1.c:813
#1  0x8127392 in asn1_oid_decode (asn1=0xbffff10c, oid=0xbfffe8a4,
    len=0xbfffe8a8, nbytes=0xbfffe8f0) at asn1.c:878
#2  0x8102e1f in dissect_common_pdu (tvb=0x830b264, offset=27,
    pinfo=0x826d140, tree=0x0, asn1={tvb = 0x830b264, offset = 36},
    pdu_type=0, start=13) at packet-snmp.c:1225
#3  0x8103d3a in dissect_snmp_pdu (tvb=0x830b264, offset=0, pinfo=0x826d140,
    tree=0x0, proto_name=0x81d7402 "SNMP", proto=3061, ett=766)
    at packet-snmp.c:1825
#4  0x81044db in dissect_snmp (tvb=0x830b264, pinfo=0x826d140, tree=0x0)
    at packet-snmp.c:2138
#5  0x813a242 in dissector_try_port (sub_dissectors=0x82b6388, port=161,
    tvb=0x830b264, pinfo=0x826d140, tree=0x0) at packet.c:459
#6  0x810fe19 in decode_udp_ports (tvb=0x830b230, offset=8, pinfo=0x826d140,
    tree=0x0, uh_sport=1298, uh_dport=161) at packet-udp.c:102
#7  0x8110200 in dissect_udp (tvb=0x830b230, pinfo=0x826d140, tree=0x0)
    at packet-udp.c:227
#8  0x813a242 in dissector_try_port (sub_dissectors=0x8270e48, port=17,
    tvb=0x830b230, pinfo=0x826d140, tree=0x0) at packet.c:459
#9  0x80a0453 in dissect_ip (tvb=0x830b1fc, pinfo=0x826d140, tree=0x0)
    at packet-ip.c:1109
Looking at asn1_oid_value_decode, I have :
809 if (subid < 40) {
810 optr[0] = 0;
811 optr[1] = subid;
812 } else if (subid < 80) {
813 optr[0] = 1;
814 optr[1] = subid - 40;
815 } else {
And, otherwise it would not be fun :
(gdb) print optr
$4 = (subid_t *) 0x0
This seems to come from :
(gdb) list asn1_oid_value_decode
789 int
790 asn1_oid_value_decode ( ASN1_SCK *asn1, int enc_len, subid_t **oid, guint *len)
791 {
792 int ret;
793 int eoc;
794 subid_t subid;
795 guint size;
(gdb)
796 subid_t *optr;
797
798 eoc = asn1->offset + enc_len;
799 size = enc_len + 1;
800 *oid = g_malloc(size * sizeof(gulong));
801 optr = *oid;
Where I have, surprise surprise...
(gdb) print size
$5 = 2147483648
A little too big for anyone around here :-)
Since the g_malloc fails but the fail condition is not checked, I go
down the drain.
I have attached a mini-tcpdump file (two packets). The second packet is
the offending one.
Keep me posted as to a patch or any corrective action. I'll be delighted
to 1/ analyze my data 2/ help you enhance this great tool.
Sincerely,
-- Pierre-Yves Bonnetain
Consultant Sécurité -- B&A Consultants
Tél +33 (0) 563 277 241 -- Fax +33 (0) 563 277 245
Attachment:
sauve.pcap
Description: Binary data
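
The failure reported above (a declared length of 2147483647 feeding an unchecked allocation), handled defensively. This is an added example, not code from the original message or from Ethereal; the function names, the error codes and the uint32_t sub-identifier type are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

enum { OID_OK = 0, OID_ERR_LENGTH = -1, OID_ERR_NOMEM = -2, OID_ERR_TRUNCATED = -3 };
/* Read one base-128 sub-identifier, never reading at or past 'end'. */
static int subid_decode(const uint8_t *buf, size_t end, size_t *off, uint32_t *out)
{
    uint32_t v = 0;
    uint8_t b;
    do {
        if (*off >= end) return OID_ERR_TRUNCATED;
        b = buf[(*off)++];
        v = (v << 7) | (b & 0x7f);
    } while (b & 0x80);
    *out = v;
    return OID_OK;
}

/* Hypothetical bounds-checked counterpart of the decoder in the report. */
int oid_value_decode(const uint8_t *buf, size_t buf_len, size_t offset,
                     long enc_len, uint32_t **oid, size_t *len)
{
    *oid = NULL; *len = 0;
    /* The declared length comes from the packet: it must be positive and
       fit inside the bytes actually captured. */
    if (offset > buf_len || enc_len < 1 || (size_t)enc_len > buf_len - offset)
        return OID_ERR_LENGTH;
    size_t end = offset + (size_t)enc_len;
    size_t size = (size_t)enc_len + 1;       /* first byte yields two arcs */
    if (size > SIZE_MAX / sizeof(uint32_t))  /* byte count would wrap */
        return OID_ERR_LENGTH;
    uint32_t *optr = malloc(size * sizeof(uint32_t));
    if (optr == NULL)                        /* allocation result is checked */
        return OID_ERR_NOMEM;
    uint32_t subid;
    int ret = subid_decode(buf, end, &offset, &subid);
    if (ret == OID_OK) {
        if (subid < 40)      { optr[0] = 0; optr[1] = subid; }
        else if (subid < 80) { optr[0] = 1; optr[1] = subid - 40; }
        else                 { optr[0] = 2; optr[1] = subid - 80; }
        *len = 2;
        while (ret == OID_OK && offset < end)
            if ((ret = subid_decode(buf, end, &offset, &subid)) == OID_OK)
                optr[(*len)++] = subid;
    }
    if (ret != OID_OK) { free(optr); optr = NULL; *len = 0; }
    *oid = optr;
    return ret;
}
```

The caller owns *oid on success and releases it with free(); on any error *oid is NULL and *len is 0, so a dissector can flag the packet as malformed instead of dereferencing the result.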