I'm experiencing a segfault with Ethereal from SVN as of this morning.
When I apply a 40-bit WEP key and change the key index count to apply
the key, Ethereal segfaults.
Here is the backtrace:
jwright@mercury:~$ gdb `which ethereal`
GNU gdb 6.1.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...Using host
libthread_db library "/lib/libthread_db.so.1".
(gdb) run
Starting program: /usr/local/bin/ethereal
Program received signal SIGSEGV, Segmentation fault.
0x4032cff2 in dissect_ieee80211_common (tvb=0x83b32b0, pinfo=0x83f7010,
tree=0x8429c98, fixed_length_header=0, has_radio_information=64,
fcs_len=-1, wlan_broken_fc=0) at packet-ieee80211.c:3306
3306 keylen = wep_keylens[keyidx];
(gdb) bt
#0 0x4032cff2 in dissect_ieee80211_common (tvb=0x83b32b0, pinfo=0x83f7010,
tree=0x8429c98, fixed_length_header=0, has_radio_information=64,
fcs_len=-1, wlan_broken_fc=0) at packet-ieee80211.c:3306
#1 0x4032d6b1 in dissect_ieee80211 (tvb=0xffffffff, pinfo=0x0,
tree=0x8429c98) at packet-ieee80211.c:2513
#2 0x4019322d in call_dissector_through_handle (handle=0x82531f8,
tvb=0x83b32b0, pinfo=0x83f7010, tree=0x8429c98) at packet.c:365
#3 0x4019349c in call_dissector_work (handle=0x82531f8, tvb=0x83b32b0,
pinfo=0x83f7010, tree=0x8429c98) at packet.c:515
#4 0x40193e2f in dissector_try_port (sub_dissectors=0xffffffff, port=20,
tvb=0x83b32b0, pinfo=0x83f7010, tree=0x8429c98) at packet.c:778
#5 0x402bcaa8 in dissect_frame (tvb=0x83b32b0, pinfo=0x83f7010,
tree=0x8429c98) at packet-frame.c:184
#6 0x4019322d in call_dissector_through_handle (handle=0x82470f8,
tvb=0x83b32b0, pinfo=0x83f7010, tree=0x8429c98) at packet.c:365
#7 0x4019349c in call_dissector_work (handle=0x82470f8, tvb=0x83b32b0,
pinfo=0x83f7010, tree=0x8429c98) at packet.c:515
#8 0x4019361a in call_dissector (handle=0xffffffff, tvb=0x83b32b0,
pinfo=0x83f7010, tree=0x8429c98) at packet.c:1616
#9 0x4019394f in dissect_packet (edt=0x83f7008, pseudo_header=0xffffffff,
pd=0x811e058 "\bA:\001", fd=0x8416218, cinfo=0x83f7010) at packet.c:313
#10 0x4019185c in epan_dissect_run (edt=0x83f7008, pseudo_header=0x811dfc8,
data=0x811e058 "\bA:\001", fd=0x8416218, cinfo=0x0) at epan.c:153
(gdb)
I've attached the capture file I'm using to reproduce this error. The
WEP key is 0e:f0:a8:95:05.
I'll see if I can figure out where this is going wrong, but I'm kind of
pressed for time on another project. Thanks,
-Josh
--
-Joshua Wright
jwright@xxxxxxxxxxx
http://home.jwu.edu/jwright/
pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
Today I stumbled across the world's largest hotspot. The SSID is "linksys".
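The faulting line in the backtrace, `keylen = wep_keylens[keyidx];`, indexes the key-length table with a key index taken from the frame. The constructed C snippet below is an added illustration, not code from Ethereal or from this report: it shows the bounds check a dissector needs at that point, on the assumption that the crash is an out-of-range index. The names `wep_keylens` and `keyidx` come from the backtrace; `MAX_WEP_KEYS`, `num_wep_keys`, `set_wep_key_count`, `wep_key_index`, `wep_key_length` and the table contents are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example (not Ethereal's code): a key-length table like the
 * wep_keylens[] the backtrace indexes, plus the configured key count that
 * the user changes in the preferences dialog. */
#define MAX_WEP_KEYS 4          /* 802.11 KeyID field is two bits: 0..3 */

/* Key length in bytes per slot; 0 marks an unused slot. Slot 0 holds the
 * 40-bit (5-byte) key from the report, the rest are empty (constructed). */
static size_t wep_keylens[MAX_WEP_KEYS] = { 5, 0, 0, 0 };
static size_t num_wep_keys = 1; /* how many slots the user configured */

/* Apply a new key count from the preferences; clamp so the count can
 * never exceed the table, even if the UI hands over a larger value. */
void set_wep_key_count(size_t n)
{
    num_wep_keys = (n > MAX_WEP_KEYS) ? MAX_WEP_KEYS : n;
}

/* KeyID is bits 6-7 of the fourth IV byte of a WEP-protected frame. */
unsigned wep_key_index(uint8_t keyid_byte)
{
    return (unsigned)(keyid_byte >> 6);
}

/* Key length for the frame's KeyID, or 0 if no key is configured there.
 * Both bounds are checked before touching the table: the frame is
 * untrusted input, and the user may have shrunk the key list after the
 * capture was loaded. */
size_t wep_key_length(uint8_t keyid_byte)
{
    unsigned keyidx = wep_key_index(keyid_byte);
    if (keyidx >= MAX_WEP_KEYS || keyidx >= num_wep_keys)
        return 0;               /* unknown key: leave frame undecrypted */
    return wep_keylens[keyidx];
}

int main(void)
{
    /* Constructed KeyID bytes: index 0 (configured) and index 2 (not). */
    printf("keyid 0 -> %zu bytes\n", wep_key_length(0x00));
    printf("keyid 2 -> %zu bytes\n", wep_key_length(0x80));
    return 0;
}
```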