Wireshark-bugs: [Wireshark-bugs] [Bug 6707] New: Decoding IE_ID on WiFi adapter
Date: Wed, 4 Jan 2012 06:09:00 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6707

           Summary: Decoding IE_ID on WiFi adapter
           Product: Wireshark
           Version: SVN
          Platform: x86
        OS/Version: Windows XP
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: gvanem@xxxxxxxxxxxx

Build Information:
Didn't build wireshark.exe myself. I made a fresh install from
http://www.wireshark.org/download/automated/win32/wireshark-win32-1.7.1-SVN-40367.exe
Also had the matching .pdb files installed.
--
WS crashes inside gtk/capture_if_details_dlg_win32.c while decoding some IE_ID
(Information Elements) of my 2nd WiFi adapter. I have 2 (from windump -Dv):

1: \\.\airpcap00
   Descr: AirPcap USB wireless capture adapter nr. 00
...
5: \Device\NPF_{37FC13D9-2F52-47CA-AB64-32B2B434C749}
   Descr: Realtek RTL8187 Wireless LAN USB NIC

Steps:
1) Start wireshark.exe from 4NT console.
2) Select "Airpcap USB wireless capture adapter nr. 00" (\\.\airpcap00) and
   start capturing. Let it run for approx. 5 min.
3) Open menu "Capture | Interfaces" and press the "details" button of my *2nd*
   wireless adapter "Realtek RTL8187 Wireless LAN USB NIC".
4) Crash trapped by WinDbg (my JIT-debugger) indicates a read out-of-bounds:

(17e4.3e8): Access violation - code c0000005 (!!! second chance !!!)
eax=05036000 ebx=00000000 ecx=05035f00 edx=05036000 esi=04d2ccf8 edi=0012f198
eip=0047df4e esp=0012c6d4 ebp=0012eb40 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
wireshark!capture_if_details_802_11_bssid_list+0x33e:
0047df4e 0fb608          movzx   ecx,byte ptr [eax]        ds:0023:05036000=??
Stack-dump:
wireshark!capture_if_details_802_11_bssid_list(struct _GtkWidget * main_vb = 0x049b6e70, struct ndis_bssid_list * bssid_list = 0x04f2f670)+0x33e
wireshark!capture_if_details_802_11(struct _GtkWidget * table = 0x04a4e068, struct _GtkWidget * main_vb = 0x049b6e70, unsigned int * row = 0x0012f05c, struct _ADAPTER * adapter = 0x001750a8)+0x6a5
wireshark!capture_if_details_open_win(char * iface = 0x04ca8b80 "\Device\NPF_{37FC13D9-2F52-47CA-AB64-32B2B434C749}")+0x2b0
wireshark!capture_if_details_open(char * iface = 0x04ca8b80 "\Device\NPF_{37FC13D9-2F52-47CA-AB64-32B2B434C749}")+0x153
wireshark!capture_details_cb(struct _GtkWidget * details_bt = 0x049d0b20, void * if_data = 0x04c93860)+0x16
WARNING: Stack unwind information not available. Following frames may be wrong.
libgobject_2_0_0!g_closure_invoke+0x19a
libgobject_2_0_0!g_signal_handler_disconnect+0x1440
libgobject_2_0_0!g_signal_emit_valist+0x6f6
libgobject_2_0_0!g_signal_emit+0x26
libgtk_win32_2_0_0!gtk_button_clicked+0x69
libgtk_win32_2_0_0!gtk_button_get_alignment+0x44c
libgobject_2_0_0!g_closure_invoke+0x19a
libgobject_2_0_0!g_signal_handler_disconnect+0xc9c
libgobject_2_0_0!g_signal_emit_valist+0x6f6
libgobject_2_0_0!g_signal_emit+0x26
libgtk_win32_2_0_0!gtk_button_released+0x69
libgtk_win32_2_0_0!gtk_button_released+0xa4
libgtk_win32_2_0_0!gtk_marshal_VOID__UINT_STRING+0x136
libgobject_2_0_0!g_closure_invoke+0x19a
libgobject_2_0_0!g_signal_handler_disconnect+0x1278
libgobject_2_0_0!g_signal_emit_valist+0x51e
libgobject_2_0_0!g_signal_emit+0x26
libgtk_win32_2_0_0!gtk_widget_get_realized+0x21b
libgtk_win32_2_0_0!gtk_propagate_event+0xb3
libgtk_win32_2_0_0!gtk_main_do_event+0x207
libgdk_win32_2_0_0!gdk_event_get_graphics_expose+0x39db
libglib_2_0_0!g_main_context_dispatch+0x19b
libglib_2_0_0!g_main_context_dispatch+0x9b5
libglib_2_0_0!g_main_loop_run+0x161
libgtk_win32_2_0_0!gtk_main+0xa0
wireshark!main(int argc = 0n0, char ** argv = 0x02f19d74)+0x17fa
wireshark!WinMain(struct HINSTANCE__ * hInstance = 0x00400000, struct HINSTANCE__ * hPrevInstance = 0x00000000, char * lpszCmdLine = 0x00152306 "", int nCmdShow = 0n10)+0x6b
wireshark!__tmainCRTStartup(void)+0x140
kernel32!BaseProcessStart+0x23

Output of ".dump /m wireshark.dmp" is here:
http://home.broadpark.no/~gvanem/misc/wireshark.dmp

Offending code in capture_if_details_802_11_bssid_list():

    while(len >= 2) {
        id = *iep;
        iep++;
        el_len = *iep;    !! <<< eax=05036000 which looks suspiciously high.
        iep++;
        len-=2;

The crash is 100% reproducible.

--gv, gvanem@xxxxxxxxxxxx

--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
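The out-of-bounds read reported above is the classic TLV-walk failure: the loop checks that two header bytes remain, then trusts the element's declared length when it advances. The C program below is an added example, not Wireshark's code and not its fix for this bug. It walks a constructed 802.11 information-element stream (1-byte ID, 1-byte length, then the value) with a bounds-checked loop, and next to it simulates the unchecked pattern with an unsigned remaining-length counter, reporting the offset at which a real implementation would first read past the buffer instead of actually reading there. The sample IE bytes are made up for the example, and the assumption that the remaining-length counter is unsigned (so that an oversized element wraps it and keeps `len >= 2` true) is mine, not something the report states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 information elements (IEs) are a TLV stream: 1-byte element ID,
 * 1-byte length, then `length` bytes of value.  An NDIS BSSID list carries
 * such a stream per BSS, and its length is whatever the driver reports. */

struct ie_walk_result {
    size_t ies_complete;   /* IEs whose value lay fully inside the buffer     */
    int    truncated;      /* 1 if an IE declared more bytes than remained    */
    size_t overrun_bytes;  /* how far past the end that declared length reaches */
};

/* Bounds-checked walk.  Every access is validated against the bytes that are
 * actually left before the pointer advances.  Returns 0 on a clean walk, -1
 * if the stream ends in the middle of an IE (treat as malformed and stop;
 * never let a declared length move the pointer past `end`). */
int ie_walk_checked(const uint8_t *buf, size_t buflen, struct ie_walk_result *out)
{
    const uint8_t *p = buf;
    const uint8_t *end = buf + buflen;

    memset(out, 0, sizeof *out);
    while ((size_t)(end - p) >= 2) {            /* room for ID + length?   */
        uint8_t el_len = p[1];                  /* p[0] is the element ID  */
        p += 2;
        if ((size_t)(end - p) < el_len) {       /* value would run past end */
            out->truncated = 1;
            out->overrun_bytes = el_len - (size_t)(end - p);
            return -1;
        }
        p += el_len;                            /* value bytes are in bounds */
        out->ies_complete++;
    }
    return 0;
}

/* Simulation of the unchecked pattern (an assumption about its shape, not the
 * project's code): the only guard is `len >= 2`, and `len` is decremented
 * blindly by the declared element length.  With an unsigned counter, an
 * element claiming more than remains wraps `len` to a huge value, the guard
 * stays true, and the next header read lands outside the buffer.  Memory
 * reads are replaced by offset checks so the simulation cannot fault itself;
 * it returns the offset of the first byte a real implementation would read
 * out of bounds, or SIZE_MAX if the walk stays inside the buffer. */
size_t ie_walk_unchecked_first_bad_offset(const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    size_t len = buflen;                        /* unsigned, like the pattern */

    while (len >= 2) {
        if (off + 1 >= buflen)                  /* header read would fault    */
            return off < buflen ? off + 1 : off;
        uint8_t el_len = buf[off + 1];
        off += 2;
        len -= 2;
        off += el_len;                          /* skip the value, unchecked  */
        len -= el_len;                          /* wraps when el_len > len    */
    }
    return SIZE_MAX;
}

/* Constructed sample input for the example (not captured from an adapter). */
static const uint8_t ie_list_clean[] = {
    0x00, 0x04, 't', 'e', 's', 't',   /* SSID "test"                        */
    0x01, 0x02, 0x82, 0x84,           /* Supported Rates: 1 and 2 Mbit/s    */
};

static const uint8_t ie_list_truncated[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0x01, 0x02, 0x82, 0x84,
    0xDD, 0x20, 0x00, 0x50, 0xF2,     /* vendor IE claims 32 bytes, 3 present */
};

int main(void)
{
    struct ie_walk_result r;
    int rc = ie_walk_checked(ie_list_truncated, sizeof ie_list_truncated, &r);
    printf("checked:   rc=%d complete=%zu truncated=%d overrun=%zu bytes\n",
           rc, r.ies_complete, r.truncated, r.overrun_bytes);
    printf("unchecked: first out-of-bounds read at offset %zu (buffer is %zu bytes)\n",
           ie_walk_unchecked_first_bad_offset(ie_list_truncated, sizeof ie_list_truncated),
           sizeof ie_list_truncated);
    return 0;
}
```

On the truncated sample the checked walk stops after two complete IEs and reports that the third would reach 29 bytes past the end, while the simulated unchecked walk shows the next header read landing at offset 44 of a 15-byte buffer, the same 29-byte overrun seen from the other side. The practical rule is the one the checked loop applies: compare the declared length against the bytes actually remaining before every pointer advance, and treat a shortfall as malformed input rather than as a reason to keep walking.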