Wireshark-bugs: [Wireshark-bugs] [Bug 7561] Capture file that crashes wireshark in emem.c
Date: Tue, 7 Aug 2012 10:07:44 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7561

Martin Kaiser <wireshark@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wireshark@xxxxxxxxx

--- Comment #12 from Martin Kaiser <wireshark@xxxxxxxxx> 2012-08-07 10:07:43 PDT ---

Hi,

(In reply to comment #0)
> Created attachment 8888 [details]
> capture triggering the crash
> 
> Build Information:
> 1.8.1
> --
> Hi,
> 
> Here is a PCAP file triggering a crash that could enable a remote party to
> trigger (a least) a remote denial of service.
> 
> This was successfully tested on 1.8.1.
> 
> This file was generated thanks to a fuzz testing campaign.
> 
> Laurent Butti.
> 

the problem is as follows: In dissect_gsm_rlcmac_downlink(), we allocate

RlcMacDownlink_t * data =
  (RlcMacDownlink_t *) ep_alloc(sizeof(RlcMacDownlink_t));

The packet in the pcap overflows data. RlcMacDownlink_t contains a union

  union 
  { 
...
    Packet_Measurement_Order_Reduced_t    Packet_Measurement_Order;
...

but later, we call the csn dissector and assume we have
Packet_Measurement_Order_t, which is bigger.

/*ret =*/
csnStreamDissector(rlcmac_tree, &ar, CSNDESCR(Packet_Measurement_Order_t),
   tvb, &data->u.Packet_Measurement_Order, ett_gsm_rlcmac);

This overflows data and causes a crash.

I'll attach a trivial fix. However, I'm reluctant to commit it as I'm not
familiar with the protocol. Any comments about possible side-effects is
appreciated.

Best regards,

   Martin

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.