Wireshark-bugs: [Wireshark-bugs] [Bug 7561] Capture file that crashes wireshark in emem.c
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7561
Martin Kaiser <wireshark@xxxxxxxxx> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |wireshark@xxxxxxxxx
--- Comment #12 from Martin Kaiser <wireshark@xxxxxxxxx> 2012-08-07 10:07:43 PDT ---
Hi,
(In reply to comment #0)
> Created attachment 8888 [details]
> capture triggering the crash
>
> Build Information:
> 1.8.1
> --
> Hi,
>
> Here is a PCAP file triggering a crash that could enable a remote party to
> trigger (a least) a remote denial of service.
>
> This was successfully tested on 1.8.1.
>
> This file was generated thanks to a fuzz testing campaign.
>
> Laurent Butti.
>
the problem is as follows: In dissect_gsm_rlcmac_downlink(), we allocate
RlcMacDownlink_t * data =
(RlcMacDownlink_t *) ep_alloc(sizeof(RlcMacDownlink_t));
The packet in the pcap overflows data. RlcMacDownlink_t contains a union
union
{
...
Packet_Measurement_Order_Reduced_t Packet_Measurement_Order;
...
but later, we call the csn dissector and assume we have
Packet_Measurement_Order_t, which is bigger.
/*ret =*/
csnStreamDissector(rlcmac_tree, &ar, CSNDESCR(Packet_Measurement_Order_t),
tvb, &data->u.Packet_Measurement_Order, ett_gsm_rlcmac);
This overflows data and causes a crash.
I'll attach a trivial fix. However, I'm reluctant to commit it as I'm not
familiar with the protocol. Any comments about possible side-effects is
appreciated.
Best regards,
Martin
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.