Wireshark-bugs: [Wireshark-bugs] [Bug 8110] New: CLNP dissector crash
      
      
Date: Thu, 20 Dec 2012 20:22:25 +0000
| Bug ID | 8110 | 
|---|---|
| Summary | CLNP dissector crash | 
| Classification | Unclassified | 
| Product | Wireshark | 
| Version | 1.8.4 | 
| Hardware | x86-64 | 
| OS | All | 
| Status | UNCONFIRMED | 
| Severity | Major | 
| Priority | Low | 
| Component | Wireshark | 
| Assignee | bugzilla-admin@wireshark.org | 
| Reporter | laurentb@gmail.com | 
Created attachment 9724: crashfile

Build Information:
--
Hi,

Here is a PCAP file triggering a SIGSEGV that could enable (at least) a remote party to trigger a denial of service.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

--

```
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff2eb09f2 in vfprintf () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff2eb09f2 in vfprintf () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff2f70d80 in __vsnprintf_chk () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff5188d9f in proto_tree_set_representation (pi=<optimized out>, format=0x7ffff5d32208 "Holding Time : %u (%u.%u secs)", ap=0x7fffff7ff618) at proto.c:3652
#3 0x00007ffff518f8e5 in proto_tree_add_uint_format (tree=<optimized out>, hfindex=<optimized out>, tvb=<optimized out>, start=<optimized out>, length=<optimized out>, value=<optimized out>, format=0x7ffff5d32208 "Holding Time : %u (%u.%u secs)") at proto.c:2985
#4 0x00007ffff52da0c8 in dissect_clnp (tvb=0x1895700, pinfo=0x7fffffffd520, tree=0x7fffe7d88960) at packet-clnp.c:260
#5 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40, tvb=0x1895700, pinfo=0x7fffffffd520, tree=0x7fffe7d88960) at packet.c:433
#6 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40, tvb=0x1895700, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d88960) at packet.c:589
#7 0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x1895700, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d88960, add_proto_name=1) at packet.c:519
#8 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>, tvb=0x1895700, pinfo=0x7fffffffd520, tree=0x7fffe7d88960) at packet.c:2050
#9 0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>, pinfo=0x7fffffffd520, tree=0x7fffe7d88600) at packet-clnp.c:529
#10 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40, tvb=0x18956a0, pinfo=0x7fffffffd520, tree=0x7fffe7d88600) at packet.c:433
#11 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40, tvb=0x18956a0, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d88600) at packet.c:589
#12 0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x18956a0, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d88600, add_proto_name=1) at packet.c:519
#13 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>, tvb=0x18956a0, pinfo=0x7fffffffd520, tree=0x7fffe7d88600) at packet.c:2050
#14 0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>, pinfo=0x7fffffffd520, tree=0x7fffe7d882a0) at packet-clnp.c:529
#15 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40, tvb=0x1895640, pinfo=0x7fffffffd520, tree=0x7fffe7d882a0) at packet.c:433
#16 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40, tvb=0x1895640, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d882a0) at packet.c:589
#17 0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x1895640, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d882a0, add_proto_name=1) at packet.c:519
#18 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>, tvb=0x1895640, pinfo=0x7fffffffd520, tree=0x7fffe7d882a0) at packet.c:2050
#19 0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>, pinfo=0x7fffffffd520, tree=0x7fffe7d96f20) at packet-clnp.c:529
#20 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40, tvb=0x18955e0, pinfo=0x7fffffffd520, tree=0x7fffe7d96f20) at packet.c:433
#21 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40, tvb=0x18955e0, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96f20) at packet.c:589
#22 0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x18955e0, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96f20, add_proto_name=1) at packet.c:519
#23 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>, tvb=0x18955e0, pinfo=0x7fffffffd520, tree=0x7fffe7d96f20) at packet.c:2050
#24 0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>, pinfo=0x7fffffffd520, tree=0x7fffe7d96bc0) at packet-clnp.c:529
#25 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40, tvb=0x1895580, pinfo=0x7fffffffd520, tree=0x7fffe7d96bc0) at packet.c:433
#26 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40, tvb=0x1895580, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96bc0) at packet.c:589
#27 0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x1895580, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96bc0, add_proto_name=1) at packet.c:519
#28 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>, tvb=0x1895580, pinfo=0x7fffffffd520, tree=0x7fffe7d96bc0) at packet.c:2050
#29 0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>, pinfo=0x7fffffffd520, tree=0x7fffe7d96860) at packet-clnp.c:529
#30 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40, tvb=0x1895520, pinfo=0x7fffffffd520, tree=0x7fffe7d96860) at packet.c:433
#31 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40, tvb=0x1895520, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96860) at packet.c:589
#32 0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x1895520, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96860, add_proto_name=1) at packet.c:519
#33 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>, tvb=0x1895520, pinfo=0x7fffffffd520, tree=0x7fffe7d96860) at packet.c:2050
#34 0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>, pinfo=0x7fffffffd520, tree=0x7fffe7d96500) at packet-clnp.c:529
#35 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40, tvb=0x18954c0, pinfo=0x7fffffffd520, tree=0x7fffe7d96500) at packet.c:433
#36 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40, tvb=0x18954c0, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96500) at packet.c:589
#37 0x00007ffff517d7e8 in call_dissector_work (handle=0x146ce40, tvb=0x18954c0, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d96500, add_proto_name=1) at packet.c:519
#38 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>, tvb=0x18954c0, pinfo=0x7fffffffd520, tree=0x7fffe7d96500) at packet.c:2050
#39 0x00007ffff52da8ba in dissect_clnp (tvb=<optimized out>, pinfo=0x7fffffffd520, tree=0x7fffe7d961a0) at packet-clnp.c:529
#40 0x00007ffff517d180 in call_dissector_through_handle (handle=0x146ce40, tvb=0x1895460, pinfo=0x7fffffffd520, tree=0x7fffe7d961a0) at packet.c:433
#41 0x00007ffff517d6de in call_dissector_work_error (handle=0x146ce40, tvb=0x1895460, pinfo_arg=0x7fffffffd520, tree=0x7fffe7d961a0) at packet.c:589
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) info registers
rax            0xfffffff5          4294967285
rbx            0x7fffff7ff480      140737479963776
rcx            0x0                 0
rdx            0x7fffff7ff618      140737479964184
rsi            0x7ffff5d32208      140737317642760
rdi            0x7fffff7ff480      140737479963776
rbp            0x7fffff7ff470      0x7fffff7ff470
rsp            0x7fffff7fee10      0x7fffff7fee10
r8             0x0                 0
r9             0x7fffff7ff618      140737479964184
r10            0x25e6              9702
r11            0x1                 1
r12            0x7fffff7ff618      140737479964184
r13            0x7ffff5d32208      140737317642760
r14            0xef                239
r15            0x7ffff5d32208      140737317642760
rip            0x7ffff2eb09f2      0x7ffff2eb09f2 <vfprintf+50>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
```
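A triage aid for backtraces like the one above, as an added example that is not part of the original report or of Wireshark: it parses gdb `bt` frames and reports a block of frames that repeats back to back, here the `call_dissector` chain re-entering `dissect_clnp` at packet-clnp.c:529. The sample input is constructed from the frame names and locations in the trace, with addresses and arguments elided; `parse_frames` and `find_recursion` are hypothetical names.

```python
import re

# One gdb "bt" frame: "#N [0xADDR in] func (args) at file:line" or "... from lib".
FRAME_RE = re.compile(
    r"#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \(.*?\) (?:at|from) (\S+)")

def parse_frames(bt_text):
    """Return [(function, location), ...] in frame order, innermost first."""
    return [(m.group(2), m.group(3)) for m in FRAME_RE.finditer(bt_text)]

def find_recursion(frames, min_repeats=3):
    """Return (start, period, repeats) for the first block of frames that
    repeats back to back at least min_repeats times, or None."""
    n = len(frames)
    for start in range(n):
        for period in range(1, (n - start) // min_repeats + 1):
            block = frames[start:start + period]
            repeats = 1
            while frames[start + repeats * period:
                         start + (repeats + 1) * period] == block:
                repeats += 1
            if repeats >= min_repeats:
                return start, period, repeats
    return None

# Constructed sample: frame names and locations taken from the backtrace in
# this report, addresses and arguments elided.
HEAD = [
    "vfprintf () from /lib/x86_64-linux-gnu/libc.so.6",
    "__vsnprintf_chk () from /lib/x86_64-linux-gnu/libc.so.6",
    "proto_tree_set_representation (...) at proto.c:3652",
    "proto_tree_add_uint_format (...) at proto.c:2985",
    "dissect_clnp (...) at packet-clnp.c:260",
]
LOOP = [
    "call_dissector_through_handle (...) at packet.c:433",
    "call_dissector_work_error (...) at packet.c:589",
    "call_dissector_work (...) at packet.c:519",
    "call_dissector (...) at packet.c:2050",
    "dissect_clnp (...) at packet-clnp.c:529",
]
SAMPLE_BT = "\n".join(f"#{i} {f}" for i, f in enumerate(HEAD + LOOP * 3))

if __name__ == "__main__":
    frames = parse_frames(SAMPLE_BT)
    start, period, repeats = find_recursion(frames)
    print(f"from frame #{start}: {period}-frame block repeats {repeats}x")
    for func, loc in frames[start:start + period]:
        print(f"  {func} at {loc}")
```
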