Wireshark-bugs: [Wireshark-bugs] [Bug 8752] New: Erroneous Sign Extension and Faulty Memory Allo
Date: Sun, 02 Jun 2013 16:41:20 +0000
Bug ID 8752
Summary Erroneous Sign Extension and Faulty Memory Allocation at pcapng_read_interface_statistics_block()
Classification Unclassified
Product Wireshark
Version SVN
Hardware x86-64
OS Ubuntu
Status UNCONFIRMED
Severity Minor
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter georgi.geshev@owasp.org

Comment # 1 on bug 8752 from
*** Bug 8749 has been marked as a duplicate of this bug. ***
Build Information:
TShark 1.11.0 (SVN Rev 49680 from /trunk)

Copyright 1998-2013 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, with POSIX
capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.7.5, with
Lua 5.1, without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT
Kerberos, with GeoIP.

Running on Linux 3.5.0-32-generic, with locale en_US.UTF-8, with libpcap
version 1.1.1, with libz 1.2.3.4.
      Intel(R) Core(TM) i7-3610QM CPU @ 2.30GHz

Built using gcc 4.6.3.
--
$ file 89db11cd7ce9edf598548534aee38abc.pcapng 
89db11cd7ce9edf598548534aee38abc.pcapng: pcap-ng capture file - version 1.0
$ gdb -q -batch -ex 'set br pen on' -ex 'br pcapng.c:1693' -ex 'r -n -r
89db11cd7ce9edf598548534aee38abc.pcapng' -ex 'printf
"\nopt_cont_buf_len:\t\t0x%x (%d | %u)\n(gsize)opt_cont_buf_len:\t0x%lx (%ld |
%lu)\n", opt_cont_buf_len, opt_cont_buf_len, opt_cont_buf_len,
opt_cont_buf_len, opt_cont_buf_len, opt_cont_buf_len,' /usr/local/bin/tshark
-ex 'next' -ex 'bt'
No source file named pcapng.c.
Breakpoint 1 (pcapng.c:1693) pending.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  1 0.000000000 192.168.1.145 -> 192.168.1.118 TCP 66 49173 > 21 [SYN] Seq=0
Win=8192 Len=0 MSS=1464 WS=256 SACK_PERM=1
  2 0.078804000 192.168.1.118 -> 192.168.1.145 TCP 60 21 > 49173 [SYN, ACK]
Seq=0 Ack=1 Win=40960 Len=0 MSS=1460
  3 0.078938000 192.168.1.145 -> 192.168.1.118 TCP 54 49173 > 21 [ACK] Seq=1
Ack=1 Win=64240 Len=0
  4 0.181849000 192.168.1.118 -> 192.168.1.145 TCP 60 [TCP Dup ACK 2#1] 21 >
49173 [ACK] Seq=1 Ack=1 Win=40960 Len=0
  5 0.327918000 192.168.1.118 -> 192.168.1.145 FTP 91 Response: 220 Welcome to
KolibriOS FTP daemon
  6 0.328557000 192.168.1.145 -> 192.168.1.118 FTP 70 Request: USER anonymous
  7 0.417093000 192.168.1.118 -> 192.168.1.145 TCP 60 [TCP Dup ACK 5#1] 21 >
49173 [ACK] Seq=38 Ack=1 Win=40960 Len=0
  8 0.524722000 192.168.1.118 -> 192.168.1.145 TCP 60 [TCP Dup ACK 5#2] 21 >
49173 [ACK] Seq=38 Ack=1 Win=40960 Len=0
  9 0.627438000 192.168.1.145 -> 192.168.1.118 FTP 70 [TCP Retransmission]
Request: USER anonymous
 10 0.765743000 192.168.1.118 -> 192.168.1.145 TCP 60 21 > 49173 [ACK] Seq=38
Ack=17 Win=40960 Len=0
 11 0.960900000 192.168.1.118 -> 192.168.1.145 FTP 87 Response: 331 Please
specify the password
 12 0.961190000 192.168.1.145 -> 192.168.1.118 FTP 75 Request: PASS
anon@localhost
 13 1.050083000 192.168.1.118 -> 192.168.1.145 TCP 60 [TCP Dup ACK 11#1] 21 >
49173 [ACK] Seq=71 Ack=17 Win=40960 Len=0
 14 1.170477000 192.168.1.118 -> 192.168.1.145 TCP 60 [TCP Dup ACK 11#2] 21 >
49173 [ACK] Seq=71 Ack=17 Win=40960 Len=0
 15 1.266970000 192.168.1.145 -> 192.168.1.118 FTP 75 [TCP Retransmission]
Request: PASS anon@localhost
 16 1.405259000 192.168.1.118 -> 192.168.1.145 TCP 60 21 > 49173 [ACK] Seq=71
Ack=38 Win=40960 Len=0
 17 1.600851000 192.168.1.118 -> 192.168.1.145 FTP 75 Response: 530 Login
incorrect
 18 1.601155000 192.168.1.145 -> 192.168.1.118 TCP 54 49173 > 21 [FIN, ACK]
Seq=38 Ack=92 Win=64149 Len=0
 19 1.698786000 192.168.1.118 -> 192.168.1.145 TCP 60 21 > 49173 [ACK] Seq=92
Ack=39 Win=40960 Len=0
 20 1.784796000 192.168.1.118 -> 192.168.1.145 TCP 60 [TCP Dup ACK 19#1] 21 >
49173 [ACK] Seq=92 Ack=39 Win=40960 Len=0
 21 1.963574000 192.168.1.118 -> 192.168.1.145 TCP 60 [TCP Dup ACK 19#2] 21 >
49173 [ACK] Seq=92 Ack=39 Win=40960 Len=0

Breakpoint 1, pcapng_read_interface_statistics_block (fh=0x179dd80,
bh=0x7fffffffdad0, pn=0x179a830, wblock=0x7fffffffdb20, err=0x7fffffffde14,
err_info=0x7fffffffddd8) at pcapng.c:1693
1693            option_content = (char *)g_malloc(opt_cont_buf_len);

opt_cont_buf_len:           0xc0000054 (-1073741740 | 3221225556)
(gsize)opt_cont_buf_len:    0xffffffffc0000054 (-1073741740 | 18446744072635809876)

(process:55838): GLib-ERROR **: /build/buildd/glib2.0-2.32.3/./glib/gmem.c:165:
failed to allocate 18446744072635809876 bytes

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff2f03fdb in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#0  0x00007ffff2f03fdb in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#1  0x00007ffff2f041b2 in g_log () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007ffff2f02aaf in g_malloc () from
/lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ffff7b58b0e in pcapng_read_interface_statistics_block (fh=0x179dd80,
bh=0x7fffffffdad0, pn=0x179a830, wblock=0x7fffffffdb20, err=0x7fffffffde14,
err_info=0x7fffffffddd8) at pcapng.c:1693
#4  0x00007ffff7b595ba in pcapng_read_block (fh=0x179dd80, first_block=0,
pn=0x179a830, wblock=0x7fffffffdb20, err=0x7fffffffde14,
err_info=0x7fffffffddd8) at pcapng.c:1941
#5  0x00007ffff7b59df2 in pcapng_read (wth=0x179dc00, err=0x7fffffffde14,
err_info=0x7fffffffddd8, data_offset=0x7fffffffdde0) at pcapng.c:2177
#6  0x00007ffff7b6aa15 in wtap_read (wth=0x179dc00, err=0x7fffffffde14,
err_info=0x7fffffffddd8, data_offset=0x7fffffffdde0) at wtap.c:868
#7  0x000000000041d473 in load_cap_file (cf=0x653ce0, save_file=0x0,
out_file_type=2, out_file_name_res=0, max_packet_count=-21, max_byte_count=0)
at tshark.c:3039
#8  0x000000000041b87d in main (argc=4, argv=0x7fffffffe238) at tshark.c:1918
$

Because of an implicit cast from int to gsize when calling g_malloc(),
opt_cont_buf_len gets erroneously sign extended. Furthermore, I guess
opt_cont_buf_len should really be unsigned, i.e. guint/32/64.

gpointer g_malloc(gsize n_bytes);    // https://developer.gnome.org/glib/2.28/glib-Memory-Allocation.html#g-malloc

typedef unsigned long gsize;         // https://developer.gnome.org/glib/2.28/glib-Basic-Types.html#gsize
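
Added example, not part of the original report and not Wireshark code: a stand-alone C reproduction of the conversion shown in the gdb output above, next to the unsigned variant and a bounds check. The names size64, size_from_signed, size_from_unsigned, length_fits and block_remaining are hypothetical; uint64_t stands in for gsize on x86-64, and the check is one possible guard, not the project's fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed input: the 32-bit value gdb printed for opt_cont_buf_len. */
#define SAMPLE_RAW_LEN 0xc0000054u

/* Stand-in for gsize (unsigned long, 64 bits wide on the reporter's x86-64). */
typedef uint64_t size64;

/* Pattern from the report: the length lives in a signed int and is
 * converted to the allocator's unsigned 64-bit parameter at the call. */
size64 size_from_signed(uint32_t raw_len)
{
    int opt_cont_buf_len = (int)raw_len; /* wraps to a negative value on gcc/clang */
    return (size64)opt_cont_buf_len;     /* negative int -> sign-extended size */
}

/* Same 32 bits held in an unsigned type: the conversion zero-extends. */
size64 size_from_unsigned(uint32_t raw_len)
{
    return (size64)raw_len;
}

/* Hypothetical guard (assumption): an option cannot be longer than the
 * bytes left in its enclosing block. Returns 1 if the length is usable. */
int length_fits(uint32_t raw_len, uint32_t block_remaining)
{
    return raw_len <= block_remaining;
}

int main(void)
{
    printf("signed:   0x%llx\n",
           (unsigned long long)size_from_signed(SAMPLE_RAW_LEN));
    printf("unsigned: 0x%llx\n",
           (unsigned long long)size_from_unsigned(SAMPLE_RAW_LEN));
    printf("fits in a 128-byte block: %d\n",
           length_fits(SAMPLE_RAW_LEN, 128u));
    return 0;
}
```

Making the variable unsigned removes the sign extension but still yields a 3 GiB request; only the comparison against the bytes actually available rejects the value before allocation.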

