Wireshark-bugs: [Wireshark-bugs] [Bug 8941] New: Fuzz failure:
Date: Tue, 16 Jul 2013 14:36:38 +0000
Bug ID | 8941 |
---|---|
Summary | Fuzz failure: |
Classification | Unclassified |
Product | Wireshark |
Version | SVN |
Hardware | All |
OS | All |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | Dissection engine (libwireshark) |
Assignee | bugzilla-admin@wireshark.org |
Reporter | jeff.morriss.ws@gmail.com |
Build Information:
--
Got another fuzz failure last night:

~~~
ERROR
Processing failed. Capture info follows:

Input file: ../caps/menagerie/public/10129-trc_00004_20130227111552
Output file: /tmp/fuzz-2013-07-15-23661.pcap
stderr follows:

Input file: ../caps/menagerie/public/10129-trc_00004_20130227111552
Build host information:
Linux mtl-morriss-d1.ulticom.com 3.9.2-200.fc18.x86_64 #1 SMP Mon May 13 13:59:47 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Return value: 139
Dissector bug: 0
Valgrind error count: 0
Subversion revision
------------------------------------------------------------------------
r50634 | darkjames | 2013-07-15 14:59:42 -0400 (Mon, 15 Jul 2013) | 4 lines

Fix bug #8934: Fuzz failure: seg-fault in tvb_new_proxy()

It is possible to have NULL reassembly data, support this case in tvb_new_proxy().
------------------------------------------------------------------------
Command and args: ./tshark -nVxr

** (process:19795): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 10736: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"
** (process:19795): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 10812: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"
** (process:19795): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 12498: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"
~~~

Backtrace is:

~~~
#0  print_hex_data_buffer (stream=stream@entry=0x1f7e010, cp=0x1e2898235 <Address 0x1e2898235 out of bounds>, length=length@entry=8, encoding=PACKET_CHAR_ENC_CHAR_ASCII) at print.c:1005
#1  0x00007f15279f8659 in print_hex_data (stream=0x1f7e010, edt=edt@entry=0x7fff0bb89200) at print.c:922
#2  0x0000000000411807 in print_packet (cf=cf@entry=0x63ca00 <cfile>, edt=edt@entry=0x7fff0bb89200) at tshark.c:3663
#3  0x0000000000413048 in process_packet (cf=cf@entry=0x63ca00 <cfile>, offset=<optimized out>, whdr=<optimized out>, pd=pd@entry=0x205e000 "", filtering_tap_listeners=<optimized out>, filtering_tap_listeners@entry=0, tap_flags=tap_flags@entry=4) at tshark.c:3268
#4  0x000000000040afd7 in load_cap_file (cf=0x63ca00 <cfile>, max_byte_count=0, max_packet_count=-13200, out_file_name_res=0, out_file_type=2, save_file=0x0) at tshark.c:3046
#5  main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1920
~~~

Interestingly, Valgrind shows a different kind of error:

~~~
==29870== Conditional jump or move depends on uninitialised value(s)
==29870==    at 0x67E11D8: get_unicode_or_ascii_string (packet-smb-common.c:240)
==29870==    by 0x680172F: dissect_get_dfs_request_data (packet-smb.c:10949)
==29870==    by 0x6812E75: dissect_smb2_ioctl_data (packet-smb2.c:4625)
==29870==    by 0x6811A3C: dissect_smb2_ioctl_request (packet-smb2.c:4737)
==29870==    by 0x68104BC: dissect_smb2 (packet-smb2.c:6637)
==29870==    by 0x6810C66: dissect_smb2_heur (packet-smb2.c:7074)
==29870==    by 0x61EA80F: dissector_try_heuristic (packet.c:1782)
==29870==    by 0x667F5F3: dissect_netbios_payload (packet-netbios.c:1055)
==29870==    by 0x664A8ED: dissect_nbss_packet (packet-nbns.c:1612)
==29870==    by 0x664AACA: dissect_nbss (packet-nbns.c:1816)
==29870==    by 0x61E8997: call_dissector_through_handle (packet.c:433)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870==
==29870== Conditional jump or move depends on uninitialised value(s)
==29870==    at 0x66A9631: decrypt_data_payload.isra.1 (packet-ntlmssp.c:2027)
==29870==    by 0x66A99E6: dissect_ntlmssp_payload_only (packet-ntlmssp.c:2417)
==29870==    by 0x66A9A19: wrap_dissect_ntlmssp_payload_only (packet-ntlmssp.c:2512)
==29870==    by 0x61B75A7: dissect_dcerpc_cn_stub.isra.5 (packet-dcerpc.c:886)
==29870==    by 0x63DEBB2: dissect_dcerpc_cn (packet-dcerpc.c:3705)
==29870==    by 0x63DF983: dissect_dcerpc_cn_bs_body (packet-dcerpc.c:4733)
==29870==    by 0x61EA80F: dissector_try_heuristic (packet.c:1782)
==29870==    by 0x6852D6E: decode_tcp_ports (packet-tcp.c:3877)
==29870==    by 0x6853281: process_tcp_payload (packet-tcp.c:3922)
==29870==    by 0x685385C: dissect_tcp_payload (packet-tcp.c:1747)
==29870==    by 0x6855284: dissect_tcp (packet-tcp.c:4757)
==29870==    by 0x61E8997: call_dissector_through_handle (packet.c:433)
==29870==
==29870== Conditional jump or move depends on uninitialised value(s)
==29870==    at 0x66A83C9: decrypt_verifier (packet-ntlmssp.c:2255)
==29870==    by 0x66A88FF: dissect_ntlmssp_verf (packet-ntlmssp.c:2488)
==29870==    by 0x61B6237: dissect_auth_verf.isra.2 (packet-dcerpc.c:858)
==29870==    by 0x61B6390: dissect_dcerpc_verifier (packet-dcerpc.c:2776)
==29870==    by 0x63DE96F: dissect_dcerpc_cn (packet-dcerpc.c:3857)
==29870==    by 0x63DF983: dissect_dcerpc_cn_bs_body (packet-dcerpc.c:4733)
==29870==    by 0x61EA80F: dissector_try_heuristic (packet.c:1782)
==29870==    by 0x6852D6E: decode_tcp_ports (packet-tcp.c:3877)
==29870==    by 0x6853281: process_tcp_payload (packet-tcp.c:3922)
==29870==    by 0x685385C: dissect_tcp_payload (packet-tcp.c:1747)
==29870==    by 0x6855284: dissect_tcp (packet-tcp.c:4757)
==29870==    by 0x61E8997: call_dissector_through_handle (packet.c:433)
==29870==
** (process:29870): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 10736: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"
** (process:29870): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 10812: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"
** (process:29870): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 12498: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"
==29870== Conditional jump or move depends on uninitialised value(s)
==29870==    at 0x66A95D3: decrypt_data_payload.isra.1 (packet-ntlmssp.c:2008)
==29870==    by 0x66A9C98: dissect_ntlmssp_payload (packet-ntlmssp.c:1976)
==29870==    by 0x61E89DE: call_dissector_through_handle (packet.c:429)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870==    by 0x61EAF70: call_dissector_with_data (packet.c:2061)
==29870==    by 0x64FCCE0: dissect_gssapi_work (packet-gssapi.c:319)
==29870==    by 0x61E8997: call_dissector_through_handle (packet.c:433)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870==    by 0x61EAF70: call_dissector_with_data (packet.c:2061)
==29870==    by 0x680F338: dissect_smb2_negotiate_protocol_response (packet-smb2.c:3471)
==29870==    by 0x68104BC: dissect_smb2 (packet-smb2.c:6637)
==29870==    by 0x6810247: dissect_smb2 (packet-smb2.c:7053)
==29870==
==29870== Use of uninitialised value of size 8
==29870==    at 0x8FD3AC6: crc32c_calculate (crc32.c:245)
==29870==    by 0x66A9562: header_hash (packet-ntlmssp.c:2616)
==29870==    by 0x3DE1C37C98: g_hash_table_lookup (in /usr/lib64/libglib-2.0.so.0.3400.2)
==29870==    by 0x66A83A2: decrypt_verifier (packet-ntlmssp.c:2246)
==29870==    by 0x66A9CBA: dissect_ntlmssp_payload (packet-ntlmssp.c:1977)
==29870==    by 0x61E89DE: call_dissector_through_handle (packet.c:429)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870==    by 0x61EAF70: call_dissector_with_data (packet.c:2061)
==29870==    by 0x64FCCE0: dissect_gssapi_work (packet-gssapi.c:319)
==29870==    by 0x61E8997: call_dissector_through_handle (packet.c:433)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870==    by 0x61EAF70: call_dissector_with_data (packet.c:2061)
==29870==
==29870== Conditional jump or move depends on uninitialised value(s)
==29870==    at 0x66A83BB: decrypt_verifier (packet-ntlmssp.c:2254)
==29870==    by 0x66A9CBA: dissect_ntlmssp_payload (packet-ntlmssp.c:1977)
==29870==    by 0x61E89DE: call_dissector_through_handle (packet.c:429)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870==    by 0x61EAF70: call_dissector_with_data (packet.c:2061)
==29870==    by 0x64FCCE0: dissect_gssapi_work (packet-gssapi.c:319)
==29870==    by 0x61E8997: call_dissector_through_handle (packet.c:433)
==29870==    by 0x61E91CC: call_dissector_work (packet.c:527)
==29870==    by 0x61EAF70: call_dissector_with_data (packet.c:2061)
==29870==    by 0x680F338: dissect_smb2_negotiate_protocol_response (packet-smb2.c:3471)
==29870==    by 0x68104BC: dissect_smb2 (packet-smb2.c:6637)
==29870==    by 0x6810247: dissect_smb2 (packet-smb2.c:7053)
~~~
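A fuzz run like this one produces two kinds of evidence to triage: the tshark "Dissector bug ... failed assertion" warnings, which identify a source line and the packets that trip it, and the Valgrind error blocks, whose frames point at the dissector that first touched uninitialised memory. The small triage script below is an added example, not part of the bug report or of Wireshark's own fuzz tooling. It parses both formats exactly as they appear above (the sample text is constructed by copying a few of the report's lines), groups the assertions by site, and reports the first `packet-*.c` frame of each Valgrind error, so that a stack that starts in `crc32.c` or in libglib is still attributed to the dissector that handed over the bad data. The `packet-` prefix heuristic and the regular expressions are this example's assumptions about the log shapes shown, not a Wireshark API.

```python
import re
from collections import Counter

# Constructed sample: lines copied in the shape of the report above.
SAMPLE = """\
** (process:29870): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 10736: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"
** (process:29870): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 10812: packet-dcerpc.c:2279: failed assertion "id <= ((guint32) 0xffffffff)"
==29870== Conditional jump or move depends on uninitialised value(s)
==29870==    at 0x66A83C9: decrypt_verifier (packet-ntlmssp.c:2255)
==29870==    by 0x66A88FF: dissect_ntlmssp_verf (packet-ntlmssp.c:2488)
==29870==    by 0x61B6237: dissect_auth_verf.isra.2 (packet-dcerpc.c:858)
==29870==
==29870== Use of uninitialised value of size 8
==29870==    at 0x8FD3AC6: crc32c_calculate (crc32.c:245)
==29870==    by 0x66A9562: header_hash (packet-ntlmssp.c:2616)
==29870==    by 0x3DE1C37C98: g_hash_table_lookup (in /usr/lib64/libglib-2.0.so.0.3400.2)
==29870==    by 0x66A83A2: decrypt_verifier (packet-ntlmssp.c:2246)
==29870==
"""

# Shapes assumed from the log lines shown in the report (not a Wireshark API).
ASSERT_RE = re.compile(
    r'Dissector bug, protocol (\S+), in packet (\d+): (\S+?):(\d+): failed assertion "(.*)"')
VG_BLANK_RE = re.compile(r'^==\d+==\s*$')
VG_FRAME_RE = re.compile(r'^==\d+==\s+(at|by) 0x([0-9A-Fa-f]+): (\S+) \((.+)\)$')
VG_HDR_RE = re.compile(r'^==(\d+)== (\S.*)$')


def parse_assertions(text):
    """One record per 'Dissector bug ... failed assertion' warning line."""
    out = []
    for m in ASSERT_RE.finditer(text):
        proto, pkt, path, line, cond = m.groups()
        out.append({"protocol": proto, "packet": int(pkt),
                    "file": path, "line": int(line), "condition": cond})
    return out


def parse_valgrind(text):
    """Group Valgrind output into errors: a kind plus its (function, location) frames.

    A frame location is either 'file.c:NNN' or 'in /path/to/lib.so' for
    frames without debug info, kept verbatim so callers can tell them apart.
    """
    errors, current = [], None
    for raw in text.splitlines():
        if VG_BLANK_RE.match(raw):          # '==pid==' alone ends an error block
            if current is not None:
                errors.append(current)
                current = None
            continue
        fm = VG_FRAME_RE.match(raw)
        if fm and current is not None:      # '   at/by 0x...: func (loc)'
            current["frames"].append((fm.group(3), fm.group(4)))
            continue
        hm = VG_HDR_RE.match(raw)
        if hm:                              # '==pid== <error description>'
            if current is not None:
                errors.append(current)
            current = {"pid": int(hm.group(1)), "kind": hm.group(2), "frames": []}
    if current is not None:
        errors.append(current)
    return errors


def first_dissector_frame(error, prefix="packet-"):
    """First frame whose source file starts with `prefix` (heuristic for 'which
    dissector owns this'); None when no frame has a source location."""
    for func, loc in error["frames"]:
        if loc.startswith(prefix):
            return func, loc
    return None


def summarize(text):
    """Counts suitable for a bug title: assertion sites and implicated dissector files."""
    asserts = parse_assertions(text)
    vg = parse_valgrind(text)
    by_site = Counter((a["file"], a["line"], a["condition"]) for a in asserts)
    owners = Counter()
    for e in vg:
        frame = first_dissector_frame(e)
        if frame is not None:
            owners[frame[1].split(":")[0]] += 1
    return {"assertion_sites": by_site, "valgrind_errors": len(vg), "dissectors": owners}


if __name__ == "__main__":
    for site, n in summarize(SAMPLE)["assertion_sites"].items():
        print(f"{n}x assertion {site[0]}:{site[1]}: {site[2]}")
    for e in parse_valgrind(SAMPLE):
        print(e["kind"], "->", first_dissector_frame(e))
```

Run on the full report, the summary attributes every Valgrind error to `packet-ntlmssp.c`, `packet-smb-common.c` or their callers, which is the kind of evidence that later turned this bug's title into "NTLMSSP caused crash"; the assertion counter shows that all three RPC_NETLOGON warnings hit the same `packet-dcerpc.c:2279` check.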
Follow-Ups:
- [Wireshark-bugs] [Bug 8941] Fuzz failure: crash in print_hex_data_buffer() (From: bugzilla-daemon)
- [Wireshark-bugs] [Bug 8941] Fuzz failure: NTLMSSP caused crash in print_hex_data_buffer() (From: bugzilla-daemon)