Wireshark-bugs: [Wireshark-bugs] [Bug 8941] Fuzz failure: NTLMSSP caused crash in print_hex_data
Date: Wed, 17 Jul 2013 03:21:32 +0000

changed bug 8941

What Removed Added
Status IN_PROGRESS CONFIRMED
Summary Fuzz failure: crash in print_hex_data_buffer() Fuzz failure: NTLMSSP caused crash in print_hex_data_buffer()

Comment # 5 on bug 8941 from
OK, so the problem is that the NTLMSSP dissector is storing 2 different things
on the FD:

1) dissect_ntlmssp_auth() stores a ntlmssp_info
2) decrypt_data_payload() and others store a packet_ntlmssp_info

(This is OLD code: the 2nd use was added in r6825.)

The problem is that in frame 13201 there's both an auth blob and another blob
that gets descrypted.  dissect_ntlmssp_auth() stores a ntlmssp_info and
decrypt_data_payload() retrieves it, thinks its a packet_ntlmssp_info and
eventually crashes on an invalid pointer.

If I get rid of (1) the crash goes away AND the couple of sample captures I got
(from bug 5251 and bug 2444) decode the same way.  Probably requires more
investigation before going that route...  Maybe the solution is obvious to
someone who knows the protocol better...

Oh, yeah, there is one obvious solution: trunk and trunk-1.10 have a key used
for storing proto_data.  Make ntlmssp_info key=0 and packet_ntlmssp_info key=1
and then both functions can store there data on there.  But that doesn't help
trunk-1.8 (which also crashes on this capture).


You are receiving this mail because:
  • You are watching all bug changes.