Wireshark-bugs: [Wireshark-bugs] [Bug 10028] Buildbot crash output: fuzz-2014-04-22-17437.pcap
Evan Huus changed bug 10028:
  CC: added eapache@gmail.com, mmann78@netscape.net (nothing removed)
Comment #1 on bug 10028 from Evan Huus:
In kerberos.cnf:344, the dissector assumes that actx->value_ptr is a pointer to
a kerberos_key_t. In this particular case, it's a pointer to a guint32 instead
and we read uninitialized memory. I do not know enough about the
protocol/dissector to take this much further, but I see different functions
using value_ptr as different types all over, which doesn't seem safe?
==7631== Invalid read of size 8
==7631== at 0x6FAE01A: dissect_kerberos_EncryptionKey (kerberos.cnf:352)
==7631== by 0x66A3E9D: dissect_ber_sequence (packet-ber.c:2351)
==7631== by 0x6FABDBF: dissect_kerberos_EncKDCRepPart (kerberos.cnf:434)
==7631== by 0x66A13CB: dissect_ber_tagged_type (packet-ber.c:676)
==7631== by 0x6FACB5D: dissect_kerberos_EncASRepPart (kerberos.cnf:444)
==7631== by 0x66A2164: dissect_ber_choice (packet-ber.c:2862)
==7631== by 0x6FAC97F: dissect_kerberos_Applications (kerberos.cnf:185)
==7631== by 0x66A3B1B: dissect_ber_octet_string_wcb (packet-ber.c:1734)
==7631== by 0x6FAD1E7: dissect_kerberos_T_padata_value (kerberos.cnf:178)
==7631== by 0x66A3E9D: dissect_ber_sequence (packet-ber.c:2351)
==7631== by 0x6FABAFF: dissect_kerberos_PA_DATA (kerberos.cnf:195)
==7631== by 0x66A5B4E: dissect_ber_sq_of (packet-ber.c:3437)
==7631== Address 0x128daa08 is 4 bytes after a block of size 4 alloc'd
==7631== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7631== by 0x9879610: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==7631== by 0x70913CF: wmem_simple_alloc (wmem_allocator_simple.c:50)
==7631== by 0x6FAD621: dissect_kerberos_PADATA_TYPE (kerberos.cnf:123)
==7631== by 0x66A3E9D: dissect_ber_sequence (packet-ber.c:2351)
==7631== by 0x6FABAFF: dissect_kerberos_PA_DATA (kerberos.cnf:195)
==7631== by 0x66A5B4E: dissect_ber_sq_of (packet-ber.c:3437)
==7631== by 0x66A62CD: dissect_ber_sequence_of (packet-ber.c:3468)
==7631== by 0x6FAC3CF: dissect_kerberos_SEQUENCE_OF_PA_DATA (kerberos.cnf:208)
==7631== by 0x66A3E9D: dissect_ber_sequence (packet-ber.c:2351)
==7631== by 0x6FAC13F: dissect_kerberos_KDC_REQ (kerberos.cnf:422)
==7631== by 0x66A13CB: dissect_ber_tagged_type (packet-ber.c:676)
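The failure pattern in the report is a shared untyped slot (actx->value_ptr) that one dissector fills with a guint32 and another later reads as a kerberos_key_t, so the 8-byte read runs 4 bytes past a 4-byte allocation. The following is an added example, not Wireshark's code: it models that slot with a hypothetical asn1_ctx_model struct and a kind tag, so a consumer that expects a key gets NULL instead of a reinterpreted integer. All type layouts and function names here are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the types named in the report; layouts are
 * constructed for this example and are not Wireshark's definitions. */
typedef uint32_t guint32;
typedef struct { int keytype; int keylength; const uint8_t *keyvalue; } kerberos_key_t;

/* Records what the untyped slot currently points at. */
typedef enum { VP_NONE, VP_GUINT32, VP_KERBEROS_KEY } value_ptr_kind;

typedef struct {
    void *value_ptr;      /* shared untyped slot, like actx->value_ptr */
    value_ptr_kind kind;  /* added tag: which type the producer stored */
} asn1_ctx_model;

/* Producers always set the tag together with the pointer. */
static void set_u32(asn1_ctx_model *ctx, guint32 *v) { ctx->value_ptr = v; ctx->kind = VP_GUINT32; }
static void set_key(asn1_ctx_model *ctx, kerberos_key_t *k) { ctx->value_ptr = k; ctx->kind = VP_KERBEROS_KEY; }

/* Checked accessor: refuses to reinterpret a 4-byte guint32 as the larger
 * kerberos_key_t, which is the over-read Valgrind flagged above. */
static kerberos_key_t *get_key_checked(asn1_ctx_model *ctx) {
    if (ctx->kind != VP_KERBEROS_KEY) return NULL;
    return (kerberos_key_t *)ctx->value_ptr;
}

/* Models the EncryptionKey consumer: keytype, or -1 when the slot held another type. */
int encryption_key_keytype(asn1_ctx_model *ctx) {
    kerberos_key_t *key = get_key_checked(ctx);
    return key ? key->keytype : -1;
}

/* Reproduces the reported sequence: a PADATA_TYPE-style producer stores a
 * guint32, then an EncryptionKey-style consumer asks for a key. */
int run_scenario_padata_then_key(void) {
    asn1_ctx_model ctx = { NULL, VP_NONE };
    guint32 padata_type = 2;          /* constructed sample value */
    set_u32(&ctx, &padata_type);
    return encryption_key_keytype(&ctx); /* -1: mismatch caught, no out-of-bounds read */
}

/* Control case: the slot really holds a key, so the lookup succeeds. */
int run_scenario_key(void) {
    asn1_ctx_model ctx = { NULL, VP_NONE };
    static const uint8_t kv[4] = { 1, 2, 3, 4 };  /* constructed sample key bytes */
    kerberos_key_t key = { 23, 4, kv };
    set_key(&ctx, &key);
    return encryption_key_keytype(&ctx); /* 23 */
}
```

The same tagging idea applies to any dissector that passes a void* context between callbacks: the producer and consumer must agree on the type, and a tag lets that agreement be checked at runtime rather than assumed.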