Wireshark-bugs: [Wireshark-bugs] [Bug 11389] Segmentation fault on malformed ZigBee packet
Date: Wed, 22 Jul 2015 21:33:27 +0000

changed bug 11389


What Removed Added
CC   pascal.quantin@gmail.com

Comment # 2 on bug 11389 from
Even if it does not crash on your PC, the ZigBee decrypting code is still doing
nasty things on packet 141 which could lead to a crash depending on the machine
used:

==7122== Invalid read of size 16
==7122==    at 0xB53CA36: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB523AA9: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB521685: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB516D7D: gcry_cipher_encrypt (in
/lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0x700B4DC: zbee_sec_ccm_decrypt (packet-zbee-security.c:975)
==7122==    by 0x700B90B: zbee_sec_decrypt_payload (packet-zbee-security.c:831)
==7122==    by 0x700BD08: dissect_zbee_secure (packet-zbee-security.c:699)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==  Address 0x142e1916 is 22 bytes inside a block of size 36 alloc'd
==7122==    at 0x4C2BBA0: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7122==    by 0xA0CC799: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4400.1)
==7122==    by 0x7309C6B: wmem_simple_alloc (wmem_allocator_simple.c:55)
==7122==    by 0x67DC918: tvb_memdup (tvbuff.c:829)
==7122==    by 0x700BA7D: dissect_zbee_secure (packet-zbee-security.c:517)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122== 
==7122== Invalid read of size 16
==7122==    at 0xB53CA42: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB523AA9: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB521685: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB516D7D: gcry_cipher_encrypt (in
/lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0x700B4DC: zbee_sec_ccm_decrypt (packet-zbee-security.c:975)
==7122==    by 0x700B90B: zbee_sec_decrypt_payload (packet-zbee-security.c:831)
==7122==    by 0x700BD08: dissect_zbee_secure (packet-zbee-security.c:699)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==  Address 0x142e1926 is 2 bytes after a block of size 36 alloc'd
==7122==    at 0x4C2BBA0: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7122==    by 0xA0CC799: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4400.1)
==7122==    by 0x7309C6B: wmem_simple_alloc (wmem_allocator_simple.c:55)
==7122==    by 0x67DC918: tvb_memdup (tvbuff.c:829)
==7122==    by 0x700BA7D: dissect_zbee_secure (packet-zbee-security.c:517)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122== 
==7122== Invalid read of size 16
==7122==    at 0xB53CA50: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB523AA9: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB521685: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB516D7D: gcry_cipher_encrypt (in
/lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0x700B4DC: zbee_sec_ccm_decrypt (packet-zbee-security.c:975)
==7122==    by 0x700B90B: zbee_sec_decrypt_payload (packet-zbee-security.c:831)
==7122==    by 0x700BD08: dissect_zbee_secure (packet-zbee-security.c:699)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==  Address 0x142e1936 is 18 bytes after a block of size 36 alloc'd
==7122==    at 0x4C2BBA0: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7122==    by 0xA0CC799: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4400.1)
==7122==    by 0x7309C6B: wmem_simple_alloc (wmem_allocator_simple.c:55)
==7122==    by 0x67DC918: tvb_memdup (tvbuff.c:829)
==7122==    by 0x700BA7D: dissect_zbee_secure (packet-zbee-security.c:517)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122== 
==7122== Invalid read of size 16
==7122==    at 0xB53CA5E: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB523AA9: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB521685: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB516D7D: gcry_cipher_encrypt (in
/lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0x700B4DC: zbee_sec_ccm_decrypt (packet-zbee-security.c:975)
==7122==    by 0x700B90B: zbee_sec_decrypt_payload (packet-zbee-security.c:831)
==7122==    by 0x700BD08: dissect_zbee_secure (packet-zbee-security.c:699)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==  Address 0x142e1946 is 22 bytes after a block of size 48 in arena
"client"
==7122== 
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x4C31CB1: __memcmp_sse4_1 (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7122==    by 0x700B7A0: zbee_sec_ccm_decrypt (packet-zbee-security.c:1096)
==7122==    by 0x700B90B: zbee_sec_decrypt_payload (packet-zbee-security.c:831)
==7122==    by 0x700BD08: dissect_zbee_secure (packet-zbee-security.c:699)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122== 
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x700BD0D: dissect_zbee_secure (packet-zbee-security.c:702)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==    by 0x6A4A1D2: dissect_ethertype (packet-ethertype.c:306)
==7122==    by 0x67ACC6E: call_dissector_through_handle (packet.c:618)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122== 
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x700BD19: dissect_zbee_secure (packet-zbee-security.c:698)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==    by 0x6A4A1D2: dissect_ethertype (packet-ethertype.c:306)
==7122==    by 0x67ACC6E: call_dissector_through_handle (packet.c:618)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122== 
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x700BD52: dissect_zbee_secure (packet-zbee-security.c:721)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==    by 0x6A4A1D2: dissect_ethertype (packet-ethertype.c:306)
==7122==    by 0x67ACC6E: call_dissector_through_handle (packet.c:618)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122== 
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x4C31CB1: __memcmp_sse4_1 (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7122==    by 0x700B7A0: zbee_sec_ccm_decrypt (packet-zbee-security.c:1096)
==7122==    by 0x700B90B: zbee_sec_decrypt_payload (packet-zbee-security.c:831)
==7122==    by 0x700BD80: dissect_zbee_secure (packet-zbee-security.c:722)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122== 
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x700BD85: dissect_zbee_secure (packet-zbee-security.c:725)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==    by 0x6A4A1D2: dissect_ethertype (packet-ethertype.c:306)
==7122==    by 0x67ACC6E: call_dissector_through_handle (packet.c:618)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122== 
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x700BD91: dissect_zbee_secure (packet-zbee-security.c:721)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==    by 0x6A4A1D2: dissect_ethertype (packet-ethertype.c:306)
==7122==    by 0x67ACC6E: call_dissector_through_handle (packet.c:618)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122== 
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x700BF1E: dissect_zbee_secure (packet-zbee-security.c:744)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==    by 0x6A4A1D2: dissect_ethertype (packet-ethertype.c:306)
==7122==    by 0x67ACC6E: call_dissector_through_handle (packet.c:618)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)


You are receiving this mail because:
  • You are watching all bug changes.