Wireshark-bugs: [Wireshark-bugs] [Bug 11389] Segmentation fault on malformed ZigBee packet
Date: Wed, 22 Jul 2015 21:33:27 +0000
Pascal Quantin changed bug 11389
What | Removed | Added |
---|---|---|
CC | pascal.quantin@gmail.com |
Comment #2 on bug 11389 from Pascal Quantin
Even if it does not crash on your PC, the ZigBee decrypting code is still doing nasty things on packet 141, which could lead to a crash depending on the machine used:

==7122== Invalid read of size 16
==7122==    at 0xB53CA36: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB523AA9: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB521685: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB516D7D: gcry_cipher_encrypt (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0x700B4DC: zbee_sec_ccm_decrypt (packet-zbee-security.c:975)
==7122==    by 0x700B90B: zbee_sec_decrypt_payload (packet-zbee-security.c:831)
==7122==    by 0x700BD08: dissect_zbee_secure (packet-zbee-security.c:699)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==  Address 0x142e1916 is 22 bytes inside a block of size 36 alloc'd
==7122==    at 0x4C2BBA0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7122==    by 0xA0CC799: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4400.1)
==7122==    by 0x7309C6B: wmem_simple_alloc (wmem_allocator_simple.c:55)
==7122==    by 0x67DC918: tvb_memdup (tvbuff.c:829)
==7122==    by 0x700BA7D: dissect_zbee_secure (packet-zbee-security.c:517)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==
==7122== Invalid read of size 16
==7122==    at 0xB53CA42: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB523AA9: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB521685: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB516D7D: gcry_cipher_encrypt (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0x700B4DC: zbee_sec_ccm_decrypt (packet-zbee-security.c:975)
==7122==    by 0x700B90B: zbee_sec_decrypt_payload (packet-zbee-security.c:831)
==7122==    by 0x700BD08: dissect_zbee_secure (packet-zbee-security.c:699)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==  Address 0x142e1926 is 2 bytes after a block of size 36 alloc'd
==7122==    at 0x4C2BBA0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7122==    by 0xA0CC799: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4400.1)
==7122==    by 0x7309C6B: wmem_simple_alloc (wmem_allocator_simple.c:55)
==7122==    by 0x67DC918: tvb_memdup (tvbuff.c:829)
==7122==    by 0x700BA7D: dissect_zbee_secure (packet-zbee-security.c:517)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==
==7122== Invalid read of size 16
==7122==    at 0xB53CA50: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB523AA9: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB521685: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB516D7D: gcry_cipher_encrypt (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0x700B4DC: zbee_sec_ccm_decrypt (packet-zbee-security.c:975)
==7122==    by 0x700B90B: zbee_sec_decrypt_payload (packet-zbee-security.c:831)
==7122==    by 0x700BD08: dissect_zbee_secure (packet-zbee-security.c:699)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==  Address 0x142e1936 is 18 bytes after a block of size 36 alloc'd
==7122==    at 0x4C2BBA0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7122==    by 0xA0CC799: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4400.1)
==7122==    by 0x7309C6B: wmem_simple_alloc (wmem_allocator_simple.c:55)
==7122==    by 0x67DC918: tvb_memdup (tvbuff.c:829)
==7122==    by 0x700BA7D: dissect_zbee_secure (packet-zbee-security.c:517)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==
==7122== Invalid read of size 16
==7122==    at 0xB53CA5E: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB523AA9: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB521685: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0xB516D7D: gcry_cipher_encrypt (in /lib/x86_64-linux-gnu/libgcrypt.so.20.0.2)
==7122==    by 0x700B4DC: zbee_sec_ccm_decrypt (packet-zbee-security.c:975)
==7122==    by 0x700B90B: zbee_sec_decrypt_payload (packet-zbee-security.c:831)
==7122==    by 0x700BD08: dissect_zbee_secure (packet-zbee-security.c:699)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==  Address 0x142e1946 is 22 bytes after a block of size 48 in arena "client"
==7122==
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x4C31CB1: __memcmp_sse4_1 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7122==    by 0x700B7A0: zbee_sec_ccm_decrypt (packet-zbee-security.c:1096)
==7122==    by 0x700B90B: zbee_sec_decrypt_payload (packet-zbee-security.c:831)
==7122==    by 0x700BD08: dissect_zbee_secure (packet-zbee-security.c:699)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x700BD0D: dissect_zbee_secure (packet-zbee-security.c:702)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==    by 0x6A4A1D2: dissect_ethertype (packet-ethertype.c:306)
==7122==    by 0x67ACC6E: call_dissector_through_handle (packet.c:618)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x700BD19: dissect_zbee_secure (packet-zbee-security.c:698)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==    by 0x6A4A1D2: dissect_ethertype (packet-ethertype.c:306)
==7122==    by 0x67ACC6E: call_dissector_through_handle (packet.c:618)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x700BD52: dissect_zbee_secure (packet-zbee-security.c:721)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==    by 0x6A4A1D2: dissect_ethertype (packet-ethertype.c:306)
==7122==    by 0x67ACC6E: call_dissector_through_handle (packet.c:618)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x4C31CB1: __memcmp_sse4_1 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7122==    by 0x700B7A0: zbee_sec_ccm_decrypt (packet-zbee-security.c:1096)
==7122==    by 0x700B90B: zbee_sec_decrypt_payload (packet-zbee-security.c:831)
==7122==    by 0x700BD80: dissect_zbee_secure (packet-zbee-security.c:722)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x700BD85: dissect_zbee_secure (packet-zbee-security.c:725)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==    by 0x6A4A1D2: dissect_ethertype (packet-ethertype.c:306)
==7122==    by 0x67ACC6E: call_dissector_through_handle (packet.c:618)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x700BD91: dissect_zbee_secure (packet-zbee-security.c:721)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==    by 0x6A4A1D2: dissect_ethertype (packet-ethertype.c:306)
==7122==    by 0x67ACC6E: call_dissector_through_handle (packet.c:618)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==
==7122== Conditional jump or move depends on uninitialised value(s)
==7122==    at 0x700BF1E: dissect_zbee_secure (packet-zbee-security.c:744)
==7122==    by 0x7007FC2: dissect_zbee_nwk_full (packet-zbee-nwk.c:648)
==7122==    by 0x7007FC2: dissect_zbee_nwk (packet-zbee-nwk.c:701)
==7122==    by 0x7009028: dissect_zbee_nwk_heur (packet-zbee-nwk.c:337)
==7122==    by 0x67AEFA9: dissector_try_heuristic (packet.c:2161)
==7122==    by 0x6B6CAC2: dissect_ieee802154_common (packet-ieee802154.c:1137)
==7122==    by 0x67ACC33: call_dissector_through_handle (packet.c:620)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
==7122==    by 0x67ADD8E: dissector_try_uint_new (packet.c:1138)
==7122==    by 0x67ADDD0: dissector_try_uint (packet.c:1164)
==7122==    by 0x6A4A1D2: dissect_ethertype (packet-ethertype.c:306)
==7122==    by 0x67ACC6E: call_dissector_through_handle (packet.c:618)
==7122==    by 0x67AD604: call_dissector_work (packet.c:706)
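Added illustration, not part of the bug report and not Wireshark or libgcrypt code: the four "Invalid read of size 16" reports above show a block cipher being handed whole 16-byte blocks from a 36-byte tvb_memdup buffer, starting 22 bytes in and walking on past its end, followed by a memcmp on memory that was never written. The C below reproduces that shape in reduced form and shows the two checks a dissector needs before calling a block primitive: bound any header-supplied length by the bytes actually captured, and run the trailing partial block through a zero-padded scratch block so the primitive never reads beyond the input. The keystream function is a hypothetical toy stand-in for the AES call (not secure, not libgcrypt), every function name here is invented for the example, and the 36-byte frame with a 14-byte payload at offset 22 is constructed to match the first report's numbers; the real cause in packet-zbee-security.c is not claimed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_LEN 16

/* Hypothetical toy stand-in for the AES-128 block function: derives one
 * 16-byte keystream block from key and counter. NOT secure, NOT libgcrypt. */
static void toy_keystream_block(const uint8_t key[BLOCK_LEN], uint32_t counter,
                                uint8_t out[BLOCK_LEN])
{
    for (size_t i = 0; i < BLOCK_LEN; i++)
        out[i] = (uint8_t)(key[i] ^ (uint8_t)(counter * 0x9Du + i * 0x35u));
}

/* Bytes by which a read of read_len at offset off overruns an allocation of
 * alloc_len bytes (0 when in bounds). This is the arithmetic behind a Valgrind
 * line like "Address ... is 22 bytes inside a block of size 36": a 16-byte
 * read there overruns the block by 2 bytes. */
static size_t read_overrun(size_t alloc_len, size_t off, size_t read_len)
{
    size_t end = off + read_len;
    return end > alloc_len ? end - alloc_len : 0;
}

/* Unsafe pattern, kept only for comparison: trusts claimed_len taken from the
 * packet and always hands the primitive whole blocks. If claimed_len exceeds
 * the buffer, or is not a multiple of BLOCK_LEN, it reads past the end, which
 * is the shape of the "Invalid read of size 16" reports. Never call it on
 * untrusted input; the self-test below only gives it a block-aligned buffer. */
static void ctr_decrypt_unchecked(const uint8_t key[BLOCK_LEN], uint32_t ctr0,
                                  const uint8_t *in, size_t claimed_len,
                                  uint8_t *out)
{
    uint8_t ks[BLOCK_LEN];
    for (size_t off = 0; off < claimed_len; off += BLOCK_LEN) {
        toy_keystream_block(key, ctr0 + (uint32_t)(off / BLOCK_LEN), ks);
        for (size_t i = 0; i < BLOCK_LEN; i++)   /* touches in[off..off+15] */
            out[off + i] = in[off + i] ^ ks[i];   /* even beyond claimed_len */
    }
}

/* Hardened form: rejects a claimed length larger than what was captured, and
 * the primitive only ever sees a full scratch block that holds exactly the
 * n bytes that exist (zero padding for the trailing partial block). */
static int ctr_decrypt_checked(const uint8_t key[BLOCK_LEN], uint32_t ctr0,
                               const uint8_t *in, size_t captured_len,
                               size_t claimed_len, uint8_t *out)
{
    uint8_t ks[BLOCK_LEN], scratch[BLOCK_LEN];
    if (claimed_len > captured_len)
        return -1;                      /* header length vs. real buffer */
    for (size_t off = 0; off < claimed_len; off += BLOCK_LEN) {
        size_t n = claimed_len - off;
        if (n > BLOCK_LEN)
            n = BLOCK_LEN;
        toy_keystream_block(key, ctr0 + (uint32_t)(off / BLOCK_LEN), ks);
        memset(scratch, 0, sizeof scratch);
        memcpy(scratch, in + off, n);   /* copies only the n bytes present */
        for (size_t i = 0; i < n; i++)
            out[off + i] = scratch[i] ^ ks[i];
    }
    return 0;
}

/* Self-check on constructed data: a 36-byte frame like the tvb_memdup block in
 * the report, carrying a 14-byte ciphertext at offset 22. Returns 1 on success. */
static int selftest(void)
{
    static const uint8_t key[BLOCK_LEN] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
        0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
    const char *msg = "ZigBee payload";         /* 14 bytes, constructed */
    uint8_t frame[36], dec[14];
    uint8_t aligned_in[32], a1[32], a2[32];

    memset(frame, 0xA5, sizeof frame);          /* 22 bytes of filler header */
    /* CTR is symmetric: "decrypting" the plaintext encrypts it into the frame. */
    if (ctr_decrypt_checked(key, 1, (const uint8_t *)msg, 14, 14, frame + 22) != 0)
        return 0;
    /* 1. An honest length decrypts back to the plaintext. */
    if (ctr_decrypt_checked(key, 1, frame + 22, 14, 14, dec) != 0) return 0;
    if (memcmp(dec, msg, 14) != 0) return 0;
    /* 2. A header claiming 64 bytes (four 16-byte blocks from offset 22, the
     *    walk the four reports describe) is rejected before any read. */
    if (ctr_decrypt_checked(key, 1, frame + 22, 14, 64, dec) != -1) return 0;
    /* 3. On a block-aligned buffer both loops agree; only the checked one is
     *    safe on the 14-byte tail above. */
    memset(aligned_in, 0x3C, sizeof aligned_in);
    ctr_decrypt_unchecked(key, 7, aligned_in, 32, a1);
    if (ctr_decrypt_checked(key, 7, aligned_in, 32, 32, a2) != 0) return 0;
    return memcmp(a1, a2, 32) == 0;
}

int main(void)
{
    int ok = selftest();
    printf("selftest: %s\n", ok ? "ok" : "FAILED");
    printf("16-byte read at offset 22 of a 36-byte block overruns by %zu bytes\n",
           read_overrun(36, 22, 16));
    return ok ? 0 : 1;
}
```

The length check is the one that matters for a dissector: the captured buffer length (what tvb_memdup actually copied) is the only bound the code controls, and the ciphertext and MIC lengths taken from the frame must be validated against it before any block-wise call.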
- References:
- [Wireshark-bugs] [Bug 11389] New: Segmentation fault on malformed ZigBee packet
- From: bugzilla-daemon