https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15414

            Bug ID: 15414
           Summary: tshark segvs when combining smb2 fields in read filter
           Product: Wireshark
           Version: Git
          Hardware: x86-64
                OS: Ubuntu
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: TShark
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: magnus.h...@usit.uio.no
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.9.1 (v2.9.1rc0-336-gd6b187e4)

Copyright 1998-2019 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), without libnl,
with GLib 2.56.3, with zlib 1.2.11, without SMI, without c-ares, without Lua,
without GnuTLS, with Gcrypt 1.8.1, without Kerberos, without MaxMind DB
resolver, without nghttp2, without LZ4, without Snappy, without libxml2.

Running on Linux 4.15.0-43-generic, with Intel(R) Xeon(R) Gold 6154 CPU @
3.00GHz (with SSE4.2), with 385589 MB of physical memory, with locale
en_US.UTF-8, with libpcap version 1.8.1, with Gcrypt 1.8.1, with zlib 1.2.11,
binary plugins supported (0 loaded).

Built using gcc 7.3.0.

--
Capture data:
tcpdump -i eno2np1 host $smbserver and port 445 -s 65535 -w $(date '+%Y%m%d_%H%M%S').pcap

tshark -r cap.pcap -Tfields -e smb2.msg_id -R "(smb2.nt_status == STATUS_PENDING) and (smb2.cmd == Create)" -2

ASAN:DEADLYSIGNAL
=================================================================
==64350==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7fa52687bebb bp 0x7ffed8425c30 sp 0x7ffed8425c10 T0)
==64350==The signal is caused by a READ memory access.
==64350==Hint: address points to the zero page.
    #0 0x7fa52687beba in compute_offset /data/wireshark/epan/tvbuff.c:237
    #1 0x7fa52687c320 in check_offset_length_no_exception /data/wireshark/epan/tvbuff.c:307
    #2 0x7fa52687e731 in ensure_contiguous_no_exception /data/wireshark/epan/tvbuff.c:758
    #3 0x7fa52687eab2 in ensure_contiguous /data/wireshark/epan/tvbuff.c:793
    #4 0x7fa52687f644 in tvb_get_ptr /data/wireshark/epan/tvbuff.c:914
    #5 0x7fa5268473b0 in fragment_add_work /data/wireshark/epan/reassemble.c:1288
    #6 0x7fa526847d2b in fragment_add_common /data/wireshark/epan/reassemble.c:1501
    #7 0x7fa526847d90 in fragment_add /data/wireshark/epan/reassemble.c:1521
    #8 0x7fa527c43451 in desegment_tcp /data/wireshark/epan/dissectors/packet-tcp.c:3223
    #9 0x7fa527c50d98 in dissect_tcp_payload /data/wireshark/epan/dissectors/packet-tcp.c:5865
    #10 0x7fa527c58b18 in dissect_tcp /data/wireshark/epan/dissectors/packet-tcp.c:6710
    #11 0x7fa5267b9ea0 in call_dissector_through_handle /data/wireshark/epan/packet.c:706
    #12 0x7fa5267ba406 in call_dissector_work /data/wireshark/epan/packet.c:791
    #13 0x7fa5267bc7da in dissector_try_uint_new /data/wireshark/epan/packet.c:1383
    #14 0x7fa5272b4cd2 in ip_try_dissect /data/wireshark/epan/dissectors/packet-ip.c:1832
    #15 0x7fa5272b86a5 in dissect_ip_v4 /data/wireshark/epan/dissectors/packet-ip.c:2289
    #16 0x7fa5267b9ea0 in call_dissector_through_handle /data/wireshark/epan/packet.c:706
    #17 0x7fa5267ba406 in call_dissector_work /data/wireshark/epan/packet.c:791
    #18 0x7fa5267bc7da in dissector_try_uint_new /data/wireshark/epan/packet.c:1383
    #19 0x7fa5267bc871 in dissector_try_uint /data/wireshark/epan/packet.c:1407
    #20 0x7fa526f806fc in dissect_ethertype /data/wireshark/epan/dissectors/packet-ethertype.c:261
    #21 0x7fa5267b9ea0 in call_dissector_through_handle /data/wireshark/epan/packet.c:706
    #22 0x7fa5267ba406 in call_dissector_work /data/wireshark/epan/packet.c:791
    #23 0x7fa5267c2639 in call_dissector_only /data/wireshark/epan/packet.c:3141
    #24 0x7fa5267c267c in call_dissector_with_data /data/wireshark/epan/packet.c:3154
    #25 0x7fa527dd5f1d in dissect_vlan /data/wireshark/epan/dissectors/packet-vlan.c:350
    #26 0x7fa5267b9ea0 in call_dissector_through_handle /data/wireshark/epan/packet.c:706
    #27 0x7fa5267ba406 in call_dissector_work /data/wireshark/epan/packet.c:791
    #28 0x7fa5267bc7da in dissector_try_uint_new /data/wireshark/epan/packet.c:1383
    #29 0x7fa5267bc871 in dissector_try_uint /data/wireshark/epan/packet.c:1407
    #30 0x7fa526f806fc in dissect_ethertype /data/wireshark/epan/dissectors/packet-ethertype.c:261
    #31 0x7fa5267b9ea0 in call_dissector_through_handle /data/wireshark/epan/packet.c:706
    #32 0x7fa5267ba406 in call_dissector_work /data/wireshark/epan/packet.c:791
    #33 0x7fa5267c2639 in call_dissector_only /data/wireshark/epan/packet.c:3141
    #34 0x7fa5267c267c in call_dissector_with_data /data/wireshark/epan/packet.c:3154
    #35 0x7fa526f7e27d in dissect_eth_common /data/wireshark/epan/dissectors/packet-eth.c:527
    #36 0x7fa526f7f482 in dissect_eth /data/wireshark/epan/dissectors/packet-eth.c:803
    #37 0x7fa5267b9ea0 in call_dissector_through_handle /data/wireshark/epan/packet.c:706
    #38 0x7fa5267ba406 in call_dissector_work /data/wireshark/epan/packet.c:791
    #39 0x7fa5267bc7da in dissector_try_uint_new /data/wireshark/epan/packet.c:1383
    #40 0x7fa527005841 in dissect_frame /data/wireshark/epan/dissectors/packet-frame.c:580
    #41 0x7fa5267b9ea0 in call_dissector_through_handle /data/wireshark/epan/packet.c:706
    #42 0x7fa5267ba406 in call_dissector_work /data/wireshark/epan/packet.c:791
    #43 0x7fa5267c2639 in call_dissector_only /data/wireshark/epan/packet.c:3141
    #44 0x7fa5267c267c in call_dissector_with_data /data/wireshark/epan/packet.c:3154
    #45 0x7fa5267b8750 in dissect_record /data/wireshark/epan/packet.c:580
    #46 0x7fa52679d5ad in epan_dissect_run /data/wireshark/epan/epan.c:537
    #47 0x559225668e0c in process_packet_first_pass /data/wireshark/tshark.c:2927
    #48 0x559225669eec in process_cap_file /data/wireshark/tshark.c:3153
    #49 0x559225665cc7 in main /data/wireshark/tshark.c:2026
    #50 0x7fa51e66eb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #51 0x559225659029 in _start (/data/wireshark-build3-debug/run/tshark+0x30029)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /data/wireshark/epan/tvbuff.c:237 in compute_offset
==64350==ABORTING

Both
tshark -r cap.pcap -Tfields -e smb2.msg_id -R "(smb2.nt_status == STATUS_PENDING)" -2

and

tshark -r cap.pcap -Tfields -e smb2.msg_id -R "(smb2.cmd == Create)" -2

run as expected. It's the combination that makes tshark segfault.
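The reporter's triage method (each read filter on its own, then the combination) is easy to turn into a repeatable check that can be re-run against a fixed build. The POSIX sh harness below is an added example and is not part of the bug report or of Wireshark; it assumes `tshark` is on PATH and the capture is `cap.pcap` (both overridable through the `TSHARK` and `PCAP` environment variables), and uses the two filters from the report. It also handles the AddressSanitizer case visible in the report: an ASAN build prints its report and, by default, exits with status 1 instead of dying from the signal, so the exit status alone would not say "crash".

```shell
#!/bin/sh
# Added triage harness (not part of the bug report or of Wireshark): runs each
# read filter alone and then the combined filter, and classifies how each
# tshark run ended.
# Assumptions: tshark is on PATH and the capture is cap.pcap; both can be
# overridden through the TSHARK and PCAP environment variables.

TSHARK="${TSHARK:-tshark}"
PCAP="${PCAP:-cap.pcap}"

# Map an exit status to a verdict. A process killed by a signal exits with
# 128 + signal number: 139 is SIGSEGV, 134 is SIGABRT.
classify_exit() {
    case "$1" in
        0)   echo "ok" ;;
        134) echo "abort" ;;
        139) echo "segfault" ;;
        *)   echo "exit-$1" ;;
    esac
}

# Run one two-pass read filter with the same tshark options as the report and
# print a verdict. An ASAN build reports the fault on stderr and exits with
# status 1 by default, so stderr is checked for the ASAN banner as well.
run_case() {
    errlog=$(mktemp)
    status=0
    "$TSHARK" -r "$PCAP" -Tfields -e smb2.msg_id -R "$1" -2 \
        >/dev/null 2>"$errlog" || status=$?
    if grep -q 'AddressSanitizer:' "$errlog"; then
        verdict="asan(exit $status)"
    else
        verdict=$(classify_exit "$status")
    fi
    rm -f "$errlog"
    echo "$verdict"
}

# Run filter A, filter B and "(A) and (B)", printing one line per case, so a
# crash that only appears for the combination stands out.
triage_pair() {
    a="$1"
    b="$2"
    printf '%-55s %s\n' "$a" "$(run_case "$a")"
    printf '%-55s %s\n' "$b" "$(run_case "$b")"
    printf '%-55s %s\n' "($a) and ($b)" "$(run_case "($a) and ($b)")"
}

# The two filters from the report.
triage_pair 'smb2.nt_status == STATUS_PENDING' 'smb2.cmd == Create'
```

On the build in the report the expected output is "ok" for the two single filters and "asan(exit 1)" (or "segfault" on a non-ASAN build) for the combined line; after a fix all three lines should read "ok", which makes the script usable as a regression check.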

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs