0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Wireshark - dissect_nbap_MACdPDU_Size SIGSEGV
Author
Risk
[
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
Source: https://code.google.com/p/google-security-research/issues/detail?id=652 The following SIGSEGV crash due to an invalid memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"): --- cut --- ==31034==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc24e20fa84 (pc 0x7fbe445bb082 bp 0x7fff030fefb0 sp 0x7fff030fef00 T0) #0 0x7fbe445bb081 in dissect_nbap_MACdPDU_Size wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1622:79 #1 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12 #2 0x7fbe445c760d in dissect_nbap_HSDSCH_Initial_Capacity_AllocationItem wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1650:12 #3 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10 #4 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9 #5 0x7fbe445c7569 in dissect_nbap_HSDSCH_Initial_Capacity_Allocation wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1663:12 #6 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12 #7 0x7fbe445da43d in dissect_nbap_CommonMACFlow_Specific_InfoItem_Response wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1682:12 #8 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10 #9 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9 #10 0x7fbe445da399 in dissect_nbap_CommonMACFlow_Specific_InfoList_Response wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1695:12 #11 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12 #12 0x7fbe445da2bd in dissect_nbap_HSDSCH_Common_System_Information_ResponseFDD wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:2120:12 #13 0x7fbe44546230 in dissect_HSDSCH_Common_System_Information_ResponseFDD_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:2430:12 #14 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #15 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9 #16 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9 #17 0x7fbe4456f40e in dissect_ProtocolExtensionFieldExtensionValue wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:320:11 #18 0x7fbe433addf0 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:242:5 #19 0x7fbe433ae10d in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:263:9 #20 0x7fbe4456f370 in dissect_nbap_T_extensionValue wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:200:12 #21 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12 #22 0x7fbe4456f12d in dissect_nbap_ProtocolExtensionField wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:215:12 #23 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10 #24 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9 #25 0x7fbe4456ef09 in dissect_nbap_ProtocolExtensionContainer wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:228:12 #26 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12 #27 0x7fbe445f23bf in dissect_nbap_CommonMeasurementInitiationRequest wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:263:12 #28 0x7fbe445644d0 in dissect_CommonMeasurementInitiationRequest_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:5030:12 #29 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #30 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9 #31 0x7fbe41b3802d in dissector_try_string wireshark/epan/packet.c:1443:9 #32 0x7fbe4456e3ce in dissect_InitiatingMessageValue wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:326:11 #33 0x7fbe433addf0 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:242:5 #34 0x7fbe433ae10d in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:263:9 #35 0x7fbe4456df10 in dissect_nbap_InitiatingMessage_value wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:702:12 #36 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12 #37 0x7fbe4456d91d in dissect_nbap_InitiatingMessage wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:719:12 #38 0x7fbe433cc861 in dissect_per_choice wireshark/epan/dissectors/packet-per.c:1714:13 #39 0x7fbe4456d881 in dissect_nbap_NBAP_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:825:12 #40 0x7fbe4456d740 in dissect_NBAP_PDU_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:8430:12 #41 0x7fbe444e889b in dissect_nbap wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:457:9 #42 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #43 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9 #44 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9 #45 0x7fbe4378f98b in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9 #46 0x7fbe43786b88 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16 #47 0x7fbe4377fd99 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14 #48 0x7fbe4377cd03 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9 #49 0x7fbe4377acdf in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3 #50 0x7fbe43778cba in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3 #51 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #52 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9 #53 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9 #54 0x7fbe428455f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11 #55 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8 #56 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9 #57 0x7fbe41b402be in call_dissector_only wireshark/epan/packet.c:2662:8 #58 0x7fbe41b31ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8 #59 0x7fbe41b3133b in dissect_record wireshark/epan/packet.c:501:3 #60 0x7fbe41adf3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2 #61 0x5264eb in process_packet wireshark/tshark.c:3728:5 #62 0x51f960 in load_cap_file wireshark/tshark.c:3484:11 #63 0x515daf in main wireshark/tshark.c:2197:13 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1622:79 in dissect_nbap_MACdPDU_Size ==31034==ABORTING --- cut --- The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11815. Attached are three files which trigger the crash. Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38999.zip # 0day.today [2024-12-24] #