Bug 154589

Summary: Malformed IAX2 packet crashes ethereal
Product: [Fedora] Fedora
Reporter: Armijn Hemel <armijn>
Component: ethereal
Assignee: Radek Vokál <rvokal>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: 3
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-04-27 09:04:26 UTC
Attachments:
- ethereal dump file with malformed IAX2 packet that crashes ethereal (flags: none)
- Mono program to generate faulty IAX2 packet that crashes Ethereal (flags: none)

Description Armijn Hemel 2005-04-12 20:38:36 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Description of problem:
I'm poking around a bit in the IAX protocol, and one of the things I do is send
packets to Asterisk to see how it responds. One of the packets I send is malformed
on purpose, but this has the side effect that, after sniffing with Ethereal, when I want to open it Ethereal crashes with:

** ERROR **: file proto.c: line 607 (get_uint_value): should not be reached
aborting...


Version-Release number of selected component (if applicable):
ethereal-0.10.10-1.FC3.1

How reproducible:
Always

Steps to Reproduce:
1. Launch Asterisk on a server
2. Let a program send a malformed IAX2 packet (full frame, new conversation, with a malformed IAX information element)
3. Sniff the traffic with Ethereal
4. Click on the packet in ethereal-gnome and see the program crash
  

Actual Results:  Ethereal crashes with:

** ERROR **: file proto.c: line 607 (get_uint_value): should not be reached
aborting...


Expected Results:  I expected Ethereal not to crash, but to display the packet's content.

Additional info:

This is probably a bug in the IAX2 plugin. It's not specific to Linux; I can also make it crash on FreeBSD. I will add a Mono program I used to generate the packet,
as well as the packet itself in ethereal dump format.

Comment 1 Armijn Hemel 2005-04-12 20:43:05 UTC
Created attachment 113057 [details]
ethereal dump file with malformed IAX2 packet that crashes ethereal

This file contains the packet that crashes ethereal. As said in the bug report,
it is malformed on purpose to see how Asterisk reacts. After the header of the
packet there is an information element. The first byte in the information
element says the data is about which "capabilities" (codecs) the source program
can do, the second byte describes the length of the data, but there is no actual
data in the packet itself.
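
The bounds check that the malformed information element described in this comment calls for, as an added example (not part of the original report and not Ethereal's code): a walker that rejects any element whose declared length exceeds the bytes left in the packet. The function and struct names, the sample bytes and the type value 0x08 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of walking the information elements (IEs) that follow the frame header. */
typedef struct {
    int    ok;         /* 1 if every IE fit inside the buffer, 0 otherwise */
    size_t ie_count;   /* number of complete IEs seen before stopping */
    size_t bad_offset; /* offset of the first truncated IE (valid when ok == 0) */
} ie_walk_result;

/* Walk type/length/data IEs in buf[0..len). Each IE is one type byte,
 * one length byte, then `length` data bytes. Nothing is read past len. */
ie_walk_result walk_ies(const uint8_t *buf, size_t len)
{
    ie_walk_result r = { 1, 0, 0 };
    size_t off = 0;

    while (off < len) {
        /* Both the type and the length byte must be present. */
        if (len - off < 2) { r.ok = 0; r.bad_offset = off; return r; }
        size_t declared = buf[off + 1];
        /* The declared length must fit in what is actually left. */
        if (declared > len - off - 2) { r.ok = 0; r.bad_offset = off; return r; }
        r.ie_count++;
        off += 2 + declared;
    }
    return r;
}

/* Constructed sample data, IE portion only. 0x08 stands in for the
 * "capabilities" IE type; that value is an assumption, not from the report. */
static const uint8_t truncated_ie[] = { 0x08, 0x04 };  /* claims 4 bytes, has none */
static const uint8_t complete_ie[]  = { 0x08, 0x04, 0x00, 0x00, 0x00, 0x04 };

int main(void)
{
    ie_walk_result a = walk_ies(truncated_ie, sizeof truncated_ie);
    ie_walk_result b = walk_ies(complete_ie, sizeof complete_ie);
    printf("truncated: ok=%d ies=%zu bad_offset=%zu\n", a.ok, a.ie_count, a.bad_offset);
    printf("complete:  ok=%d ies=%zu\n", b.ok, b.ie_count);
    return 0;
}
```

A dissector that gets `ok == 0` back can mark the element as malformed and keep displaying the rest of the packet instead of handing the missing data to a field decoder.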

Comment 2 Armijn Hemel 2005-04-12 20:45:43 UTC
Created attachment 113058 [details]
Mono program to generate faulty IAX2 packet that crashes Ethereal

The attached program (written in C#, run it with Mono) sends a faulty packet to
an Asterisk server. Before running it the IP address of the server should be
changed (now 10.0.0.152). Don't look at the rest of the code, it's pretty ugly
and not for production use ;-)) (and that's an understatement!). If C# is not
your cup of tea, it is trivial to rewrite it to any other language.

Comment 3 Armijn Hemel 2005-04-13 14:42:45 UTC
The latest subversion version of Ethereal contains a patch that "fixes" this
bug. Even though there is a "dissector bug", it is workable. I think this bug
can be lowered from "high" to "normal".

Comment 4 Radek Vokál 2005-04-27 09:04:26 UTC
There's a new ethereal version coming out soon, the fix will be included there.