Bug 154589 - Malformed IAX2 packet crashes ethereal
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: ethereal
Version: 3
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Radek Vokal
Reported: 2005-04-12 16:38 EDT by Armijn Hemel
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-04-27 05:04:26 EDT


Attachments
ethereal dump file with malformed IAX2 packet that crashes ethereal (96 bytes, application/octet-stream)
2005-04-12 16:43 EDT, Armijn Hemel
Mono program to generate faulty IAX2 packet that crashes Ethereal (789 bytes, text/plain)
2005-04-12 16:45 EDT, Armijn Hemel

Description Armijn Hemel 2005-04-12 16:38:36 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Description of problem:
I'm poking around a bit in the IAX protocol and one of the things I do is send
packets to Asterisk to see how it responds. One of the packets I send is malformed
on purpose, but this has as a side effect that after sniffing with ethereal when I want to open it Ethereal crashes with:

** ERROR **: file proto.c: line 607 (get_uint_value): should not be reached
aborting...


Version-Release number of selected component (if applicable):
ethereal-0.10.10-1.FC3.1

How reproducible:
Always

Steps to Reproduce:
1. launch asterisk on a server
2. let a program send a malformed IAX2 packet (full frame, new conversation, with a malformed IAX information element)
3. sniff the traffic with Ethereal
4. click on the packet in ethereal-gnome and see the program crash
  

Actual Results:  Ethereal crashes with:

** ERROR **: file proto.c: line 607 (get_uint_value): should not be reached
aborting...


Expected Results:  I expected Ethereal not to crash, but to display the packet's content.

Additional info:

This is probably a bug in the IAX2 plugin. It's not specific to Linux, I can also let it crash on FreeBSD. I will add a Mono program I used to generate the packet,
as well as the packet itself in ethereal dump format.
Comment 1 Armijn Hemel 2005-04-12 16:43:05 EDT
Created attachment 113057
ethereal dump file with malformed IAX2 packet that crashes ethereal

This file contains the packet that crashes ethereal. As said in the bug report
it is malformed on purpose to see how Asterisk reacts. After the header of the
packet there is an information element. The first byte in the information
element says the data is about which "capabilities" (codecs) the source program
can do, the second byte describes the length of the data, but there is no
actual data in the packet itself.
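
Added example (not part of the bug report, its attachments or Ethereal's source): a bounds-checked walk over IAX2 information elements that rejects an element like the one described above, where the length byte promises data the packet does not contain. The function name, status codes and both sample frames are constructed for illustration; the 12-byte full-frame header and the 4-octet CAPABILITY element (type 0x08) are taken from RFC 5456.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IAX2_FULL_HDR_LEN 12   /* full-frame header size (RFC 5456) */
#define IAX_IE_CAPABILITY 0x08 /* codec capability bitmask, 4 octets (RFC 5456) */

enum ie_status { IE_OK = 0, IE_TRUNCATED = -1, IE_BAD_WIDTH = -2 };

/* Walk the IEs after a full-frame header. Returns IE_OK and the IE count,
 * or a negative status at the first element whose length cannot be trusted. */
static int iax2_walk_ies(const uint8_t *pkt, size_t len, size_t *count)
{
    size_t off = IAX2_FULL_HDR_LEN;
    *count = 0;
    if (len < IAX2_FULL_HDR_LEN)
        return IE_TRUNCATED;
    while (off < len) {
        if (len - off < 2)                /* no room for type + length */
            return IE_TRUNCATED;
        uint8_t type = pkt[off];
        uint8_t dlen = pkt[off + 1];
        if ((size_t)dlen > len - off - 2) /* length points past the end */
            return IE_TRUNCATED;
        if (type == IAX_IE_CAPABILITY && dlen != 4)
            return IE_BAD_WIDTH;          /* integer IE with wrong width */
        /* only here is it safe to read pkt[off + 2 .. off + 2 + dlen) */
        off += 2 + (size_t)dlen;
        (*count)++;
    }
    return IE_OK;
}

/* Constructed sample: NEW full frame, CAPABILITY IE claims 4 bytes, none present. */
static const uint8_t malformed[] = {
    0x80, 0x01, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x06, 0x01,  IAX_IE_CAPABILITY, 0x04
};
/* Constructed sample: the same frame with the 4 data bytes present. */
static const uint8_t wellformed[] = {
    0x80, 0x01, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x06, 0x01,  IAX_IE_CAPABILITY, 0x04, 0x00, 0x00, 0x00, 0x04
};
int main(void)
{
    size_t n;
    printf("malformed:  %d\n", iax2_walk_ies(malformed, sizeof malformed, &n));
    printf("wellformed: %d\n", iax2_walk_ies(wellformed, sizeof wellformed, &n));
    return 0;
}
```
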
Comment 2 Armijn Hemel 2005-04-12 16:45:43 EDT
Created attachment 113058
Mono program to generate faulty IAX2 packet that crashes Ethereal

The attached program (written in C#, run it with Mono) sends a faulty packet to
an Asterisk server. Before running it the IP address of the server should be
changed (now 10.0.0.152). Don't look at the rest of the code, it's pretty ugly
and not for production use ;-)) (and that's an understatement!). If C# is not
your cup of tea, it is trivial to rewrite it to any other language.
Comment 3 Armijn Hemel 2005-04-13 10:42:45 EDT
The latest subversion version of Ethereal contains a patch that "fixes" this
bug. Even though there is a "dissector bug", it is workable. I think this bug
can be lowered from "high" to "normal".
Comment 4 Radek Vokal 2005-04-27 05:04:26 EDT
There's a new ethereal version coming out soon, the fix will be included there.
