Bug 1219409 (CVE-2015-3182) - CVE-2015-3182 wireshark: crash on sample file genbroad.snoop
Summary: CVE-2015-3182 wireshark: crash on sample file genbroad.snoop
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3182
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1219410 1245763
Blocks: 1210268 1268749
Reported: 2015-05-07 09:20 UTC by Martin Prpič
Modified: 2021-08-04 13:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-20 04:51:05 UTC
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2015:2393
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: wireshark security, bug fix, and enhancement update
Last Updated: 2015-11-19 11:03:11 UTC

Description Martin Prpič 2015-05-07 09:20:32 UTC
It was found that Wireshark crashes when processing (with "tshark -nr genbroad.snoop") a sample file from the Wireshark wiki page:

wget 'http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=genbroad.snoop' -O genbroad.snoop

Additional details:

* crash reason: strlen() called on invalid pointer (value 0x56998680 == 1452902016)
* the function set_dnet_address at packet-dec-dnart.c:355
* it is called 4 times
* the 2nd time is the one when the value is set
* the variable is called addr in the context of /epan/dissectors/packet-dec-dnart.c:357, function set_dnet_address
* the variable is called pinfo->src->data in the upper frames
* in this function, this macro modifies the value:
SET_ADDRESS(paddr_tgt, AT_STRINGZ, 1,
wmem_strdup(pinfo->pool, addr));
* it should set paddr_tgt->data = addr, but the value gets garbled by the cltq instruction:
..
|0x7ffff4d85522 dnet_address+50> callq 0x7ffff4b0d4b0 <wmem_strdup@plt>
|0x7ffff4d85527 dnet_address+55> cltq
..

Acknowledgements:

This issue was discovered by Martin Žember of Red Hat.

Comment 1 Martin Prpič 2015-05-07 09:20:59 UTC
Created wireshark tracking bugs for this issue:

Affects: fedora-all [bug 1219410]

Comment 3 Guy Harris 2015-05-26 23:16:10 UTC
This bug is due to a failure by the epan/dissectors/packet-dec-dnart.c dissector to include the <epan/wmem/wmem.h> header to properly declare the wmem_strdup() routine as returning a pointer, so, on LP64 platforms, its 64-bit pointer result gets shortened to an int and then widened back to a pointer.

This bug should not exist in Wireshark 1.12.x, for all values of x, as the change that introduced the call to wmem_strdup() in packet-dec-dnart.c also added an include of <epan/wmem/wmem.h>.

However, it *does* exist in 1.10.x, for at least some values of x, as, when the change in question was backported, the include was *not* added.

I have checked in a change to fix this:

    https://code.wireshark.org/review/8661

That fix, along with

    https://code.wireshark.org/review/8660

which is a fix for *another* problem revealed by compiling with -Werror (-Werror is your friend!), and possibly other fixes I check in as I fix more -Werror-detected problems, should be in the next 1.10.x Wireshark release, which should be 1.10.15.  It has not yet been scheduled.

If you want to pick up individual fixes, go ahead.
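Added illustration (not code from the bug report or from Wireshark) of the mechanism comment 3 describes: with no prototype for wmem_strdup() in scope, the caller keeps only the low 32 bits of the returned pointer and sign-extends them (cltq) on LP64. The sample addresses are constructed except where marked as taken from the description.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the root cause: without a prototype in scope, the caller assumes
 * wmem_strdup() returns 'int'. On LP64 x86-64 it therefore keeps only the
 * low 32 bits of the returned pointer (eax) and widens them back to 64 bits
 * with sign extension, which is what the cltq instruction does. */
static uint64_t truncate_and_widen(uint64_t ptr)
{
    int32_t as_int = (int32_t)(uint32_t)ptr;  /* keep eax: low 32 bits   */
    int64_t widened = (int64_t)as_int;        /* cltq: sign-extend to rax */
    return (uint64_t)widened;
}

/* 1 if an allocation at this address would survive the missing prototype.
 * Only addresses below 2 GiB round-trip, which is why the crash depends on
 * where the allocator happens to place the string. */
static int survives_missing_prototype(uint64_t ptr)
{
    return truncate_and_widen(ptr) == ptr;
}

int main(void)
{
    /* Constructed sample addresses; only the first is a value that appears
     * in the report (the call site in the disassembly). */
    const uint64_t samples[] = {
        0x7ffff4d85522ULL,     /* from the disassembly in the description */
        0x00007f8256998680ULL, /* hypothetical: yields the reported 0x56998680 */
        0x0000000001a2b3c0ULL, /* low heap address, survives */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t got = truncate_and_widen(samples[i]);
        printf("%#018llx -> %#018llx %s\n",
               (unsigned long long)samples[i], (unsigned long long)got,
               survives_missing_prototype(samples[i]) ? "ok" : "GARBLED");
    }
    return 0;
}
```

Compiling the real dissector with -Werror (as comment 3 recommends) turns the implicit declaration into a build failure instead of a runtime crash.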

Comment 4 Guy Harris 2015-05-26 23:28:48 UTC
(In reply to Guy Harris from comment #3)
> However, it *does* exist in 1.10.x, for at least some values of x

In particular, for x >= 12.

Comment 6 errata-xmlrpc 2015-11-19 12:37:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2393 https://rhn.redhat.com/errata/RHSA-2015-2393.html

