
seg fault in snmp_print () caused by malformed pcap file #436

Closed
geeknik opened this issue Feb 27, 2015 · 3 comments


geeknik commented Feb 27, 2015

This bug was found with afl (http://lcamtuf.coredump.cx/afl). I cloned the git repo (current as of commit ac5b96c) and compiled as follows:

CC=/path/to/afl-gcc ./configure
AFL_HARDEN=1 make -j12

Debian 7, Kernel 2.13-38+deb7u7, GCC 4.9.2, libpcap 1.3.0-1, libc 2.13-38+deb7u7.

GDB:
gdb-peda$ set args -nnr test00
gdb-peda$ r
reading from file test00, link-type SUNATM (Sun raw ATM)
09:40:46.767916 IPX 16515304.3f:55:0a:02:01:01.0000 > 3f550806.00:01:08:00:21:04.0001: ipx-#1 5683
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x840bac3
RCX: 0x0
RDX: 0x8dfeb8b
RSI: 0x0
RDI: 0x0
RBP: 0x14
RSP: 0x7fffffffce60 --> 0x67 ('g')
RIP: 0x5aa533 (<snmp_print+11315>: movzx r8d,BYTE PTR [r14-0x3])
R8 : 0x0
R9 : 0x0
R10: 0x0
R11: 0x0
R12: 0x9f07c0 --> 0x0
R13: 0x22000026 ('&')
R14: 0xa13003
R15: 0x0
EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x5aa525 <snmp_print+11301>: movzx r10d,BYTE PTR [r14+0x3]
0x5aa52a <snmp_print+11306>: add r14,0x8
0x5aa52e <snmp_print+11310>: movzx r11d,BYTE PTR [r14-0x4]
=> 0x5aa533 <snmp_print+11315>: movzx r8d,BYTE PTR [r14-0x3]
0x5aa538 <snmp_print+11320>: movzx ecx,BYTE PTR [r14-0x2]
0x5aa53d <snmp_print+11325>: movzx r15d,BYTE PTR [r14-0x1]
0x5aa542 <snmp_print+11330>: or eax,esi
0x5aa544 <snmp_print+11332>: shl eax,0x8
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffce60 --> 0x67 ('g')
0008| 0x7fffffffce68 --> 0x5a7922 (<snmp_print+34>: mov rax,QWORD PTR [rsp+0x10])
0016| 0x7fffffffce70 --> 0x840bac3
0024| 0x7fffffffce78 --> 0x63638a --> 0x72705f6c6c614300 ('')
0032| 0x7fffffffce80 --> 0x400000002
0040| 0x7fffffffce88 --> 0x0
0048| 0x7fffffffce90 --> 0x40c610 (<tcpdump_printf>: lea rsp,[rsp-0x98])
0056| 0x7fffffffce98 --> 0x40c75d (<tcpdump_printf+333>: mov rdi,QWORD PTR [rsp+0x18])
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000005aa533 in snmp_print ()

Valgrind:
reading from file test00, link-type SUNATM (Sun raw ATM)
09:40:46.767916 IPX 16515304.3f:55:0a:02:01:01.0000 > 3f550806.00:01:08:00:21:04.0001: ipx-#1 5683
==28639== Invalid read of size 1
==28639== at 0x5AA533: snmp_print (print-snmp.c:521)
==28639== by 0x4415DD: atm_print (print-atm.c:328)
==28639== by 0x5B190D: sunatm_if_print (print-sunatm.c:104)
==28639== by 0x40E11D: print_packet (tcpdump.c:2396)
==28639== by 0x405746F: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4048ECE: pcap_loop (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x409389: main (tcpdump.c:1921)
==28639== Address 0x59df4d0 is 0 bytes after a block of size 65,536 alloc'd
==28639== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==28639== by 0x4057F1B: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4057722: pcap_fopen_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x40578EF: pcap_open_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x407B73: main (tcpdump.c:1485)
==28639==
==28639== Invalid read of size 1
==28639== at 0x5AA538: snmp_print (print-snmp.c:521)
==28639== by 0x4415DD: atm_print (print-atm.c:328)
==28639== by 0x5B190D: sunatm_if_print (print-sunatm.c:104)
==28639== by 0x40E11D: print_packet (tcpdump.c:2396)
==28639== by 0x405746F: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4048ECE: pcap_loop (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x409389: main (tcpdump.c:1921)
==28639== Address 0x59df4d1 is 1 bytes after a block of size 65,536 alloc'd
==28639== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==28639== by 0x4057F1B: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4057722: pcap_fopen_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x40578EF: pcap_open_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x407B73: main (tcpdump.c:1485)
==28639==
==28639== Invalid read of size 1
==28639== at 0x5AA53D: snmp_print (print-snmp.c:521)
==28639== by 0x4415DD: atm_print (print-atm.c:328)
==28639== by 0x5B190D: sunatm_if_print (print-sunatm.c:104)
==28639== by 0x40E11D: print_packet (tcpdump.c:2396)
==28639== by 0x405746F: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4048ECE: pcap_loop (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x409389: main (tcpdump.c:1921)
==28639== Address 0x59df4d2 is 2 bytes after a block of size 65,536 alloc'd
==28639== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==28639== by 0x4057F1B: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4057722: pcap_fopen_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x40578EF: pcap_open_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x407B73: main (tcpdump.c:1485)
==28639==
==28639== Invalid read of size 1
==28639== at 0x5AA514: snmp_print (print-snmp.c:521)
==28639== by 0x4415DD: atm_print (print-atm.c:328)
==28639== by 0x5B190D: sunatm_if_print (print-sunatm.c:104)
==28639== by 0x40E11D: print_packet (tcpdump.c:2396)
==28639== by 0x405746F: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4048ECE: pcap_loop (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x409389: main (tcpdump.c:1921)
==28639== Address 0x59df4d3 is 3 bytes after a block of size 65,536 alloc'd
==28639== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==28639== by 0x4057F1B: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4057722: pcap_fopen_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x40578EF: pcap_open_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x407B73: main (tcpdump.c:1485)
==28639==
==28639== Invalid read of size 1
==28639== at 0x5AA518: snmp_print (print-snmp.c:521)
==28639== by 0x4415DD: atm_print (print-atm.c:328)
==28639== by 0x5B190D: sunatm_if_print (print-sunatm.c:104)
==28639== by 0x40E11D: print_packet (tcpdump.c:2396)
==28639== by 0x405746F: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4048ECE: pcap_loop (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x409389: main (tcpdump.c:1921)
==28639== Address 0x59df4d4 is 4 bytes after a block of size 65,536 alloc'd
==28639== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==28639== by 0x4057F1B: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4057722: pcap_fopen_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x40578EF: pcap_open_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x407B73: main (tcpdump.c:1485)
==28639==
==28639== Invalid read of size 1
==28639== at 0x5AA520: snmp_print (print-snmp.c:521)
==28639== by 0x4415DD: atm_print (print-atm.c:328)
==28639== by 0x5B190D: sunatm_if_print (print-sunatm.c:104)
==28639== by 0x40E11D: print_packet (tcpdump.c:2396)
==28639== by 0x405746F: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4048ECE: pcap_loop (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x409389: main (tcpdump.c:1921)
==28639== Address 0x59df4d5 is 5 bytes after a block of size 65,536 alloc'd
==28639== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==28639== by 0x4057F1B: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4057722: pcap_fopen_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x40578EF: pcap_open_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x407B73: main (tcpdump.c:1485)
==28639==
==28639== Invalid read of size 1
==28639== at 0x5AA525: snmp_print (print-snmp.c:521)
==28639== by 0x4415DD: atm_print (print-atm.c:328)
==28639== by 0x5B190D: sunatm_if_print (print-sunatm.c:104)
==28639== by 0x40E11D: print_packet (tcpdump.c:2396)
==28639== by 0x405746F: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4048ECE: pcap_loop (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x409389: main (tcpdump.c:1921)
==28639== Address 0x59df4d6 is 6 bytes after a block of size 65,536 alloc'd
==28639== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==28639== by 0x4057F1B: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4057722: pcap_fopen_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x40578EF: pcap_open_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x407B73: main (tcpdump.c:1485)
==28639==
==28639== Invalid read of size 1
==28639== at 0x5AA52E: snmp_print (print-snmp.c:521)
==28639== by 0x4415DD: atm_print (print-atm.c:328)
==28639== by 0x5B190D: sunatm_if_print (print-sunatm.c:104)
==28639== by 0x40E11D: print_packet (tcpdump.c:2396)
==28639== by 0x405746F: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4048ECE: pcap_loop (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x409389: main (tcpdump.c:1921)
==28639== Address 0x59df4d7 is 7 bytes after a block of size 65,536 alloc'd
==28639== at 0x4C28BED: malloc (vg_replace_malloc.c:263)
==28639== by 0x4057F1B: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4057722: pcap_fopen_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x40578EF: pcap_open_offline (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x407B73: main (tcpdump.c:1485)
==28639==
==28639==
==28639== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==28639== Access not within mapped region at address 0x5DCE000
==28639== at 0x5AA533: snmp_print (print-snmp.c:521)
==28639== by 0x4415DD: atm_print (print-atm.c:328)
==28639== by 0x5B190D: sunatm_if_print (print-sunatm.c:104)
==28639== by 0x40E11D: print_packet (tcpdump.c:2396)
==28639== by 0x405746F: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x4048ECE: pcap_loop (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.3.0)
==28639== by 0x409389: main (tcpdump.c:1921)
==28639== If you believe this happened as a result of a stack
==28639== overflow in your program's main thread (unlikely but
==28639== possible), you can try to increase the size of the
==28639== main thread stack using the --main-stacksize= flag.
==28639== The main thread stack size used in this run was 8388608.
09:40:42.16234461 ilmi: Segmentation fault

Test case: https://db.tt/HYvEfwMH
Hexdump of test case:


fxlb commented Feb 27, 2015

Thanks for the report. Does this occur with the latest libpcap from git?

@infrastation
Member

The segfault does not reproduce in my environment:

$ ~/tcpdump/tcpdump -nnr test00
reading from file test00, link-type SUNATM (Sun raw ATM)
15:40:46.767916 IPX 16515304.3f:55:0a:02:01:01.0000 > 3f550806.00:01:08:00:21:04.0001: ipx-#1 5683
15:40:42.16234461 ilmi:  [|snmp]
tcpdump: pcap_loop: bogus savefile header
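The two outcomes above differ only in where the record lengths are checked: the old libpcap handed snmp_print() a record whose claimed length ran past the 65,536-byte buffer it had allocated, while the newer libpcap refuses the record up front as a "bogus savefile header". The following is an added example, not libpcap or tcpdump code, showing that class of check over an in-memory pcap file; it assumes classic little-endian pcap with microsecond timestamps (magic 0xa1b2c3d4), and MAX_SNAPLEN is this example's own ceiling, not a libpcap constant.

```c
/* Added example, not libpcap or tcpdump code: validate each pcap record header
 * before trusting its lengths. Assumes classic little-endian pcap with
 * microsecond timestamps (magic 0xa1b2c3d4). */
#include <stddef.h>
#include <stdint.h>

#define MAX_SNAPLEN 262144u   /* assumed hard ceiling for this example */
struct pcaprec { uint32_t ts_sec, ts_usec, caplen, len; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 0 if the 16-byte record header at buf is sane for this snaplen and the
 * 'avail' bytes remaining in the file, -1 otherwise. */
int pcap_check_record(const uint8_t *buf, size_t avail, uint32_t snaplen, struct pcaprec *rec)
{
    if (avail < 16) return -1;                          /* truncated header */
    rec->ts_sec = le32(buf);     rec->ts_usec = le32(buf + 4);
    rec->caplen = le32(buf + 8); rec->len     = le32(buf + 12);
    if (rec->ts_usec >= 1000000u) return -1;            /* cf. ".16234461" in the trace */
    if (rec->caplen > snaplen || rec->caplen > MAX_SNAPLEN) return -1; /* bogus header */
    if (rec->caplen > avail - 16) return -1;            /* data runs past end of file */
    return 0;
}

/* Number of well-formed records before the first bad header or end of buffer;
 * a printer that only sees records accepted here cannot read past them. */
size_t pcap_count_records(const uint8_t *file, size_t size)
{
    if (size < 24 || le32(file) != 0xa1b2c3d4u) return 0;
    uint32_t snaplen = le32(file + 16);
    size_t off = 24, n = 0;
    struct pcaprec rec;
    while (off < size && pcap_check_record(file + off, size - off, snaplen, &rec) == 0) {
        off += 16 + rec.caplen;
        n++;
    }
    return n;
}

/* Constructed sample, not the reporter's test00: snaplen 65535, DLT 123
 * (SUNATM), one sane 4-byte record, then a header claiming caplen 0x01020a7a
 * with only two bytes of file left. */
const uint8_t sample_pcap[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00,0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 0x7b,0,0,0,
    0x01,0,0,0, 0x10,0x27,0,0, 0x04,0,0,0, 0x04,0,0,0, 0xaa,0xbb,0xcc,0xdd,
    0x02,0,0,0, 0x20,0x4e,0,0, 0x7a,0x0a,0x02,0x01, 0x7a,0x0a,0x02,0x01, 0x11,0x22,
};
```

Running the walker over the sample accepts the first record and stops at the second, which is the point at which a reader without these checks would start dereferencing memory it does not own.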


geeknik commented Feb 27, 2015

I just recompiled tcpdump with the latest libpcap from git and the crash doesn't happen. Sorry about that, I'll know better next time.

@fxlb fxlb closed this as completed Feb 27, 2015