
Bug #34

closed

Engine lockup inside of DCERPCParse when processing the attached pcap

Added by Will Metcalf almost 13 years ago. Updated almost 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

0x080ae857 in DCERPCParse (f=0x91cea80, dcerpc_state=0x215c2b98, pstate=0x215c2b80, input=0x1573c5a0 "\005", input_len=<value optimized out>, output=0xb69fda00) at app-layer-dcerpc.c:429
429 while (sstate->numctxitems && sstate->bytesprocessed < sstate->dcerpc.frag_length) {
(gdb) bt full
#0 0x080ae857 in DCERPCParse (f=0x91cea80, dcerpc_state=0x215c2b98, pstate=0x215c2b80, input=0x1573c5a0 "\005", input_len=<value optimized out>, output=0xb69fda00) at app-layer-dcerpc.c:429
retval = <value optimized out>
parsed = 512
#1 0x080a8f45 in AppLayerDoParse (f=0x91cea80, app_layer_state=0x215c2b98, parser_state=0x215c2b98, input=0x1573c5a0 "\005", input_len=512, parser_idx=11, proto=12, need_lock=0 '\0') at app-layer-parser.c:612
retval = <value optimized out>
result = {head = 0x0, tail = 0x0, cnt = 0}
r = <value optimized out>
e = <value optimized out>
PRETTY_FUNCTION = "AppLayerDoParse"
#2 0x080a91a1 in AppLayerParse (f=0x91cea80, proto=12 '\f', flags=5 '\005', input=0x1573c5a0 "\005", input_len=512, need_lock=0 '\0') at app-layer-parser.c:778
parser_idx = 11
p = (AppLayerProto *) 0x80e65d0
parser_state_store = <value optimized out>
parser_state = (AppLayerParserState *) 0x215c2b80
app_layer_state = (void *) 0x215c2b98
r = <value optimized out>
FUNCTION = "AppLayerParse"
#3 0x080a7872 in AppLayerHandleMsg (smsg=0x1573c568, need_lock=0 '\0') at app-layer-detect-proto.c:371
alproto = <value optimized out>
r = <value optimized out>
ssn = (TcpSession *) 0x1bfe5d18
#4 0x0809d1cc in StreamTcpReassembleProcessAppLayer (ra_ctx=0xb40934e8) at stream-tcp-reassemble.c:1457
smsg = (StreamMsg *) 0x0
r = 0
#5 0x0809bccc in StreamTcp (tv=0xc9a1ee0, p=0x8f3d168, data=0xb4093390, pq=0xc9a1f70) at stream-tcp.c:2304
stt = <value optimized out>
#6 0x080933c6 in TmThreadsSlot1 (td=0xc9a1ee0) at tm-threads.c:325
s = (Tm1Slot *) 0xc9a1f58
p = (Packet *) 0x8f3d168
r = <value optimized out>
#7 0x008825ab in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#8 0x00d9ecfe in clone () from /lib/libc.so.6
No symbol table info available.
(gdb) frame 6
#6 0x080933c6 in TmThreadsSlot1 (td=0xc9a1ee0) at tm-threads.c:325
325 r = s->s.SlotFunc(tv, p, s->s.slot_data, &s->s.slot_pq);
(gdb) print *p
$1 = {src = {family = 2 '\002', address = {address_un_data32 = {21866688, 0, 0, 0}, address_un_data16 = {43200, 333, 0, 0, 0, 0, 0, 0}, address_un_data8 = "��M\001", '\0' <repeats 11 times>}}, dst = {family = 2 '\002', address = {
address_un_data32 = {2773330112, 0, 0, 0}, address_un_data16 = {43200, 42317, 0, 0, 0, 0, 0, 0}, address_un_data8 = "��M�", '\0' <repeats 11 times>}}, {sp = 42616, type = 120 'x'}, {dp = 135, code = 135 '\207'}, proto = 6 '\006',
recursion_level = 0 '\0', ts = {tv_sec = 1258470135, tv_usec = 670428}, rtv_cnt = 0 '\0', tpr_cnt = 0 '\0', mutex_rtv_cnt = {__data = {__lock = 0, _count = 0, __owner = 0, __kind = 0, __nusers = 0, {_spins = 0, _list = {
__next = 0x0}}}, __size = '\0' <repeats 23 times>, __align = 0}, tunnel_proto = 0 '\0', tunnel_pkt = 0 '\0', tunnel_verdicted = 0 '\0', pcap_v = {<No data fields>}, datalink = 1,
pkt = "TR\000
\033\211\006a�6\0325\b\000E\000\0004��\000\006b\000��M\001��M��x\000\207E�\v�\210ڴ�\200\020\0006<�\000\000\001\001\b\n\000D��\000\0001\034\026\003\000\000R\001\000\000N\003\000K\002��yy\003�ͧ�K[P1\210�\213��~`\004\032�*�\217\r\205jR\000\000&\0009\0008\0005\000\026\000\023\000\n\0003\0002\000/\000\005\000\004\000\025\000\022\000\t\000\024\000\021\000\b\000\006\000\003\002\001\000xWMhGHRnnRPHq3ZvLGyaLXNCOK46MROFNvNlwKByaMMXWYP"..., pktlen = 66,
flow = 0x91cea80, flowflags = 5 '\005', flags = 0 '\0', pktvar = 0x0, ethh = 0x0, ppph = 0x0, pppoesh = 0x0, pppoedh = 0x0, greh = 0x0, ip4h = 0x8f3d1d2, ip4vars = {ip_opt_len = 0 '\0', ip_opts = {{type = 0 '\0', len = 0 '\0',
data = 0x0} <repeats 40 times>}, ip_opt_cnt = 0 '\0', o_rr = 0x0, o_qs = 0x0, o_ts = 0x0, o_sec = 0x0, o_lsrr = 0x0, o_cipso = 0x0, o_sid = 0x0, o_ssrr = 0x0, o_rtralt = 0x0}, ip4c = {flags = 2666, ver = 0 '\0', hl = 20 '\024',
ip_tos = 0 '\0', ip_len = 52, ip_id = 0, ip_off = 0, _ip_off = 16384, rf = 0 '\0', df = 0 '\0', mf = 0 '\0', ip_ttl = 0 '\0', ip_proto = 6 '\006', ip_csum = 0, comp_csum = -1, ip_src_u32 = 0, ip_dst_u32 = 0}, ip6h = 0x0, ip6vars = {
ip_opts_len = 0 '\0', l4proto = 0 '\0'}, ip6c = {flags = 0, ver = 0 '\0', cl = 0 '\0', flow = 0 '\0', nh = 0 '\0', plen = 0, hlim = 0 '\0'}, ip6eh = {ip6fh = 0x0, fh_offset = 0, ip6rh = 0x0, ip6ah = 0x0, ip6eh = 0x0, ip6dh1 = 0x0,
ip6dh2 = 0x0, ip6hh = 0x0, ip6hh_opt_hao = {ip6hao_type = 0 '\0', ip6hao_len = 0 '\0', ip6hao_hoa = {in6_u = {u6_addr8 = '\0' <repeats 15 times>, u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, u6_addr32 = {0, 0, 0, 0}}}}, ip6hh_opt_ra = {
ip6ra_type = 0 '\0', ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6hh_opt_jumbo = {ip6j_type = 0 '\0', ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6dh1_opt_hao = {ip6hao_type = 0 '\0', ip6hao_len = 0 '\0', ip6hao_hoa = {in6_u = {
u6_addr8 = '\0' <repeats 15 times>, u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, u6_addr32 = {0, 0, 0, 0}}}}, ip6dh1_opt_ra = {ip6ra_type = 0 '\0', ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6dh1_opt_jumbo = {ip6j_type = 0 '\0',
ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6dh2_opt_hao = {ip6hao_type = 0 '\0', ip6hao_len = 0 '\0', ip6hao_hoa = {in6_u = {u6_addr8 = '\0' <repeats 15 times>, u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, u6_addr32 = {0, 0, 0, 0}}}},
ip6dh2_opt_ra = {ip6ra_type = 0 '\0', ip6ra_len = 0 '\0', ip6ra_value = 0}, ip6dh2_opt_jumbo = {ip6j_type = 0 '\0', ip6j_len = 0 '\0', ip6j_payload_len = 0}, ip6_exthdrs = {{type = 0 '\0', next = 0 '\0', len = 0 '\0',
data = 0x0} <repeats 40 times>}, ip6_exthdrs_cnt = 0 '\0'}, icmpv4h = 0x0, icmpv4c = {comp_csum = -1}, icmpv4vars = {type = 0 '\0', code = 0 '\0', csum = 0, id = 0, seq = 0, mtu = 0, error_ptr = 0, emb_ipv4h = 0x0,
emb_tcph = 0x0, emb_udph = 0x0, emb_icmpv4h = 0x0, emb_ip4_src = {s_addr = 0}, emb_ip4_dst = {s_addr = 0}, emb_ip4_hlen = 0 '\0', emb_sport = 0, emb_dport = 0}, icmpv6h = 0x0, icmpv6c = {comp_csum = -1}, icmpv6vars = {
type = 0 '\0', code = 0 '\0', csum = 0, id = 0, seq = 0, mtu = 0, error_ptr = 0, emb_ipv6h = 0x0, emb_tcph = 0x0, emb_udph = 0x0, emb_icmpv6h = 0x0, emb_ip6_src = {0, 0, 0, 0}, emb_ip6_dst = {0, 0, 0, 0},
emb_ip6_proto_next = 0 '\0', emb_sport = 0, emb_dport = 0}, tcph = 0x8f3d1e6, tcpvars = {hlen = 32 ' ', tcp_opt_len = 12 '\f', tcp_opts = {{type = 8 '\b', len = 10 '\n', data = 0x8f3d1fe ""}, {type = 4 '\004', len = 2 '\002',
data = 0x8f3d200 "��"}, {type = 8 '\b', len = 10 '\n', data = 0x8f3d202 ""}, {type = 3 '\003', len = 3 '\003', data = 0x8f3d20d ""}, {type = 0 '\0', len = 0 '\0', data = 0x0} <repeats 16 times>}, tcp_opt_cnt = 1 '\001',
sackok = 0x0, ws = 0x0, ts = 0x8f4d5e0, mss = 0x0}, tcpc = {comp_csum = -1, ts1 = 4503007, ts2 = 0}, udph = 0x0, udpvars = {hlen = 0 '\0'}, udpc = {comp_csum = -1}, payload = 0x8f3d206 "\026\003", payload_len = 0,
events = '\0' <repeats 8190 times>, http_uri = {raw = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, raw_size = {11, 0, 0, 0, 0, 0, 0, 0}, norm = {'\0' <repeats 1023 times>, '\0' <repeats 1023 times>, '\0' <repeats 1023 times>,
'\0' <repeats 1023 times>, '\0' <repeats 1023 times>, '\0' <repeats 1023 times>, '\0' <repeats 1023 times>, '\0' <repeats 1023 times>}, norm_size = {0, 0, 0, 0, 0, 0, 0, 0}, cnt = 0 '\0'}, alerts = {cnt = 0, alerts = {{gid = 0,
sid = 0, rev = 0 '\0', class = 0 '\0', prio = 0 '\0', msg = 0x0} <repeats 256 times>}}, action = 0, next = 0x0, prev = 0x0, root = 0x0}


Files

dcerpcparsepcap2.pcap (3.95 KB) dcerpcparsepcap2.pcap DCERPCParse lockup Will Metcalf, 12/31/2009 08:01 AM
Note #1

Updated by Victor Julien almost 13 years ago

Fixed in the latest master.

Note #2

Updated by Victor Julien almost 13 years ago

  • Status changed from New to Closed
