wireshark crashes with segfault when capturing WPA packet with pre-shared key configured

Bug #1407662 reported by zebul666
Affects: wireshark (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

First, enable WPA key decryption: in Edit > Preferences > Protocols > IEEE 802.11 > Enable decryption and add a decryption key.
In the same dialog, click Edit... then add a new WPA pre-shared key (or a WPA password). Go to https://www.wireshark.org/tools/wpa-psk.html to generate your pre-shared key from the password if needed.

Then, start capturing on a monitor-mode-enabled interface to capture WPA wifi packets. As soon as the capture starts and WPA-encrypted packets are captured, wireshark crashes with a segfault.

Here is a backtrace

Program received signal SIGSEGV, Segmentation fault.
dissect_ieee80211_common (tvb=0x345bca0, pinfo=0x7fffffffaee8, tree=0x0, fixed_length_header=0, fcs_len=0, wlan_broken_fc=109, datapad=0, is_ht=0, is_centrino=0)
    at /build/buildd/wireshark-1.12.1+g01b65bf/epan/dissectors/packet-ieee80211.c:17053
17053 /build/buildd/wireshark-1.12.1+g01b65bf/epan/dissectors/packet-ieee80211.c: No such file or directory.
(gdb) bt
#0 dissect_ieee80211_common (tvb=0x345bca0, pinfo=0x7fffffffaee8, tree=0x0, fixed_length_header=0, fcs_len=0, wlan_broken_fc=109, datapad=0, is_ht=0,
    is_centrino=0) at /build/buildd/wireshark-1.12.1+g01b65bf/epan/dissectors/packet-ieee80211.c:17053
#1 0x00007ffff34b37fb in dissect_ieee80211 (tvb=<optimized out>, pinfo=<optimized out>, tree=<optimized out>)
    at /build/buildd/wireshark-1.12.1+g01b65bf/epan/dissectors/packet-ieee80211.c:17599
#2 0x00007ffff30f6ed4 in call_dissector_through_handle (handle=handle@entry=0x1450880, tvb=tvb@entry=0x345bca0, pinfo=pinfo@entry=0x7fffffffaee8,
    tree=tree@entry=0x0, data=data@entry=0x0) at /build/buildd/wireshark-1.12.1+g01b65bf/epan/packet.c:626
#3 0x00007ffff30f7805 in call_dissector_work (handle=0x1450880, tvb=0x345bca0, pinfo_arg=0x7fffffffaee8, tree=0x0, add_proto_name=1, data=0x0)
    at /build/buildd/wireshark-1.12.1+g01b65bf/epan/packet.c:713
#4 0x00007ffff30f9462 in call_dissector_with_data (handle=<optimized out>, tvb=0x345bca0, pinfo=0x7fffffffaee8, tree=0x0, data=<optimized out>)
    at /build/buildd/wireshark-1.12.1+g01b65bf/epan/packet.c:2295
#5 0x00007ffff3492551 in dissect_radiotap (tvb=0x2669b00, pinfo=0x7fffffffaee8, tree=0x0)
    at /build/buildd/wireshark-1.12.1+g01b65bf/epan/dissectors/packet-ieee80211-radiotap.c:1974
#6 0x00007ffff30f6ed4 in call_dissector_through_handle (handle=handle@entry=0x13530b0, tvb=tvb@entry=0x2669b00, pinfo=pinfo@entry=0x7fffffffaee8,
    tree=tree@entry=0x0, data=data@entry=0x0) at /build/buildd/wireshark-1.12.1+g01b65bf/epan/packet.c:626
#7 0x00007ffff30f7805 in call_dissector_work (handle=0x13530b0, tvb=0x2669b00, pinfo_arg=0x7fffffffaee8, tree=0x0, add_proto_name=1, data=0x0)
    at /build/buildd/wireshark-1.12.1+g01b65bf/epan/packet.c:713
#8 0x00007ffff30f7ebc in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=23, tvb=0x2669b00, pinfo=0x7fffffffaee8, tree=0x0,
    add_proto_name=add_proto_name@entry=1, data=0x0) at /build/buildd/wireshark-1.12.1+g01b65bf/epan/packet.c:1144
#9 0x00007ffff30f7f11 in dissector_try_uint (sub_dissectors=<optimized out>, uint_val=<optimized out>, tvb=<optimized out>, pinfo=<optimized out>,
    tree=<optimized out>) at /build/buildd/wireshark-1.12.1+g01b65bf/epan/packet.c:1170
#10 0x00007ffff33d7c0c in dissect_frame (tvb=0x7ffff6274c58 <airpdcap_ctx+152>, pinfo=0x0, parent_tree=0x0)
    at /build/buildd/wireshark-1.12.1+g01b65bf/epan/dissectors/packet-frame.c:508
#11 0x00007ffff30f6ed4 in call_dissector_through_handle (handle=handle@entry=0x12cc6d0, tvb=tvb@entry=0x2669b00, pinfo=pinfo@entry=0x7fffffffaee8,
    tree=tree@entry=0x0, data=data@entry=0x0) at /build/buildd/wireshark-1.12.1+g01b65bf/epan/packet.c:626
#12 0x00007ffff30f7805 in call_dissector_work (handle=0x12cc6d0, tvb=0x2669b00, pinfo_arg=0x7fffffffaee8, tree=0x0, add_proto_name=1, data=0x0)
    at /build/buildd/wireshark-1.12.1+g01b65bf/epan/packet.c:713
#13 0x00007ffff30f9462 in call_dissector_with_data (handle=<optimized out>, tvb=0x2669b00, pinfo=0x7fffffffaee8, tree=0x0, data=<optimized out>)
    at /build/buildd/wireshark-1.12.1+g01b65bf/epan/packet.c:2295
#14 0x00007ffff30f9870 in dissect_record (edt=0x7ffff6274c58 <airpdcap_ctx+152>, edt@entry=0x7fffffffaed0, file_type_subtype=2, phdr=0x0, tvb=0x2669b00, fd=0x0,
    fd@entry=0x35b1278, cinfo=0x7fffffffaee8) at /build/buildd/wireshark-1.12.1+g01b65bf/epan/packet.c:497
#15 0x00007ffff30ecc64 in epan_dissect_run_with_taps (edt=edt@entry=0x7fffffffaed0, file_type_subtype=2, phdr=phdr@entry=0x1d8c8a0, tvb=0x2669b00,
    fd=fd@entry=0x35b1278, cinfo=cinfo@entry=0x0) at /build/buildd/wireshark-1.12.1+g01b65bf/epan/epan.c:350
#16 0x0000000000428816 in add_packet_to_packet_list (fdata=0x35b1278, cf=0x813900 <cfile>, edt=0x7fffffffaed0, dfcode=0x0, cinfo=0x0, phdr=0x1d8c8a0,
    buf=0x2c71c00 "", add_to_packet_list=1) at /build/buildd/wireshark-1.12.1+g01b65bf/file.c:1181
#17 0x0000000000429c58 in read_packet (cf=0x813900 <cfile>, dfcode=0x0, edt=0x0, edt@entry=0x7fffffffaed0, cinfo=0x87, cinfo@entry=0x0, offset=1882)
    at /build/buildd/wireshark-1.12.1+g01b65bf/file.c:1283
#18 0x000000000042ab83 in cf_continue_tail (cf=0x813900 <cfile>, to_read=to_read@entry=126, err=err@entry=0x7fffffffb0f4)
    at /build/buildd/wireshark-1.12.1+g01b65bf/file.c:889
#19 0x0000000000424c31 in capture_input_new_packets (cap_session=cap_session@entry=0x813ce0 <global_capture_session>, to_read=to_read@entry=126)
    at /build/buildd/wireshark-1.12.1+g01b65bf/capture.c:404
#20 0x0000000000434f26 in sync_pipe_input_cb (source=<optimized out>, user_data=0x813ce0 <global_capture_session>)
    at /build/buildd/wireshark-1.12.1+g01b65bf/capture_sync.c:1779
#21 0x0000000000442fa5 in pipe_input_cb (source=<optimized out>, condition=<optimized out>, data=0x80c100 <pipe_input>)
    at /build/buildd/wireshark-1.12.1+g01b65bf/ui/gtk/gui_utils.c:667
#22 0x00007ffff653bb6d in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#23 0x00007ffff653bf48 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#24 0x00007ffff653bffc in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#25 0x00007ffff78440e5 in gtk_main_iteration () from /usr/lib/x86_64-linux-gnu/libgtk-3.so.0
#26 0x0000000000443b75 in main_window_update () at /build/buildd/wireshark-1.12.1+g01b65bf/ui/gtk/gui_utils.c:547
#27 0x0000000000432f9a in sync_pipe_open_command (argv=argv@entry=0x1d51ee0, data_read_fd=data_read_fd@entry=0x7fffffffc760,
    message_read_fd=message_read_fd@entry=0x7fffffffc764, fork_child=fork_child@entry=0x7fffffffc768, msg=msg@entry=0x7fffffffc770,
    update_cb=update_cb@entry=0x443b60 <main_window_update>) at /build/buildd/wireshark-1.12.1+g01b65bf/capture_sync.c:932
#28 0x00000000004339be in sync_pipe_run_command_actual (argv=argv@entry=0x1d51ee0, data=data@entry=0x7fffffffdcb0, primary_msg=primary_msg@entry=0x7fffffffdcb8,
    secondary_msg=secondary_msg@entry=0x7fffffffdcc0, update_cb=update_cb@entry=0x443b60 <main_window_update>)
    at /build/buildd/wireshark-1.12.1+g01b65bf/capture_sync.c:993
#29 0x0000000000433cb2 in sync_pipe_run_command (argv=0x1d51ee0, data=data@entry=0x7fffffffdcb0, primary_msg=primary_msg@entry=0x7fffffffdcb8,
    secondary_msg=secondary_msg@entry=0x7fffffffdcc0, update_cb=update_cb@entry=0x443b60 <main_window_update>)
    at /build/buildd/wireshark-1.12.1+g01b65bf/capture_sync.c:1171
#30 0x00000000004349a1 in sync_if_capabilities_open (ifname=ifname@entry=0x1d74780 "wlan0", monitor_mode=monitor_mode@entry=0, data=data@entry=0x7fffffffdcb0,
    primary_msg=primary_msg@entry=0x7fffffffdcb8, secondary_msg=secondary_msg@entry=0x7fffffffdcc0, update_cb=update_cb@entry=0x443b60 <main_window_update>)
    at /build/buildd/wireshark-1.12.1+g01b65bf/capture_sync.c:1316
#31 0x0000000000432bdd in capture_get_if_capabilities (ifname=0x1d74780 "wlan0", monitor_mode=monitor_mode@entry=0, err_str=err_str@entry=0x0,
    update_cb=update_cb@entry=0x443b60 <main_window_update>) at /build/buildd/wireshark-1.12.1+g01b65bf/capture_ifinfo.c:216
#32 0x0000000000520424 in scan_local_interfaces (update_cb=0x443b60 <main_window_update>) at /build/buildd/wireshark-1.12.1+g01b65bf/ui/iface_lists.c:162
#33 0x00000000004cd990 in refresh_local_interface_lists () at /build/buildd/wireshark-1.12.1+g01b65bf/ui/gtk/capture_dlg.c:6133
#34 0x0000000000430a3b in iface_mon_handler2 (obj=0x45b6800, arg=0x4edfa0 <gtk_iface_mon_event_cb>) at /build/buildd/wireshark-1.12.1+g01b65bf/iface_monitor.c:108
#35 0x00007ffff0e5596e in ?? () from /lib/x86_64-linux-gnu/libnl-3.so.200
#36 0x00007ffff107e09c in ?? () from /usr/lib/x86_64-linux-gnu/libnl-route-3.so.200
#37 0x00007ffff0e52cd9 in nl_cache_parse () from /lib/x86_64-linux-gnu/libnl-3.so.200
#38 0x00007ffff0e571cb in nl_msg_parse () from /lib/x86_64-linux-gnu/libnl-3.so.200
#39 0x00000000004309e3 in iface_mon_handler (msg=<optimized out>, arg=<optimized out>) at /build/buildd/wireshark-1.12.1+g01b65bf/iface_monitor.c:118
#40 0x00007ffff0e584cf in nl_recvmsgs_report () from /lib/x86_64-linux-gnu/libnl-3.so.200
#41 0x00007ffff0e58899 in nl_recvmsgs () from /lib/x86_64-linux-gnu/libnl-3.so.200
#42 0x00000000004edf89 in gtk_iface_mon_event (source=<optimized out>, condition=<optimized out>, data=<optimized out>)
    at /build/buildd/wireshark-1.12.1+g01b65bf/ui/gtk/gtk_iface_monitor.c:85
#43 0x00007ffff653bb6d in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#44 0x00007ffff653bf48 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#45 0x00007ffff653c272 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#46 0x00007ffff7844045 in gtk_main () from /usr/lib/x86_64-linux-gnu/libgtk-3.so.0
#47 0x0000000000423e9d in main (argc=0, argv=0x7fffffffe610) at /build/buildd/wireshark-1.12.1+g01b65bf/ui/gtk/main.c:3248

Running the latest upstream wireshark 1.12.2, compiled from source, there is no crash in the same situation.

Instead of trying to debug and fix it, please upgrade to the latest upstream 1.12.2 as it works, without Ubuntu patches if there are any.

ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: wireshark 1.12.1+g01b65bf-2~ubuntu14.10.1
ProcVersionSignature: Ubuntu 3.16.0-28.38-generic 3.16.7-ckt1
Uname: Linux 3.16.0-28-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.14.7-0ubuntu8
Architecture: amd64
Date: Mon Jan 5 13:40:20 2015
InstallationDate: Installed on 2014-01-22 (347 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
ProcEnviron:
 LANGUAGE=fr_FR
 TERM=xterm
 PATH=(custom, no user)
 LANG=fr_FR.UTF-8
 SHELL=/bin/bash
SourcePackage: wireshark
UpgradeStatus: Upgraded to utopic on 2014-10-24 (72 days ago)

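The report points at the wpa-psk web tool to turn a passphrase into the 64-hex-digit key that the IEEE 802.11 preferences accept. The derivation that tool performs is plain PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output (IEEE 802.11i). The following is an added example, not code from the bug report or from Wireshark, that does the same derivation offline and emits both key forms the dialog accepts; the function names and the input validation are mine, and the test vector ("password"/"IEEE") is the one published in IEEE 802.11i Annex H.

```python
"""Derive a WPA/WPA2 pre-shared key (PSK) from a passphrase and SSID.

Added example; not part of the bug report or of Wireshark itself.
"""
import hashlib

WPA_PSK_ITERATIONS = 4096   # IEEE 802.11i: PBKDF2 with HMAC-SHA1, 4096 rounds
WPA_PSK_LEN = 32            # 256-bit PSK (used directly as the PMK)


def is_valid(passphrase: str, ssid: str) -> bool:
    """Check the constraints the standard puts on the inputs.

    A WPA passphrase is 8 to 63 printable ASCII characters (0x20..0x7e);
    an SSID is 1 to 32 octets. A key derived from inputs outside these
    bounds would never match what the AP and station computed, so
    Wireshark would simply fail to decrypt without any error.
    """
    if not 8 <= len(passphrase) <= 63:
        return False
    if not all(0x20 <= ord(c) <= 0x7E for c in passphrase):
        return False
    return 1 <= len(ssid.encode("utf-8")) <= 32


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes)."""
    if not is_valid(passphrase, ssid):
        raise ValueError("passphrase must be 8..63 printable ASCII chars, SSID 1..32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        WPA_PSK_ITERATIONS,
        WPA_PSK_LEN,
    )


def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """Both forms the IEEE 802.11 decryption-keys dialog accepts.

    'wpa-pwd' lets Wireshark derive the PSK itself (it needs the SSID,
    which it can only learn from beacons/probe responses in the capture);
    'wpa-psk' is the precomputed 64-hex-digit key and works without them.
    """
    return {
        "wpa-pwd": f"{passphrase}:{ssid}",
        "wpa-psk": wpa_psk(passphrase, ssid).hex(),
    }


if __name__ == "__main__":
    for kind, value in wireshark_key_entries("password", "IEEE").items():
        print(f"{kind}: {value}")
```

Two caveats for anyone using this while reproducing the report: the PSK alone is not enough to decrypt data frames, because Wireshark also has to see the EAPOL 4-way handshake for the station to derive the per-session PTK, so start the capture before the client associates (or deauthenticate it once). And if you prefer the passphrase form, the capture must contain a beacon or probe response carrying the SSID, otherwise the key is never derived.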
Evan Huus (eapache) wrote :

Thanks for the report, I've uploaded a potential fix to https://code.wireshark.org/review/6330 although I haven't had a chance to try reproducing myself.
