CVE-2022-3724: Crash in USB-HID dissector on Windows (#18384) · Issues · Wireshark Foundation / wireshark · GitLab
Crash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file on Windows
Open Issue created Sep 27, 2022 by myrdyr@myrdyr
Crash in USB-HID dissector on Windows
Summary
When dissecting a PCAP with USB-HID data, a crash can happen if the string “Keyboard 5 and %” is loaded from https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-usb-hid.c#L827. On Windows, the spurious ‘%’ is treated as a format string identifier and crashes further down the line.
Steps to reproduce
Using version 3.6.8 (64-bit) on Windows 10:
tshark.exe -V -r minimal.pcap
OR
wireshark.exe minimal.pcap
What is the current bug behavior?
Tshark parses the first 5 frames, but crashes silently before it finishes outputting the 5th frame. Frame 6 doesn’t get printed. Wireshark will crash without any error message or error report.
What is the expected correct behavior?
Some weird, but somewhat valid, dissected USB-HID data. The example is minimized from a much larger file in order to reproduce. Wireshark should not crash.
Sample capture file
minimal.pcap
Relevant logs and/or screenshots
gdb: unknown target exception 0xc0000409 at 0x7ffeee4a1208
Thread 1 received signal ?, Unknown signal.
0x00007ffeee4a1208 in ucrtbase!_invoke_watson () from Windows/System32/ucrtbase.dll
(gdb) info stack
#0 0x00007ffeee4a1208 in ucrtbase!_invoke_watson () from Windows/System32/ucrtbase.dll
#1 0x00007ffeee4524b1 in ucrtbase!_invalid_parameter_noinfo () from Windows/System32/ucrtbase.dll
#2 0x00007ffeee452379 in ucrtbase!_invalid_parameter_noinfo () from Windows/System32/ucrtbase.dll
#3 0x00007ffeee4829fc in ucrtbase!.intrinsic_setjmpex () from Windows/System32/ucrtbase.dll
#4 0x00007ffeee441b49 in ucrtbase!_wtol () from Windows/System32/ucrtbase.dll
#5 0x00007ffeee442304 in ucrtbase!_wctomb_s_l () from Windows/System32/ucrtbase.dll
#6 0x00007ffeee442ed1 in ucrtbase!.stdio_common_vsprintf_s () from Windows/System32/ucrtbase.dll
#7 0x00007ffee9356c4b in wmem_strdup_vprintf () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwsutil.dll
#8 0x00007ffee9356bad in wmem_strdup_printf () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwsutil.dll
#9 0x00007ffe21146d33 in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#10 0x00007ffe211484f2 in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#11 0x00007ffe205d1546 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#12 0x00007ffe205d1771 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#13 0x00007ffe205d4c0d in libwireshark!dissector_try_uint_new () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#14 0x00007ffe211575fe in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#15 0x00007ffe21154b2b in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#16 0x00007ffe21152d89 in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#17 0x00007ffe21151c2d in udp_dissect_pdus () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#18 0x00007ffe205d1546 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#19 0x00007ffe205d1771 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#20 0x00007ffe205d14b0 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#21 0x00007ffe20a04d85 in libwireshark!dissect_e212_utf8_imsi () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#22 0x00007ffe205d1546 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#23 0x00007ffe205d1771 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#24 0x00007ffe205d14b0 in libwireshark!call_dissector_only () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#25 0x00007ffe205d15e7 in libwireshark!call_dissector_with_data () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#26 0x00007ffe205d2a23 in libwireshark!deregister_depend_dissector () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
#27 0x00007ffe205c76e0 in libwireshark!epan_dissect_run_with_taps () from Users/user/Downloads/WiresharkPortable64/App/Wireshark/libwireshark.dll
Build information
The crash initially happened on v3.6.8-0-gd25900c51508. Backtrace above is from Version 3.6.6 (v3.6.6-0-g7d96674e2a30).
3.6.6 (v3.6.6-0-g7d96674e2a30)
Compiled (64-bit) using Microsoft Visual Studio 2019 (VC++ 14.31, build 31107),
with Qt 5.15.2, with libpcap, with GLib 2.66.4, with zlib 1.2.11, with Lua
5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.44.0, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.10, with libsmi 0.4.8, with
QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with
SpeexDSP (using bundled resampler), with Minizip.
Running on 64-bit Windows 10 (21H2), build 19044, with Intel(R) Core(TM)
i7-10750H CPU @ 2.60GHz (with SSE4.2), with 65281 MB of physical memory, with
GLib 2.66.4, with Qt 5.15.2, without Npcap or WinPcap, with c-ares 1.17.0, with
GnuTLS 3.6.3, with Gcrypt 1.8.3, with nghttp2 1.44.0, with brotli 1.0.9, with
LZ4 1.9.3, with Zstandard 1.4.0, with AirPcap 4.1.0 build 1622, with light
display mode, without HiDPI, with LC_TYPE=Norwegian Bokmål_Norway.utf8, binary
plugins supported (21 loaded).
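
The pattern behind this report, as an added example (not Wireshark's code and not the project's fix): a label containing '%' is harmless as data but not when it reaches a printf-style function as the format argument. The table, the helper names and every entry except "Keyboard 5 and %" are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed table; only "Keyboard 5 and %" comes from the report. */
static const char *const sample_labels[] = {
    "Keyboard a and A",
    "Keyboard 5 and %",
    "Battery 100%% full",   /* escaped: safe even as a format */
    NULL
};

/* Count '%' that printf would read as the start of a conversion,
 * i.e. not part of "%%". A trailing lone '%' counts too. */
static size_t unescaped_percents(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* literal percent, skip both characters */
        else
            n++;
    }
    return n;
}

/* Audit helper: number of entries unsafe to pass as a format string. */
static size_t audit_labels(const char *const *labels)
{
    size_t bad = 0;
    for (; *labels; labels++)
        bad += unescaped_percents(*labels) > 0;
    return bad;
}

/* Hardened call site; the form to avoid is snprintf(out, len, label). */
static int format_label(char *out, size_t len, const char *label)
{
    return snprintf(out, len, "%s", label);
}

int main(void)
{
    char buf[64];
    format_label(buf, sizeof buf, sample_labels[1]);
    printf("%zu unsafe; rendered \"%s\"\n", audit_labels(sample_labels), buf);
    return 0;
}
```

An audit like this can run over string tables at build time, while compiler warnings such as -Wformat-security catch call sites that pass a non-literal format.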