[Wireshark-bugs] [Bug 16461] New: Read of uninitialized memory in find_signature

Thu, 26 Mar 2020 03:38:11 -0700 

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16461

            Bug ID: 16461
           Summary: Read of uninitialized memory in find_signature
           Product: Wireshark
           Version: Git
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: Capture file support (libwiretap)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: fabien.lheur...@trust-in-soft.com
  Target Milestone: ---

Created attachment 17697
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17697&action=edit
This pcap file was generated by AFL and should allow to reproduce the issue

Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark
-v", or "tshark -v".
--
## Analysis Context

*The verification was performed with TrustInSoft Analyzer, a formal
static analyzer for C and C++.*

*The result is part of a larger security assessment performed by
TrustInSoft for* ***Naval Group***.

The analysis of wireshark was performed in the following environment:

----------------- ----------------------------------------------
Platform          Ubuntu Linux 18.04
Tool              TrustInSoft Analyzer, a formal static analyzer
Input Files       Fuzzing of 10 000 pcap file using AFL
Verification      Analysis of `process_cap_file` with the AFL corpus
------------- ----------------------------------------------

------------ ------------------- ---------------------- ----------------
Wireshark    version v2.6.16rc0  git commit dcd65a4012 
https://github.com/wireshark/wireshark.git
glib         version 2.62.6      git commit eb0f73a39  
https://github.com/GNOME/glib.git
libgcrypt    version 1.8.5       git commit ada758e3   
https://github.com/gpg/libgcrypt.git
libgpg-error version 1.37        git commit 85b5006    
https://github.com/gpg/libgpg-error.git
libpcap      version 1.9.1       git commit 1547215c   
https://github.com/the-tcpdump-group/libpcap.git
pcre         version 8.43-RC1    git commit 10e4adb    
https://github.com/svn2github/pcre.git
pcre2        version 10.10       git commit a677f5b    
https://github.com/luvit/pcre2.git
zlib         version 10.10       git commit a677f5b    
https://github.com/madler/zlib.git
------------ ------------------- ---------------------- ----------------

- valgrind is deactivated in glib
- PCRE library is deactivated in glib
- `cap_files_hashes` is deactivated in wireshark

## Uninitialized Variable in *find_signature*

In the function `find_signature`, the variable `m_ptr[pay_off]` where
`pay_off` is equal to `56` may be pointing to uninitialized data.

File: wireshark/wiretap/vwr.c

```c
if (m_ptr[pay_off] == 0xdd)    /* if magic byte is present */
    return pay_off;
```

The variable `m_ptr` is pointing to an offset of a global variable of
type `char [32768]` that was allocated in the function
`vwr_process_rec_data`. Its content is written by the function
`wtap_read_bytes` and, after this call, the buffer is uninitialized
starting from the offset `52`.

-- 
You are receiving this mail because:
You are watching all bug changes.
___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

Reply via email to