[Wireshark-bugs] [Bug 15210] ieee80211: Extend FILS support (802.11ai)

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15210

Michael Mann  changed:

       What|Removed     |Added
 Resolution|---         |FIXED
     Status|IN_PROGRESS |RESOLVED

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

Michael Mann  changed:

       What|Removed     |Added
 Resolution|---         |FIXED
     Status|CONFIRMED   |RESOLVED


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #16 from Gerrit Code Review  ---
Change 30483 merged by Michael Mann:
IAX: Don't try and convert an invalid codec to a mask

https://code.wireshark.org/review/30483


[Wireshark-bugs] [Bug 15258] New: ntpdc sent mode 7 packet wireshark parsing error

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15258

            Bug ID: 15258
           Summary: ntpdc sent mode 7 packet wireshark parsing error
           Product: Wireshark
           Version: 2.6.3
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: a...@protonmail.com
  Target Milestone: ---

Build Information:
Wireshark 2.6.3 (Git v2.6.3 packaged as 2.6.3-1)

Copyright 1998-2018 Gerald Combs  and contributors.
License GPLv2+: GNU GPL version 2 or later

This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.11.1, with libpcap, with POSIX capabilities
(Linux),
with libnl 3, with GLib 2.56.1, with zlib 1.2.11, with SMI 0.4.8, with c-ares
1.14.0, with Lua 5.2.4, with GnuTLS 3.5.19, with Gcrypt 1.8.3, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.32.0, with LZ4, with Snappy,
with libxml2 2.9.4, with QtMultimedia, with SBC, with SpanDSP, without bcg729.

Running on Linux 4.18.0-kali1-amd64, with Intel(R) Core(TM) i5-2500K CPU
@ 3.30GHz (with SSE4.2), with 7887 MB of physical memory, with locale
zh_CN.UTF-8, with libpcap version 1.8.1, with GnuTLS 3.5.19, with Gcrypt 1.8.3,
with zlib 1.2.11, binary plugins supported (0 loaded).

Built using gcc 8.2.0.

--
 *  0                   1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * |R|M| VN  | Mode|A|  Sequence   | Implementation|   Req Code    |
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * |  Err  | Number of data items  |  MBZ  |   Size of data item   |
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * |                                                               |
 * |          Data (Minimum 0 octets, maximum 500 octets)          |
 * |                                                               |
 *                              [...]
 * |                                                               |
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * |               Encryption Keyid (when A bit set)               |
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * |                                                               |
 * |         Message Authentication Code (when A bit set)          |
 * |                                                               |
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *

The above is the packet format under mode 7.

struct req_pkt {
    u_char rm_vn_mode;              /* response, more, version, mode */
    u_char auth_seq;                /* key, sequence number */
    u_char implementation;          /* implementation number */
    u_char request;                 /* request number */
    u_short err_nitems;             /* error code/number of data items */
    u_short mbz_itemsize;           /* item size */
    char data[MAXFILENAME + 48];    /* data area [32 prev](176 byte max) */
                                    /* struct conf_peer must fit */
    l_fp tstamp;                    /* time stamp, for authentication */
    keyid_t keyid;                  /* (optional) encryption key */
    char mac[MAX_MAC_LEN-sizeof(keyid_t)]; /* (optional) auth code */
};

The above is the data structure in the C language.

The |R|M| VN | Mode| fields and the |A| Sequence | fields are resolved to the same
byte in Wireshark, but they are not in the same byte.

Due to the above parsing error, the Data, Encryption Keyid, Message Authentication
Code and tstamp fields cannot be parsed.


[Wireshark-bugs] [Bug 15255] TDS Parameter Value (content) improvement

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15255

--- Comment #9 from Gerrit Code Review  ---
Change 30468 merged by Roland Knall:
TDS: Display value of data on top of field

https://code.wireshark.org/review/30468


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #15 from Tom Hughes  ---
Ah I didn't realise I actually had a fuzzshark to run.

I've opened https://code.wireshark.org/review/30483 for the second issue.


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #14 from Gerrit Code Review  ---
Change 30483 had a related patch set uploaded by Tom Hughes:
IAX: Don't try and convert an invalid codec to a mask

https://code.wireshark.org/review/30483


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #13 from Johannes Altmanninger  ---
(In reply to Tom Hughes from comment #12)
> If I'm reading comment #2 right then he actually ran fuzzshark on the
> truncated packet which presumably made more changes to it?

Apparently it's not fuzzing the input but just reproducing the failure


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #12 from Tom Hughes  ---
If I'm reading comment #2 right then he actually ran fuzzshark on the truncated
packet which presumably made more changes to it?


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #11 from Tom Hughes  ---
I tried that but tshark just said it was an invalid capture file and refused to
read it:

% ./run/tshark -r
/tmp/clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5680214932193280 
tshark: The file
"/tmp/clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5680214932193280"
isn't a capture file in a format TShark understands.


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #10 from Johannes Altmanninger  ---
(In reply to Tom Hughes from comment #9)
> I've opened https://code.wireshark.org/review/30481 for the null argument
> issue.
> 
> Do we have a capture of the packet which triggered the second (shift) issue?

Yes, if we take the last twenty bytes of the .pcap as described by Peter
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251#c2


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #9 from Tom Hughes  ---
I've opened https://code.wireshark.org/review/30481 for the null argument
issue.

Do we have a capture of the packet which triggered the second (shift) issue?


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #8 from Gerrit Code Review  ---
Change 30481 had a related patch set uploaded by Tom Hughes:
IAX: Don't try and copy a non-existent address

https://code.wireshark.org/review/30481


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #7 from Tom Hughes  ---
I'm not sure the null argument thing is actually anything to do with my edits -
the problem seems to be that the packet has no source address because there is
no IP header on it and iax_circuit_lookup is not able to cope with that when it
tries to create a hash to identify the circuit.

I should be able to fix it but I don't think it was introduced by my edit.


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #6 from Johannes Altmanninger  ---
Just in case you find it helpful, this is what I used.
Note that the environment variables have to be present when you run
wireshark/fuzzshark.
WS_BIN_PATH is only necessary for running the tests. I set detect_leaks=0 so
that the tests pass.


export ASAN_OPTIONS=abort_on_error=1:detect_leaks=0
export UBSAN_OPTIONS=print_stacktrace=1
export WS_BIN_PATH=cmake-build-sanitizers/run

mkdir cmake-build-sanitizers
cd cmake-build-sanitizers

cmake .. -GNinja \
 -DCMAKE_C_COMPILER=clang \
 -DCMAKE_CXX_COMPILER=clang++ \
 -DENABLE_ASAN=1 -DENABLE_UBSAN=1 \
 -DCMAKE_BUILD_TYPE=Debug \
 -DCMAKE_EXPORT_COMPILE_COMMANDS=1 \
 -DDISABLE_WERROR=1


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #5 from Tom Hughes  ---
I found ENABLE_UBSAN now ;-)


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #4 from Tom Hughes  ---
So firstly the RFC is quite old and has never been updated to reflect
extensions like codecs outside the original 32 bit range so to some extent we
have to consider what users of the protocol are actually doing and asterisk is
the de facto source for the most part.

The reality has always been that while codecs are in principle just numbers,
and the compression scheme was written to support arbitrary numbers, in reality
they were always single bits because other parts of the protocol OR them
together as a mask to represent a set of protocols.

As far as I know compressed codec numbers are only ever used in contexts where
only a single codec, and hence a single bit, will be set.

So the idea (which actually came from the reviewer) was to make the codec
dissection dispatch table use the shift number rather than the mask to avoid
having to create a 64 bit version of the dissector dispatch logic. That is why
uncompress treats anything with multiple bits set as invalid and returns -1 for
them.

Note that there were previously other cases which returned -1 so that wasn't a
new idea.

I think there are at least two problems I need to fix though...

One is that we can return a number far in excess of 63 which will cause the bad
shift warning.

The second is that we probably need to explicitly ignore -1 and not try and
dispatch a dissection based on it or something but I need to look at that in
more detail.

Is there a good way to get a ubsan build of wireshark so that I can reproduce
this?

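The two checks discussed in comment #4 (a shift above 63, and a -1 result that must not be used), as an added example: this is not the Wireshark dissector code or the merged change. The names subclass_to_shift and shift_to_mask are hypothetical and the sample octets are constructed; the 'C' bit handling follows RFC 5456 (C=1 means the low 7 bits are a power of two).

```c
#include <stdint.h>
#include <stdio.h>

#define IAX_SUBCLASS_C_BIT 0x80   /* 'C' bit of the subclass octet */
#define CODEC_MAX_SHIFT    63     /* highest bit position in a 64-bit mask */

/* Hypothetical helper: map a subclass octet to a codec bit position
 * (shift), or -1 if it does not name exactly one codec in 64 bits. */
int subclass_to_shift(uint8_t csub)
{
    if (csub & IAX_SUBCLASS_C_BIT) {
        /* C=1: the low 7 bits are already a shift count. Seven bits can
         * encode 0..127, so anything above 63 is rejected (this also
         * covers 0xff). */
        int shift = csub & 0x7f;
        return shift <= CODEC_MAX_SHIFT ? shift : -1;
    }
    /* C=0: plain 7-bit value; only a single set bit maps to one codec. */
    if (csub == 0 || (csub & (csub - 1)) != 0)
        return -1;
    int shift = 0;
    while ((csub >> shift) != 1)
        shift++;
    return shift;
}

/* Build the 64-bit codec mask only from a checked shift. Returns 0 for
 * an invalid shift, so 1 << n is never evaluated with n out of range. */
uint64_t shift_to_mask(int shift)
{
    if (shift < 0 || shift > CODEC_MAX_SHIFT)
        return 0;
    return UINT64_C(1) << shift;
}

int main(void)
{
    /* Constructed subclass octets, not taken from the fuzzer test case. */
    static const uint8_t samples[] = { 0x04, 0x06, 0x85, 0xbf, 0xc0, 0xff };
    for (size_t i = 0; i < sizeof samples; i++) {
        int s = subclass_to_shift(samples[i]);
        printf("0x%02x -> shift %d, mask 0x%016llx\n", samples[i], s,
               (unsigned long long)shift_to_mask(s));
    }
    return 0;
}
```

A caller that dispatches on the shift has to test for -1 first; a mask of 0 from shift_to_mask means no codec was identified.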

[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

Johannes Altmanninger  changed:

   What|Removed |Added
     CC|        |aclo...@gmail.com,
       |        |t...@compton.nu

--- Comment #3 from Johannes Altmanninger  ---
CCing Tom Hughes as the undefined shift was introduced last week in [1].
I tried to find out how to properly fix this but I haven't had any luck so far.
I don't understand some things, in particular, RFC 5456 states that the
subclass field should be interpreted as an unsigned 7-bit integer if the 'C'
bit is 0, but the code in uncompress_subclass returns -1 for a lot of those
cases. Is there a place where the format is documented? Perhaps [3] acts as
canonical source?

Also I'm pretty sure we should use 0x40 instead of 40 in [4]. This seems to be
another unrelated issue.


[1]
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blobdiff;f=epan/dissectors/packet-iax2.c;h=471d582bddf295c4379df12083ba9ebd801a4f3a;hp=589f1f0298292841a24f6b42d9f3026315d67d8e;hb=27070dd05964823adefbd159595e61b515c52e49;hpb=99c62bf79710a8fa97d368fa0b2c54b9d1cc6484

[2] https://tools.ietf.org/html/rfc5456#page-44

[3] https://github.com/asterisk/asterisk/blob/master/channels/chan_iax2.c#L1828

[4]
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-iax2.c;h=aafd9eae3bc1f2ee907b19baf56082b04c5dc1ea;hb=HEAD#l1896


[Wireshark-bugs] [Bug 15253] SEP_* does not work as expected for FT_BYTES

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15253

Pascal Quantin  changed:

       What|Removed     |Added
     Status|UNCONFIRMED |RESOLVED
 Resolution|---         |FIXED


[Wireshark-bugs] [Bug 15156] packet-bthci.c incorrectly parses allowed SCO packet bitfield for synchronous request commands/responses

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15156

Alexis La Goutte  changed:

       What|Removed     |Added
 Resolution|---         |FIXED
     Status|IN_PROGRESS |RESOLVED
