https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14466
Bug ID: 14466
Summary: Crafted H.225 packets causing read heap-buffer-overflow
Product: Wireshark
Version: Git
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-ad...@wireshark.org
Reporter: otto.air...@gmail.com
Target Milestone: ---
Created attachment 16173
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16173&action=edit
capture file
Build Information:
TShark (Wireshark) 2.5.1 (v2.5.1rc0-417-g24b5a553)
Built using clang 4.2.1 Compatible Clang 3.8.0 (tags/RELEASE_380/final).
--
=================================================================
==130831==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000c723c at pc 0x7f27df8b86f2 bp 0x7ffc42fb6f10 sp 0x7ffc42fb6f08
READ of size 1 at 0x6290000c723c thread T0
    #0 0x7f27df8b86f1 in print_hex_data_buffer /home/fuzzer/wireshark/wireshark/epan/print.c:2038
    #2 0x7f27df8a9055 in proto_tree_print_node /home/fuzzer/wireshark/wireshark/epan/print.c:224
    #4 0x7f27df8c8b7c in proto_tree_children_foreach /home/fuzzer/wireshark/wireshark/epan/proto.c:691
    #6 0x7f27df8a92b1 in proto_tree_print_node /home/fuzzer/wireshark/wireshark/epan/print.c:241
    #8 0x7f27df8c8b7c in proto_tree_children_foreach /home/fuzzer/wireshark/wireshark/epan/proto.c:691
    #10 0x7f27df8a92b1 in proto_tree_print_node /home/fuzzer/wireshark/wireshark/epan/print.c:241
    #12 0x7f27df8c8b7c in proto_tree_children_foreach /home/fuzzer/wireshark/wireshark/epan/proto.c:691
    #14 0x7f27df8a92b1 in proto_tree_print_node /home/fuzzer/wireshark/wireshark/epan/print.c:241
    #16 0x7f27df8c8b7c in proto_tree_children_foreach /home/fuzzer/wireshark/wireshark/epan/proto.c:691
    #18 0x7f27df8a92b1 in proto_tree_print_node /home/fuzzer/wireshark/wireshark/epan/print.c:241
    #20 0x7f27df8c8b7c in proto_tree_children_foreach /home/fuzzer/wireshark/wireshark/epan/proto.c:691
    #22 0x7f27df8a92b1 in proto_tree_print_node /home/fuzzer/wireshark/wireshark/epan/print.c:241
    #24 0x7f27df8c8b7c in proto_tree_children_foreach /home/fuzzer/wireshark/wireshark/epan/proto.c:691
    #26 0x7f27df8a86c7 in proto_tree_print /home/fuzzer/wireshark/wireshark/epan/print.c:155
    #28 0x52432d in print_packet /home/fuzzer/wireshark/wireshark/tshark.c:3910
    #30 0x51932d in process_packet_second_pass /home/fuzzer/wireshark/wireshark/tshark.c:3024
    #31 0x51932d in process_cap_file /home/fuzzer/wireshark/wireshark/tshark.c:3268
    #32 0x51932d in main /home/fuzzer/wireshark/wireshark/tshark.c:2033
    #34 0x7f27d60f482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #36 0x424098 in _start ??:?
0x6290000c723c is located 0 bytes to the right of 16444-byte region [0x6290000c3200,0x6290000c723c)
allocated by thread T0 here:
    #0 0x4c41c8 in __interceptor_malloc ??:?
    #2 0x7f27d7491718 in g_malloc ??:?
    #4 0x7f27df9b420e in ensure_contiguous_no_exception /home/fuzzer/wireshark/wireshark/epan/tvbuff.c:691
    #5 0x7f27df9b420e in ensure_contiguous /home/fuzzer/wireshark/wireshark/epan/tvbuff.c:703
    #6 0x7f27df9b420e in tvb_get_ptr /home/fuzzer/wireshark/wireshark/epan/tvbuff.c:826
    #8 0x7f27df8d8b85 in proto_tree_set_bytes_tvb /home/fuzzer/wireshark/wireshark/epan/proto.c:3650
    #9 0x7f27df8d8b85 in proto_tree_new_item /home/fuzzer/wireshark/wireshark/epan/proto.c:2095
    #11 0x7f27df8e5ce9 in proto_tree_add_item_new /home/fuzzer/wireshark/wireshark/epan/proto.c:3166
    #13 0x7f27dff4d516 in dissect_data /home/fuzzer/wireshark/wireshark/epan/dissectors/packet-data.c:82
    #15 0x7f27df86a291 in call_dissector_through_handle /home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #17 0x7f27df85b0bb in call_dissector_work /home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #19 0x7f27df856f0b in call_dissector_only /home/fuzzer/wireshark/wireshark/epan/packet.c:3092
    #20 0x7f27df856f0b in call_dissector_with_data /home/fuzzer/wireshark/wireshark/epan/packet.c:3105
    #22 0x7f27e15c124e in dissect_h225_T_nsp_data /home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/h225.cnf:823
    #24 0x7f27e0baf338 in dissect_per_sequence /home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
    #26 0x7f27e15b9c37 in dissect_h225_NonStandardParameter /home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/h225.cnf:817
    #28 0x7f27e0baf338 in dissect_per_sequence /home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
    #30 0x7f27e15ba0cc in dissect_h225_EndpointType /home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/h225.cnf:797
    #32 0x7f27e0baf338 in dissect_per_sequence /home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
    #34 0x7f27e15c585c in dissect_h225_GatekeeperRequest /home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/h225.cnf:1226
    #36 0x7f27e0bad3ac in dissect_per_choice /home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1758
    #38 0x7f27e15bb182 in dissect_h225_RasMessage /home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/h225.cnf:298
    #40 0x7f27e15be3b0 in dissect_RasMessage_PDU /home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/h225.cnf:339
    #41 0x7f27e15be3b0 in dissect_h225_h225_RasMessage /home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/packet-h225-template.c:385
    #43 0x7f27df86a291 in call_dissector_through_handle /home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #45 0x7f27df85b0bb in call_dissector_work /home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #47 0x7f27df85b8de in dissector_try_uint_new /home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #48 0x7f27df85b8de in dissector_try_uint /home/fuzzer/wireshark/wireshark/epan/packet.c:1385
    #50 0x7f27e11a67cd in decode_udp_ports /home/fuzzer/wireshark/wireshark/epan/dissectors/packet-udp.c:666
    #52 0x7f27e11ac780 in dissect /home/fuzzer/wireshark/wireshark/epan/dissectors/packet-udp.c:1127
    #54 0x7f27e11a953f in dissect_udp /home/fuzzer/wireshark/wireshark/epan/dissectors/packet-udp.c:1133
    #56 0x7f27df86a291 in call_dissector_through_handle /home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #58 0x7f27df85b0bb in call_dissector_work /home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #60 0x7f27df85ab62 in dissector_try_uint_new /home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #62 0x7f27e0595501 in ip_try_dissect /home/fuzzer/wireshark/wireshark/epan/dissectors/packet-ip.c:1845
    #63 0x7f27e0595501 in dissect_ip_v4 /home/fuzzer/wireshark/wireshark/epan/dissectors/packet-ip.c:2303
    #65 0x7f27df86a291 in call_dissector_through_handle /home/fuzzer/wireshark/wireshark/epan/packet.c:694
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzzer/wireshark/wireshark/epan/.libs/libwireshark.so.0+0x7cfa6f1)
Shadow bytes around the buggy address:
0x0c5280010df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280010e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280010e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280010e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280010e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5280010e40: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa
0x0c5280010e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280010e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280010e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280010e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280010e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==130831==ABORTING
Credit goes to: Otto Airamo and Antti Levomäki, Forcepoint