https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14466

            Bug ID: 14466
           Summary: Crafted H.225 packets causing read
                    heap-buffer-overflow
           Product: Wireshark
           Version: Git
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: otto.air...@gmail.com
  Target Milestone: ---

Created attachment 16173
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16173&action=edit
capture file

Build Information:
TShark (Wireshark) 2.5.1 (v2.5.1rc0-417-g24b5a553)
Built using clang 4.2.1 Compatible Clang 3.8.0 (tags/RELEASE_380/final).
--
=================================================================
==130831==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6290000c723c at pc 0x7f27df8b86f2 bp 0x7ffc42fb6f10 sp 0x7ffc42fb6f08
READ of size 1 at 0x6290000c723c thread T0
    #0 0x7f27df8b86f1 in print_hex_data_buffer
/home/fuzzer/wireshark/wireshark/epan/print.c:2038
    #2 0x7f27df8a9055 in proto_tree_print_node
/home/fuzzer/wireshark/wireshark/epan/print.c:224
    #4 0x7f27df8c8b7c in proto_tree_children_foreach
/home/fuzzer/wireshark/wireshark/epan/proto.c:691
    #6 0x7f27df8a92b1 in proto_tree_print_node
/home/fuzzer/wireshark/wireshark/epan/print.c:241
    #8 0x7f27df8c8b7c in proto_tree_children_foreach
/home/fuzzer/wireshark/wireshark/epan/proto.c:691
    #10 0x7f27df8a92b1 in proto_tree_print_node
/home/fuzzer/wireshark/wireshark/epan/print.c:241
    #12 0x7f27df8c8b7c in proto_tree_children_foreach
/home/fuzzer/wireshark/wireshark/epan/proto.c:691
    #14 0x7f27df8a92b1 in proto_tree_print_node
/home/fuzzer/wireshark/wireshark/epan/print.c:241
    #16 0x7f27df8c8b7c in proto_tree_children_foreach
/home/fuzzer/wireshark/wireshark/epan/proto.c:691
    #18 0x7f27df8a92b1 in proto_tree_print_node
/home/fuzzer/wireshark/wireshark/epan/print.c:241
    #20 0x7f27df8c8b7c in proto_tree_children_foreach
/home/fuzzer/wireshark/wireshark/epan/proto.c:691
    #22 0x7f27df8a92b1 in proto_tree_print_node
/home/fuzzer/wireshark/wireshark/epan/print.c:241
    #24 0x7f27df8c8b7c in proto_tree_children_foreach
/home/fuzzer/wireshark/wireshark/epan/proto.c:691
    #26 0x7f27df8a86c7 in proto_tree_print
/home/fuzzer/wireshark/wireshark/epan/print.c:155
    #28 0x52432d in print_packet /home/fuzzer/wireshark/wireshark/tshark.c:3910
    #30 0x51932d in process_packet_second_pass
/home/fuzzer/wireshark/wireshark/tshark.c:3024
    #31 0x51932d in process_cap_file
/home/fuzzer/wireshark/wireshark/tshark.c:3268
    #32 0x51932d in main /home/fuzzer/wireshark/wireshark/tshark.c:2033
    #34 0x7f27d60f482f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #36 0x424098 in _start ??:?

0x6290000c723c is located 0 bytes to the right of 16444-byte region
[0x6290000c3200,0x6290000c723c)
allocated by thread T0 here:
    #0 0x4c41c8 in __interceptor_malloc ??:?
    #2 0x7f27d7491718 in g_malloc ??:?
    #4 0x7f27df9b420e in ensure_contiguous_no_exception
/home/fuzzer/wireshark/wireshark/epan/tvbuff.c:691
    #5 0x7f27df9b420e in ensure_contiguous
/home/fuzzer/wireshark/wireshark/epan/tvbuff.c:703
    #6 0x7f27df9b420e in tvb_get_ptr
/home/fuzzer/wireshark/wireshark/epan/tvbuff.c:826
    #8 0x7f27df8d8b85 in proto_tree_set_bytes_tvb
/home/fuzzer/wireshark/wireshark/epan/proto.c:3650
    #9 0x7f27df8d8b85 in proto_tree_new_item
/home/fuzzer/wireshark/wireshark/epan/proto.c:2095
    #11 0x7f27df8e5ce9 in proto_tree_add_item_new
/home/fuzzer/wireshark/wireshark/epan/proto.c:3166
    #13 0x7f27dff4d516 in dissect_data
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-data.c:82
    #15 0x7f27df86a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #17 0x7f27df85b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #19 0x7f27df856f0b in call_dissector_only
/home/fuzzer/wireshark/wireshark/epan/packet.c:3092
    #20 0x7f27df856f0b in call_dissector_with_data
/home/fuzzer/wireshark/wireshark/epan/packet.c:3105
    #22 0x7f27e15c124e in dissect_h225_T_nsp_data
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/h225.cnf:823
    #24 0x7f27e0baf338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
    #26 0x7f27e15b9c37 in dissect_h225_NonStandardParameter
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/h225.cnf:817
    #28 0x7f27e0baf338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
    #30 0x7f27e15ba0cc in dissect_h225_EndpointType
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/h225.cnf:797
    #32 0x7f27e0baf338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
    #34 0x7f27e15c585c in dissect_h225_GatekeeperRequest
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/h225.cnf:1226
    #36 0x7f27e0bad3ac in dissect_per_choice
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1758
    #38 0x7f27e15bb182 in dissect_h225_RasMessage
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/h225.cnf:298
    #40 0x7f27e15be3b0 in dissect_RasMessage_PDU
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/h225.cnf:339
    #41 0x7f27e15be3b0 in dissect_h225_h225_RasMessage
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/h225/packet-h225-template.c:385
    #43 0x7f27df86a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #45 0x7f27df85b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #47 0x7f27df85b8de in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #48 0x7f27df85b8de in dissector_try_uint
/home/fuzzer/wireshark/wireshark/epan/packet.c:1385
    #50 0x7f27e11a67cd in decode_udp_ports
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-udp.c:666
    #52 0x7f27e11ac780 in dissect
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-udp.c:1127
    #54 0x7f27e11a953f in dissect_udp
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-udp.c:1133
    #56 0x7f27df86a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #58 0x7f27df85b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #60 0x7f27df85ab62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #62 0x7f27e0595501 in ip_try_dissect
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-ip.c:1845
    #63 0x7f27e0595501 in dissect_ip_v4
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-ip.c:2303
    #65 0x7f27df86a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/fuzzer/wireshark/wireshark/epan/.libs/libwireshark.so.0+0x7cfa6f1)
Shadow bytes around the buggy address:
  0x0c5280010df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280010e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280010e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280010e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280010e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5280010e40: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa
  0x0c5280010e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280010e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280010e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280010e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280010e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==130831==ABORTING

Credit goes to: Otto Airamo and Antti Levomäki, Forcepoint
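
What the two stacks in the report pin down: the 16444-byte region is the contiguous copy that tvb_get_ptr made (ensure_contiguous, tvbuff.c:691) when the H.225 NonStandardParameter nsp_data was handed to the generic data dissector, and the one-byte read lands exactly at its end ("0 bytes to the right") while tshark is printing the tree (print_packet, proto_tree_print, print_hex_data_buffer), not while dissecting. So the printer walks a field length that is at least one byte longer than the backing region it was given. The following C program is an added illustration of that bug class, written for this page and not taken from Wireshark's print.c: a hex-dump routine that trusts a field's recorded length beside one that clamps to the backing region. The region_t/field_t types, the function names and the 32-byte sample buffer are all constructed for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed example, not Wireshark code. A backing byte region and a
 * field that points into it, loosely modelled on a contiguous tvbuff
 * copy (what tvb_get_ptr returns) and a field's start/length. */
typedef struct {
    const uint8_t *data;   /* contiguous bytes of the region */
    size_t len;            /* true size of the region */
} region_t;

typedef struct {
    size_t start;          /* field offset into the region */
    size_t length;         /* field length as recorded by the dissector */
} field_t;

/* Print one 16-byte-max line; with out == NULL nothing is read or printed. */
static void hex_line(FILE *out, const uint8_t *p, size_t off, size_t n)
{
    if (!out) return;
    fprintf(out, "%04zx ", off);
    for (size_t i = 0; i < n; i++)
        fprintf(out, " %02x", p[i]);
    fputc('\n', out);
}

/* Unchecked printer: trusts f->length and never consults r->len.
 * If f->start + f->length == r->len + 1, the last byte read is one past
 * the allocation: the "READ of size 1 ... 0 bytes to the right of" shape
 * in the ASan report above. Returns the number of bytes dumped. */
static size_t hexdump_unchecked(FILE *out, const region_t *r, const field_t *f)
{
    if (f->length == 0) return 0;
    const uint8_t *p = r->data + f->start;
    size_t done = 0;
    while (done < f->length) {
        size_t left = f->length - done;
        size_t n = left < 16 ? left : 16;
        hex_line(out, p + done, done, n);   /* may read past r->data[r->len-1] */
        done += n;
    }
    return done;
}

/* Bounded printer: clamps to the bytes the region actually holds and
 * reports how many requested bytes were not backed, so the caller can
 * flag a malformed field instead of reading past the buffer. avail is
 * computed as r->len - f->start (after checking start < len) so that
 * f->start + f->length can never wrap size_t. */
static size_t hexdump_bounded(FILE *out, const region_t *r, const field_t *f,
                              size_t *truncated)
{
    size_t avail = f->start < r->len ? r->len - f->start : 0;
    size_t n = f->length < avail ? f->length : avail;
    if (truncated) *truncated = f->length - n;
    if (n == 0) return 0;                   /* never form a pointer past the region */
    field_t clamped = { f->start, n };
    return hexdump_unchecked(out, r, &clamped);  /* safe: start + n <= r->len */
}

int main(void)
{
    uint8_t buf[32];                        /* constructed sample region */
    for (size_t i = 0; i < sizeof buf; i++) buf[i] = (uint8_t)(i * 7);
    region_t r = { buf, sizeof buf };
    field_t good = { 16, 16 };              /* ends exactly at the region end */
    field_t bad  = { 16, 17 };              /* claims one byte the region lacks */
    size_t trunc = 0;

    hexdump_unchecked(stdout, &r, &good);
    size_t n = hexdump_bounded(stdout, &r, &bad, &trunc);
    printf("dumped %zu byte(s), %zu requested byte(s) not backed by the region\n",
           n, trunc);
    /* hexdump_unchecked(stdout, &r, &bad) would read buf[32]: the bug. */
    return 0;
}
```

Compile it with `-fsanitize=address` and swap the commented call in for the bounded one to watch ASan report the same one-byte overrun; the fix the bounded variant demonstrates is to carry the backing region's real size alongside the field length rather than trusting the length alone.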

-- 
___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe
