https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14471

            Bug ID: 14471
           Summary: Crafted Stream Control Transmission Protocol packet carrying
                    an NBAP PDU causes heap-buffer-overflow write (4-byte
                    out-of-bounds WRITE in dissect_nbap_RL_Specific_DCH_Info_Item,
                    nbap.cnf:1544, reached via the SCTP heuristic dissector)
           Product: Wireshark
           Version: Git
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: otto.air...@gmail.com
  Target Milestone: ---

Created attachment 16179
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16179&action=edit
capture file

Build Information:
TShark (Wireshark) 2.5.1 (v2.5.1rc0-417-g24b5a553)
Built using clang 4.2.1 Compatible Clang 3.8.0 (tags/RELEASE_380/final).
--
=================================================================
==130973==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7f302b97080c at pc 0x7f31c8d0385b bp 0x7ffdc40bb570 sp 0x7ffdc40bb568
WRITE of size 4 at 0x7f302b97080c thread T0
    #0 0x7f31c8d0385a in dissect_nbap_RL_Specific_DCH_Info_Item
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:1544
    #2 0x7f31c8055eb2 in dissect_per_sequence_of_helper
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:564
    #3 0x7f31c8055eb2 in dissect_per_constrained_sequence_of
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:939
    #5 0x7f31c8c9993d in dissect_nbap_RL_Specific_DCH_Info
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:1584
    #6 0x7f31c8c9993d in dissect_RL_Specific_DCH_Info_PDU
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:3460
    #8 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #10 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #12 0x7f31c6d0ab62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #14 0x7f31c8cd0067 in dissect_ProtocolExtensionFieldExtensionValue
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/packet-nbap-template.c:830
    #16 0x7f31c804c211 in dissect_per_open_type_internal
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:232
    #18 0x7f31c804c8e2 in dissect_per_open_type_pdu_new
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:253
    #20 0x7f31c805f338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
    #22 0x7f31c8ccfc9c in dissect_nbap_ProtocolExtensionField
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:239
    #24 0x7f31c8055eb2 in dissect_per_sequence_of_helper
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:564
    #25 0x7f31c8055eb2 in dissect_per_constrained_sequence_of
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:939
    #27 0x7f31c8ccfb27 in dissect_nbap_ProtocolExtensionContainer
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:252
    #29 0x7f31c805f338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
    #31 0x7f31c8c72025 in dissect_nbap_RL_InformationItem_RL_SetupRqstFDD
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:399
    #32 0x7f31c8c72025 in dissect_RL_InformationItem_RL_SetupRqstFDD_PDU
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:5924
    #34 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #36 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #38 0x7f31c6d0ab62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #40 0x7f31c8cd2c97 in dissect_ProtocolIEFieldValue
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/packet-nbap-template.c:823
    #42 0x7f31c804c211 in dissect_per_open_type_internal
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:232
    #44 0x7f31c804c8e2 in dissect_per_open_type_pdu_new
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:253
    #46 0x7f31c805f338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
    #48 0x7f31c8cd2b3c in dissect_nbap_ProtocolIE_Field
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:191
    #49 0x7f31c8cd2b3c in dissect_nbap_ProtocolIE_Single_Container
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:215
    #51 0x7f31c8055eb2 in dissect_per_sequence_of_helper
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:564
    #52 0x7f31c8055eb2 in dissect_per_constrained_sequence_of
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:939
    #54 0x7f31c8c71aed in dissect_nbap_RL_InformationList_RL_SetupRqstFDD
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:371
    #55 0x7f31c8c71aed in dissect_RL_InformationList_RL_SetupRqstFDD_PDU
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:5916
    #57 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #59 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #61 0x7f31c6d0ab62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #63 0x7f31c8cd2c97 in dissect_ProtocolIEFieldValue
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/packet-nbap-template.c:823
    #65 0x7f31c804c211 in dissect_per_open_type_internal
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:232
    #67 0x7f31c804c8e2 in dissect_per_open_type_pdu_new
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:253
    #69 0x7f31c805f338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
    #71 0x7f31c8cd2bac in dissect_nbap_ProtocolIE_Field
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:191
    #73 0x7f31c8055eb2 in dissect_per_sequence_of_helper
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:564
    #74 0x7f31c8055eb2 in dissect_per_constrained_sequence_of
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:939
    #76 0x7f31c8d18b47 in dissect_nbap_ProtocolIE_Container
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:204
    #78 0x7f31c805f338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
    #80 0x7f31c8cc3bf7 in dissect_nbap_RadioLinkSetupRequestFDD
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:261
    #81 0x7f31c8cc3bf7 in dissect_RadioLinkSetupRequestFDD_PDU
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:5884
    #83 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #85 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #87 0x7f31c6d0cd5b in dissector_try_string_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1660
    #88 0x7f31c6d0cd5b in dissector_try_string
/home/fuzzer/wireshark/wireshark/epan/packet.c:1685
    #90 0x7f31c8ccf4dc in dissect_InitiatingMessageValue
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/packet-nbap-template.c:836
    #92 0x7f31c804c211 in dissect_per_open_type_internal
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:232
    #94 0x7f31c804c8e2 in dissect_per_open_type_pdu_new
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:253
    #96 0x7f31c805f338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
    #98 0x7f31c8cce31c in dissect_nbap_InitiatingMessage
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:757
    #100 0x7f31c805d3ac in dissect_per_choice
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1758
    #102 0x7f31c8c4fb01 in dissect_nbap_NBAP_PDU
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:863
    #103 0x7f31c8c4fb01 in dissect_NBAP_PDU_PDU
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:8468
    #104 0x7f31c8c4fb01 in dissect_nbap
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/packet-nbap-template.c:1023
    #106 0x7f31c8c591a2 in dissect_nbap_heur
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/packet-nbap-template.c:1094
    #108 0x7f31c6d11c50 in dissector_try_heuristic
/home/fuzzer/wireshark/wireshark/epan/packet.c:2701
    #110 0x7f31c82e8b83 in dissect_payload
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-sctp.c:2547
    #112 0x7f31c82df730 in dissect_data_chunk
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-sctp.c:3449
    #114 0x7f31c82d89de in dissect_sctp_chunk
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-sctp.c:4417
    #116 0x7f31c82d6d6a in dissect_sctp_chunks
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-sctp.c:4575
    #117 0x7f31c82d6d6a in dissect_sctp_packet
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-sctp.c:4716
    #119 0x7f31c82d2545 in dissect_sctp
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-sctp.c:4780
    #121 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #123 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #125 0x7f31c6d0ab62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #127 0x7f31c7a45501 in ip_try_dissect
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-ip.c:1845
    #128 0x7f31c7a45501 in dissect_ip_v4
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-ip.c:2303
    #130 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #132 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #134 0x7f31c6d0b8de in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #135 0x7f31c6d0b8de in dissector_try_uint
/home/fuzzer/wireshark/wireshark/epan/packet.c:1385
    #137 0x7f31c76c87b0 in dissect_ethertype
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-ethertype.c:259
    #139 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #141 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #143 0x7f31c6d06f0b in call_dissector_only
/home/fuzzer/wireshark/wireshark/epan/packet.c:3092
    #144 0x7f31c6d06f0b in call_dissector_with_data
/home/fuzzer/wireshark/wireshark/epan/packet.c:3105
    #146 0x7f31c76c551e in dissect_eth_common
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-eth.c:526
    #148 0x7f31c76c3087 in dissect_eth
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-eth.c:801
(discriminator 3)
    #150 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #152 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #154 0x7f31c6d0ab62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #156 0x7f31c7748901 in dissect_frame
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-frame.c:579
    #158 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #160 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #162 0x7f31c6d06f0b in call_dissector_only
/home/fuzzer/wireshark/wireshark/epan/packet.c:3092
    #163 0x7f31c6d06f0b in call_dissector_with_data
/home/fuzzer/wireshark/wireshark/epan/packet.c:3105
    #165 0x7f31c6d05fd7 in dissect_record
/home/fuzzer/wireshark/wireshark/epan/packet.c:568
    #167 0x7f31c6ce1d15 in epan_dissect_run
/home/fuzzer/wireshark/wireshark/epan/epan.c:527
    #169 0x5185b3 in process_packet_first_pass
/home/fuzzer/wireshark/wireshark/tshark.c:2917
    #170 0x5185b3 in process_cap_file
/home/fuzzer/wireshark/wireshark/tshark.c:3186
    #171 0x5185b3 in main /home/fuzzer/wireshark/wireshark/tshark.c:2033
    #173 0x7f31bd5a482f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #175 0x424098 in _start ??:?

0x7f302b97080c is located 12 bytes to the right of 8388608-byte region
[0x7f302b170800,0x7f302b970800)
allocated by thread T0 here (note: the region is a wmem block-allocator pool block,
so the packet-opensafety frames below appear to identify only the first user of the
pool, not the faulty code; the overflowing write itself is in frame #0 above):
    #0 0x4c41c8 in __interceptor_malloc ??:?
    #2 0x7f31be941718 in g_malloc ??:?
    #4 0x7f31c938135a in wmem_block_new_block
/home/fuzzer/wireshark/wireshark/epan/wmem/wmem_allocator_block.c:765
    #5 0x7f31c938135a in wmem_block_alloc
/home/fuzzer/wireshark/wireshark/epan/wmem/wmem_allocator_block.c:873
    #7 0x7f31c937e40b in wmem_alloc
/home/fuzzer/wireshark/wireshark/epan/wmem/wmem_core.c:46
    #9 0x7f31c938ab13 in wmem_list_new
/home/fuzzer/wireshark/wireshark/epan/wmem/wmem_list.c:224
    #11 0x7f31c7fd4b68 in setup_dissector
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-opensafety.c:312
(discriminator 1)
    #13 0x7f31be95a09c in g_slist_foreach ??:?

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/fuzzer/wireshark/wireshark/epan/.libs/libwireshark.so.0+0x9c9585a)
Shadow bytes around the buggy address:
  0x0fe6857260b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe6857260c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe6857260d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe6857260e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe6857260f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe685726100: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe685726110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe685726120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe685726130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe685726140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe685726150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==130973==ABORTING

Credit goes to: Otto Airamo and Antti Levomäki, Forcepoint
