https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14471
Bug ID: 14471
Summary: Crafted Stream Control Transmission Protocol packet
causes heap-buffer-overflow write
Product: Wireshark
Version: Git
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-ad...@wireshark.org
Reporter: otto.air...@gmail.com
Target Milestone: ---
Created attachment 16179
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16179&action=edit
capture file
Build Information:
TShark (Wireshark) 2.5.1 (v2.5.1rc0-417-g24b5a553)
Built using clang 4.2.1 Compatible Clang 3.8.0 (tags/RELEASE_380/final).
--
=================================================================
==130973==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7f302b97080c at pc 0x7f31c8d0385b bp 0x7ffdc40bb570 sp 0x7ffdc40bb568
WRITE of size 4 at 0x7f302b97080c thread T0
#0 0x7f31c8d0385a in dissect_nbap_RL_Specific_DCH_Info_Item
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:1544
#2 0x7f31c8055eb2 in dissect_per_sequence_of_helper
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:564
#3 0x7f31c8055eb2 in dissect_per_constrained_sequence_of
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:939
#5 0x7f31c8c9993d in dissect_nbap_RL_Specific_DCH_Info
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:1584
#6 0x7f31c8c9993d in dissect_RL_Specific_DCH_Info_PDU
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:3460
#8 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
#10 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
#12 0x7f31c6d0ab62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
#14 0x7f31c8cd0067 in dissect_ProtocolExtensionFieldExtensionValue
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/packet-nbap-template.c:830
#16 0x7f31c804c211 in dissect_per_open_type_internal
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:232
#18 0x7f31c804c8e2 in dissect_per_open_type_pdu_new
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:253
#20 0x7f31c805f338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
#22 0x7f31c8ccfc9c in dissect_nbap_ProtocolExtensionField
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:239
#24 0x7f31c8055eb2 in dissect_per_sequence_of_helper
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:564
#25 0x7f31c8055eb2 in dissect_per_constrained_sequence_of
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:939
#27 0x7f31c8ccfb27 in dissect_nbap_ProtocolExtensionContainer
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:252
#29 0x7f31c805f338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
#31 0x7f31c8c72025 in dissect_nbap_RL_InformationItem_RL_SetupRqstFDD
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:399
#32 0x7f31c8c72025 in dissect_RL_InformationItem_RL_SetupRqstFDD_PDU
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:5924
#34 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
#36 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
#38 0x7f31c6d0ab62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
#40 0x7f31c8cd2c97 in dissect_ProtocolIEFieldValue
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/packet-nbap-template.c:823
#42 0x7f31c804c211 in dissect_per_open_type_internal
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:232
#44 0x7f31c804c8e2 in dissect_per_open_type_pdu_new
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:253
#46 0x7f31c805f338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
#48 0x7f31c8cd2b3c in dissect_nbap_ProtocolIE_Field
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:191
#49 0x7f31c8cd2b3c in dissect_nbap_ProtocolIE_Single_Container
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:215
#51 0x7f31c8055eb2 in dissect_per_sequence_of_helper
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:564
#52 0x7f31c8055eb2 in dissect_per_constrained_sequence_of
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:939
#54 0x7f31c8c71aed in dissect_nbap_RL_InformationList_RL_SetupRqstFDD
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:371
#55 0x7f31c8c71aed in dissect_RL_InformationList_RL_SetupRqstFDD_PDU
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:5916
#57 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
#59 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
#61 0x7f31c6d0ab62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
#63 0x7f31c8cd2c97 in dissect_ProtocolIEFieldValue
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/packet-nbap-template.c:823
#65 0x7f31c804c211 in dissect_per_open_type_internal
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:232
#67 0x7f31c804c8e2 in dissect_per_open_type_pdu_new
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:253
#69 0x7f31c805f338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
#71 0x7f31c8cd2bac in dissect_nbap_ProtocolIE_Field
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:191
#73 0x7f31c8055eb2 in dissect_per_sequence_of_helper
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:564
#74 0x7f31c8055eb2 in dissect_per_constrained_sequence_of
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:939
#76 0x7f31c8d18b47 in dissect_nbap_ProtocolIE_Container
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:204
#78 0x7f31c805f338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
#80 0x7f31c8cc3bf7 in dissect_nbap_RadioLinkSetupRequestFDD
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:261
#81 0x7f31c8cc3bf7 in dissect_RadioLinkSetupRequestFDD_PDU
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:5884
#83 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
#85 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
#87 0x7f31c6d0cd5b in dissector_try_string_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1660
#88 0x7f31c6d0cd5b in dissector_try_string
/home/fuzzer/wireshark/wireshark/epan/packet.c:1685
#90 0x7f31c8ccf4dc in dissect_InitiatingMessageValue
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/packet-nbap-template.c:836
#92 0x7f31c804c211 in dissect_per_open_type_internal
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:232
#94 0x7f31c804c8e2 in dissect_per_open_type_pdu_new
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:253
#96 0x7f31c805f338 in dissect_per_sequence
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1908
#98 0x7f31c8cce31c in dissect_nbap_InitiatingMessage
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:757
#100 0x7f31c805d3ac in dissect_per_choice
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-per.c:1758
#102 0x7f31c8c4fb01 in dissect_nbap_NBAP_PDU
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:863
#103 0x7f31c8c4fb01 in dissect_NBAP_PDU_PDU
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/nbap.cnf:8468
#104 0x7f31c8c4fb01 in dissect_nbap
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/packet-nbap-template.c:1023
#106 0x7f31c8c591a2 in dissect_nbap_heur
/home/fuzzer/wireshark/wireshark/epan/dissectors/./asn1/nbap/packet-nbap-template.c:1094
#108 0x7f31c6d11c50 in dissector_try_heuristic
/home/fuzzer/wireshark/wireshark/epan/packet.c:2701
#110 0x7f31c82e8b83 in dissect_payload
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-sctp.c:2547
#112 0x7f31c82df730 in dissect_data_chunk
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-sctp.c:3449
#114 0x7f31c82d89de in dissect_sctp_chunk
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-sctp.c:4417
#116 0x7f31c82d6d6a in dissect_sctp_chunks
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-sctp.c:4575
#117 0x7f31c82d6d6a in dissect_sctp_packet
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-sctp.c:4716
#119 0x7f31c82d2545 in dissect_sctp
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-sctp.c:4780
#121 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
#123 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
#125 0x7f31c6d0ab62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
#127 0x7f31c7a45501 in ip_try_dissect
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-ip.c:1845
#128 0x7f31c7a45501 in dissect_ip_v4
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-ip.c:2303
#130 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
#132 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
#134 0x7f31c6d0b8de in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
#135 0x7f31c6d0b8de in dissector_try_uint
/home/fuzzer/wireshark/wireshark/epan/packet.c:1385
#137 0x7f31c76c87b0 in dissect_ethertype
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-ethertype.c:259
#139 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
#141 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
#143 0x7f31c6d06f0b in call_dissector_only
/home/fuzzer/wireshark/wireshark/epan/packet.c:3092
#144 0x7f31c6d06f0b in call_dissector_with_data
/home/fuzzer/wireshark/wireshark/epan/packet.c:3105
#146 0x7f31c76c551e in dissect_eth_common
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-eth.c:526
#148 0x7f31c76c3087 in dissect_eth
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-eth.c:801
(discriminator 3)
#150 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
#152 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
#154 0x7f31c6d0ab62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
#156 0x7f31c7748901 in dissect_frame
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-frame.c:579
#158 0x7f31c6d1a291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
#160 0x7f31c6d0b0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
#162 0x7f31c6d06f0b in call_dissector_only
/home/fuzzer/wireshark/wireshark/epan/packet.c:3092
#163 0x7f31c6d06f0b in call_dissector_with_data
/home/fuzzer/wireshark/wireshark/epan/packet.c:3105
#165 0x7f31c6d05fd7 in dissect_record
/home/fuzzer/wireshark/wireshark/epan/packet.c:568
#167 0x7f31c6ce1d15 in epan_dissect_run
/home/fuzzer/wireshark/wireshark/epan/epan.c:527
#169 0x5185b3 in process_packet_first_pass
/home/fuzzer/wireshark/wireshark/tshark.c:2917
#170 0x5185b3 in process_cap_file
/home/fuzzer/wireshark/wireshark/tshark.c:3186
#171 0x5185b3 in main /home/fuzzer/wireshark/wireshark/tshark.c:2033
#173 0x7f31bd5a482f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#175 0x424098 in _start ??:?
0x7f302b97080c is located 12 bytes to the right of 8388608-byte region
[0x7f302b170800,0x7f302b970800)
allocated by thread T0 here:
#0 0x4c41c8 in __interceptor_malloc ??:?
#2 0x7f31be941718 in g_malloc ??:?
#4 0x7f31c938135a in wmem_block_new_block
/home/fuzzer/wireshark/wireshark/epan/wmem/wmem_allocator_block.c:765
#5 0x7f31c938135a in wmem_block_alloc
/home/fuzzer/wireshark/wireshark/epan/wmem/wmem_allocator_block.c:873
#7 0x7f31c937e40b in wmem_alloc
/home/fuzzer/wireshark/wireshark/epan/wmem/wmem_core.c:46
#9 0x7f31c938ab13 in wmem_list_new
/home/fuzzer/wireshark/wireshark/epan/wmem/wmem_list.c:224
#11 0x7f31c7fd4b68 in setup_dissector
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-opensafety.c:312
(discriminator 1)
#13 0x7f31be95a09c in g_slist_foreach ??:?
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/home/fuzzer/wireshark/wireshark/epan/.libs/libwireshark.so.0+0x9c9585a)
Shadow bytes around the buggy address:
==130973==ABORTING
Credit goes to: Otto Airamo and Antti Levomäki, Forcepoint
Sent via: Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>