[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-03 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #17 from Gerrit Code Review  ---
Change 30481 merged by Michael Mann:
IAX: Don't try and copy a non-existent address

https://code.wireshark.org/review/30481

-- 
You are receiving this mail because:
You are watching all bug changes.

Sent via: Wireshark-bugs mailing list
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

Michael Mann  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|CONFIRMED   |RESOLVED


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #16 from Gerrit Code Review  ---
Change 30483 merged by Michael Mann:
IAX: Don't try and convert an invalid codec to a mask

https://code.wireshark.org/review/30483


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #15 from Tom Hughes  ---
Ah I didn't realise I actually had a fuzzshark to run.

I've opened https://code.wireshark.org/review/30483 for the second issue.


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #14 from Gerrit Code Review  ---
Change 30483 had a related patch set uploaded by Tom Hughes:
IAX: Don't try and convert an invalid codec to a mask

https://code.wireshark.org/review/30483


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #13 from Johannes Altmanninger  ---
(In reply to Tom Hughes from comment #12)
> If I'm reading comment #2 right then he actually ran fuzzshark on the
> truncated packet which presumably made more changes to it?

Apparently it's not fuzzing the input but just reproducing the failure.


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #12 from Tom Hughes  ---
If I'm reading comment #2 right then he actually ran fuzzshark on the truncated
packet which presumably made more changes to it?


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #11 from Tom Hughes  ---
I tried that but tshark just said it was an invalid capture file and refused to
read it:

% ./run/tshark -r /tmp/clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5680214932193280
tshark: The file "/tmp/clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5680214932193280" isn't a capture file in a format TShark understands.


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #10 from Johannes Altmanninger  ---
(In reply to Tom Hughes from comment #9)
> I've opened https://code.wireshark.org/review/30481 for the null argument
> issue.
> 
> Do we have a capture of the packet which triggered the second (shift) issue?

Yes, if we take the last twenty bytes of the .pcap as described by Peter
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251#c2


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #9 from Tom Hughes  ---
I've opened https://code.wireshark.org/review/30481 for the null argument
issue.

Do we have a capture of the packet which triggered the second (shift) issue?


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #8 from Gerrit Code Review  ---
Change 30481 had a related patch set uploaded by Tom Hughes:
IAX: Don't try and copy a non-existent address

https://code.wireshark.org/review/30481


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #7 from Tom Hughes  ---
I'm not sure the null argument thing is actually anything to do with my edits -
the problem seems to be that the packet has no source address because there is
no IP header on it and iax_circuit_lookup is not able to cope with that when it
tries to create a hash to identify the circuit.

I should be able to fix it but I don't think it was introduced by my edit.

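The failure Tom describes in comment #7 (a frame with no IP header, so the source address has no bytes, and the circuit lookup copies from it anyway) is a pattern worth seeing in hardened form. The following is an added example written for this page, not Wireshark's code: the `address`, `circuit_key` and all function names are constructed stand-ins for the real `epan` types, the FNV-1a hash is a substitute for whatever the dissector uses, and the sample addresses are made up. The point it shows is that the copy into the hash key is gated on the address actually carrying data, so `memcpy` is never called with a NULL source.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Wireshark's address struct (assumption: only the
 * fields the check needs are modelled; this is not epan/address.h). */
enum addr_type { AT_NONE = 0, AT_IPv4 = 1, AT_IPv6 = 2 };

typedef struct {
    enum addr_type type;
    int len;          /* number of valid bytes in data */
    const void *data; /* NULL when the frame carried no network-layer header */
} address;

#define MAX_ADDR_LEN 16 /* enough for an IPv6 address */

/* Lookup key for a call "circuit": address bytes, UDP port and IAX2 call number. */
typedef struct {
    enum addr_type type;
    int len;
    uint8_t addr[MAX_ADDR_LEN];
    uint16_t port;
    uint16_t callno;
} circuit_key;

/* Fills *key and returns true only when the address carries bytes that can be
 * copied. An absent address (AT_NONE, len 0 or data NULL) returns false before
 * any memcpy, so memcpy's nonnull contract is never violated. */
bool circuit_key_build(circuit_key *key, const address *addr,
                       uint16_t port, uint16_t callno)
{
    memset(key, 0, sizeof *key);
    if (addr == NULL || addr->type == AT_NONE || addr->len <= 0 ||
        addr->data == NULL || addr->len > MAX_ADDR_LEN)
        return false;
    key->type = addr->type;
    key->len = addr->len;
    memcpy(key->addr, addr->data, (size_t)addr->len);
    key->port = port;
    key->callno = callno;
    return true;
}

/* FNV-1a over the meaningful bytes of the key. Only key->len address bytes are
 * hashed, so the zero padding in addr[] never influences the result. */
uint32_t circuit_key_hash(const circuit_key *key)
{
    uint32_t h = 2166136261u;
    int i;
    h = (h ^ (uint32_t)key->type) * 16777619u;
    for (i = 0; i < key->len; i++)
        h = (h ^ key->addr[i]) * 16777619u;
    h = (h ^ (uint32_t)(key->port & 0xff)) * 16777619u;
    h = (h ^ (uint32_t)(key->port >> 8)) * 16777619u;
    h = (h ^ (uint32_t)(key->callno & 0xff)) * 16777619u;
    h = (h ^ (uint32_t)(key->callno >> 8)) * 16777619u;
    return h;
}

/* Models the dissector's decision: hash and look the circuit up only when a
 * key could be built; otherwise skip call tracking for this frame.
 * Returns the hash on success, or -1 when the frame had no usable address. */
int64_t circuit_lookup_or_skip(const address *addr, uint16_t port, uint16_t callno)
{
    circuit_key key;
    if (!circuit_key_build(&key, addr, port, callno))
        return -1;
    return (int64_t)circuit_key_hash(&key);
}

/* Constructed sample inputs: a frame with an IPv4 source and a bare UDP
 * payload with no network-layer address at all. */
static const uint8_t sample_ip4[4] = { 192, 0, 2, 10 };

int64_t demo_lookup_with_ip(uint16_t port)
{
    address a = { AT_IPv4, 4, sample_ip4 };
    return circuit_lookup_or_skip(&a, port, 1);
}

int64_t demo_lookup_without_ip(uint16_t port)
{
    address a = { AT_NONE, 0, NULL };
    return circuit_lookup_or_skip(&a, port, 1);
}

int main(void)
{
    printf("with IP header:    %lld\n", (long long)demo_lookup_with_ip(4569));
    printf("without IP header: %lld\n", (long long)demo_lookup_without_ip(4569));
    return 0;
}
```

Under a UBSAN build the unguarded form of `circuit_key_build` (copying `addr->len` bytes from `addr->data` regardless) is exactly what produces the "null pointer passed as argument 2" report when a fuzzer feeds the dissector a payload without an IP layer; the guard turns that into a skipped lookup, which is the right outcome for a frame that cannot belong to any tracked call.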

[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #6 from Johannes Altmanninger  ---
Just in case you find it helpful, this is what I used. Note that the environment
variables have to be present when you run wireshark/fuzzshark. WS_BIN_PATH is
only necessary for running the tests; I set detect_leaks=0 so that the tests
pass.


export ASAN_OPTIONS=abort_on_error=1:detect_leaks=0
export UBSAN_OPTIONS=print_stacktrace=1
export WS_BIN_PATH=cmake-build-sanitizers/run

mkdir cmake-build-sanitizers
cd cmake-build-sanitizers

cmake .. -GNinja \
 -DCMAKE_C_COMPILER=clang \
 -DCMAKE_CXX_COMPILER=clang++ \
 -DENABLE_ASAN=1 -DENABLE_UBSAN=1 \
 -DCMAKE_BUILD_TYPE=Debug \
 -DCMAKE_EXPORT_COMPILE_COMMANDS=1 \
 -DDISABLE_WERROR=1


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #5 from Tom Hughes  ---
I found ENABLE_UBSAN now ;-)


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #4 from Tom Hughes  ---
So firstly the RFC is quite old and has never been updated to reflect
extensions like codecs outside the original 32 bit range so to some extent we
have to consider what users of the protocol are actually doing and asterisk is
the de facto source for the most part.

The reality has always been that while codecs are in principle just numbers,
and the compression scheme was written to support arbitrary numbers, in reality
there were always single bits because other parts of the protocol or them
together as a mask to represent a set of protocols.

As far as I know compressed codec numbers are only ever used in contexts where
only a single codec, and hence a single bit, will be set.

So the idea (which actually came from the reviewer) was to make the codec
dissection dispatch table use the shift number rather than the mask to avoid
having to create a 64 bit version of the dissector dispatch logic. That is why
uncompress treats anything with multiple bits set as invalid and returns -1 for
them.

Note that there were previously other cases which returned -1 so that wasn't a
new idea.

I think there are at least two problems I need to fix though...

One is that we can return a number far in excess of 63 which will cause the bad
shift warning.

The second is that we probably need to explicitly ignore -1 and not try and
dispatch a dissection based on it or something but I need to look at that in
more detail.

Is there a good way to get a ubsan build of wireshark so that I can reproduce
this?

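Tom's comment #4 lays out the two defects behind the "shift exponent 4294967295" report: the uncompress step can return a shift far above 63, and a -1 result must be skipped rather than shifted. The following is an added example, not the packet-iax2.c code or its fix: `uncompress_subclass`, `codec_mask_from_shift` and `dispatch_codec` are constructed here to model the scheme as the thread describes it (C bit set means the low 7 bits are a power-of-two exponent; C bit clear is taken as the raw value and only single-bit values are accepted, following Tom's observation that real traffic sets one bit). The codec table is illustrative, ordered from memory of Asterisk's legacy format bits, and the sample subclass bytes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IAX2_SUBCLASS_C_BIT 0x80 /* RFC 5456: set means "value is a power of two" */

/* Turns the on-the-wire subclass byte into a codec shift count, or -1 when it
 * cannot name exactly one codec.
 *  - C bit set:   the low 7 bits are the exponent; anything above 63 has no
 *                 place in a 64-bit mask, so it is rejected here instead of
 *                 being handed to a shift later.
 *  - C bit clear: the 7-bit value is taken as the raw codec value (assumption
 *                 from the thread); only single-bit values are accepted. */
int uncompress_subclass(uint8_t subclass)
{
    uint8_t v = subclass & 0x7f;
    int shift = 0;

    if (subclass & IAX2_SUBCLASS_C_BIT)
        return v <= 63 ? (int)v : -1;

    if (v == 0 || (v & (v - 1)) != 0) /* zero or more than one bit set */
        return -1;
    while (!(v & 1)) {
        v >>= 1;
        shift++;
    }
    return shift;
}

/* The only place a shift count becomes a mask. A false return means "no
 * codec" and must never be read as mask 0. The unchecked equivalent,
 * `mask = 1ULL << (unsigned)shift;`, shifts by 4294967295 when shift is -1,
 * which is the undefined behaviour UBSAN reported. */
bool codec_mask_from_shift(int shift, uint64_t *mask)
{
    if (shift < 0 || shift > 63)
        return false;
    *mask = (uint64_t)1 << shift;
    return true;
}

/* Convenience for callers that only want the value: 0 means "no codec". */
uint64_t codec_mask_or_zero(int shift)
{
    uint64_t m;
    return codec_mask_from_shift(shift, &m) ? m : 0;
}

/* Constructed dispatch table indexed by shift count (illustrative names). */
static const char *const codec_names[64] = {
    [0] = "G.723.1", [1] = "GSM",      [2] = "G.711 u-law", [3] = "G.711 A-law",
    [4] = "G.726",   [5] = "ADPCM",    [6] = "slinear",     [7] = "LPC10",
    [8] = "G.729",   [9] = "speex",    [10] = "iLBC",
};

/* Dispatch step: -1 and oversized shifts are dropped before any table index
 * or shift happens. Returns the codec name, or NULL when nothing should run. */
const char *dispatch_codec(uint8_t subclass)
{
    uint64_t mask;
    int shift = uncompress_subclass(subclass);
    if (!codec_mask_from_shift(shift, &mask))
        return NULL; /* explicitly ignore invalid codecs */
    return codec_names[shift] ? codec_names[shift] : "unknown codec bit";
}

int main(void)
{
    /* Constructed subclass bytes covering the cases discussed in the report:
     * plain single bit, compressed exponent, exponent 63, exponent 127,
     * two bits set, zero. */
    const uint8_t samples[] = { 0x02, 0x84, 0xBF, 0xFF, 0x03, 0x00 };
    size_t i;
    for (i = 0; i < sizeof samples; i++) {
        const char *name = dispatch_codec(samples[i]);
        printf("subclass 0x%02X -> shift %3d -> %s\n", samples[i],
               uncompress_subclass(samples[i]), name ? name : "ignored");
    }
    return 0;
}
```

Keeping the range check in one function and making every caller consume a boolean is what prevents the two bugs from recurring independently: a new dispatch path cannot accidentally shift by an unchecked value because it never sees a raw shift without going through `codec_mask_from_shift`.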

[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-11-02 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

Johannes Altmanninger  changed:

   What|Removed |Added

 CC||aclo...@gmail.com,
   ||t...@compton.nu

--- Comment #3 from Johannes Altmanninger  ---
CCing Tom Hughes as the undefined shift was introduced last week in [1].
I tried to find out how to properly fix this but I haven't had any luck so far.
I don't understand some things, in particular, RFC 5456 states that the
subclass field should be interpreted as an unsigned 7-bit integer if the 'C'
bit is 0, but the code in uncompress_subclass returns -1 for a lot of those
cases. Is there a place where the format is documented? Perhaps [3] acts as
canonical source?

Also I'm pretty sure we should use 0x40 instead of 40 in [4]. This seems to be
another unrelated issue.


[1]
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blobdiff;f=epan/dissectors/packet-iax2.c;h=471d582bddf295c4379df12083ba9ebd801a4f3a;hp=589f1f0298292841a24f6b42d9f3026315d67d8e;hb=27070dd05964823adefbd159595e61b515c52e49;hpb=99c62bf79710a8fa97d368fa0b2c54b9d1cc6484

[2] https://tools.ietf.org/html/rfc5456#page-44

[3] https://github.com/asterisk/asterisk/blob/master/channels/chan_iax2.c#L1828

[4]
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-iax2.c;h=aafd9eae3bc1f2ee907b19baf56082b04c5dc1ea;hb=HEAD#l1896


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-10-31 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #2 from Peter Wu  ---
The oss-fuzz warning was about a different issue (undefined shift) and can be
reproduced with the original file:

tail -c 20 clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5680214932193280.pcap \
  > clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5680214932193280 && \
  HOME=/x FUZZSHARK_TARGET=udp fuzzshark clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5680214932193280

epan/dissectors/packet-iax2.c:721:35: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
#0 0x7fba27a8b96e in iax_circuit_lookup epan/dissectors/packet-iax2.c:721:5
#1 0x7fba27a86851 in iax_lookup_call epan/dissectors/packet-iax2.c:973:20
#2 0x7fba27a8064b in dissect_fullpacket epan/dissectors/packet-iax2.c:1790:18
#3 0x7fba27a7fbb4 in dissect_iax2 epan/dissectors/packet-iax2.c:1232:13
#4 0x7fba2aa2f685 in call_dissector_through_handle epan/packet.c:706:9
#5 0x7fba2aa1a388 in call_dissector_work epan/packet.c:791:9
#6 0x7fba2aa19428 in dissector_try_uint_new epan/packet.c:1383:8
#7 0x7fba2aa1ac1b in dissector_try_uint epan/packet.c:1407:9
#8 0x7fba290510ab in decode_udp_ports epan/dissectors/packet-udp.c:666:7
#9 0x7fba2906429f in dissect epan/dissectors/packet-udp.c:1127:5
#10 0x7fba29055c8d in dissect_udp epan/dissectors/packet-udp.c:1133:3
#11 0x7fba2aa2f685 in call_dissector_through_handle epan/packet.c:706:9
#12 0x7fba2aa1a388 in call_dissector_work epan/packet.c:791:9
#13 0x7fba2aa2896a in call_dissector_only epan/packet.c:3141:8
#14 0x7fba2aa2c70b in call_all_postdissectors epan/packet.c:3516:3
#15 0x7fba277735e9 in dissect_frame epan/dissectors/packet-frame.c:681:5
#16 0x7fba2aa2f685 in call_dissector_through_handle epan/packet.c:706:9
#17 0x7fba2aa1a388 in call_dissector_work epan/packet.c:791:9
#18 0x7fba2aa2896a in call_dissector_only epan/packet.c:3141:8
#19 0x7fba2aa120b4 in call_dissector_with_data epan/packet.c:3154:8
#20 0x7fba2aa11408 in dissect_record epan/packet.c:580:3
#21 0x7fba2a9c0bd8 in epan_dissect_run epan/epan.c:534:2
#22 0x55afeb65c61e in LLVMFuzzerTestOneInput fuzz/fuzzshark.c:360:2
#23 0x55afeb65f017 in main fuzz/StandaloneFuzzTargetMain.c:122:5
#24 0x7fba1c43b222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
#25 0x55afeb5484cd in _start (run/fuzzshark+0x234cd)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior epan/dissectors/packet-iax2.c:721:35 in 

epan/dissectors/packet-iax2.c:1902:93: runtime error: shift exponent 4294967295 is too large for 64-bit type 'unsigned long'
#0 0x7fba27a82616 in dissect_fullpacket epan/dissectors/packet-iax2.c:1902:93
#1 0x7fba27a7fbb4 in dissect_iax2 epan/dissectors/packet-iax2.c:1232:13
#2 0x7fba2aa2f685 in call_dissector_through_handle epan/packet.c:706:9
#3 0x7fba2aa1a388 in call_dissector_work epan/packet.c:791:9
#4 0x7fba2aa19428 in dissector_try_uint_new epan/packet.c:1383:8
#5 0x7fba2aa1ac1b in dissector_try_uint epan/packet.c:1407:9
#6 0x7fba290510ab in decode_udp_ports epan/dissectors/packet-udp.c:666:7
#7 0x7fba2906429f in dissect epan/dissectors/packet-udp.c:1127:5
#8 0x7fba29055c8d in dissect_udp epan/dissectors/packet-udp.c:1133:3
#9 0x7fba2aa2f685 in call_dissector_through_handle epan/packet.c:706:9
#10 0x7fba2aa1a388 in call_dissector_work epan/packet.c:791:9
#11 0x7fba2aa2896a in call_dissector_only epan/packet.c:3141:8
#12 0x7fba2aa2c70b in call_all_postdissectors epan/packet.c:3516:3
#13 0x7fba277735e9 in dissect_frame epan/dissectors/packet-frame.c:681:5
#14 0x7fba2aa2f685 in call_dissector_through_handle epan/packet.c:706:9
#15 0x7fba2aa1a388 in call_dissector_work epan/packet.c:791:9
#16 0x7fba2aa2896a in call_dissector_only epan/packet.c:3141:8
#17 0x7fba2aa120b4 in call_dissector_with_data epan/packet.c:3154:8
#18 0x7fba2aa11408 in dissect_record epan/packet.c:580:3
#19 0x7fba2a9c0bd8 in epan_dissect_run epan/epan.c:534:2
#20 0x55afeb65c61e in LLVMFuzzerTestOneInput fuzz/fuzzshark.c:360:2
#21 0x55afeb65f017 in main fuzz/StandaloneFuzzTargetMain.c:122:5
#22 0x7fba1c43b222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
#23 0x55afeb5484cd in _start (run/fuzzshark+0x234cd)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior epan/dissectors/packet-iax2.c:1902:93 in


[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35

2018-10-31 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #1 from Peter Wu  ---
Created attachment 16688
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16688&action=edit
Packet capture file
