[Wireshark-bugs] [Bug 15251] [oss-fuzz] UBSAN: null pointer passed as argument 2, which is declared to never be null in packet-iax2.c:721:35
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251

--- Comment #17 from Gerrit Code Review ---
Change 30481 merged by Michael Mann:

IAX: Don't try and copy a non-existent address

https://code.wireshark.org/review/30481

--
You are receiving this mail because:
You are watching all bug changes.
___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe
Michael Mann changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|CONFIRMED                   |RESOLVED
--- Comment #16 from Gerrit Code Review ---
Change 30483 merged by Michael Mann:

IAX: Don't try and convert an invalid codec to a mask

https://code.wireshark.org/review/30483
--- Comment #15 from Tom Hughes ---
Ah, I didn't realise I actually had a fuzzshark to run. I've opened https://code.wireshark.org/review/30483 for the second issue.
--- Comment #14 from Gerrit Code Review ---
Change 30483 had a related patch set uploaded by Tom Hughes:

IAX: Don't try and convert an invalid codec to a mask

https://code.wireshark.org/review/30483
--- Comment #13 from Johannes Altmanninger ---
(In reply to Tom Hughes from comment #12)
> If I'm reading comment #2 right then he actually ran fuzzshark on the
> truncated packet which presumably made more changes to it?

Apparently it's not fuzzing the input but just reproducing the failure.
--- Comment #12 from Tom Hughes ---
If I'm reading comment #2 right, then he actually ran fuzzshark on the truncated packet, which presumably made more changes to it?
--- Comment #11 from Tom Hughes ---
I tried that but tshark just said it was an invalid capture file and refused to read it:

% ./run/tshark -r /tmp/clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5680214932193280
tshark: The file "/tmp/clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5680214932193280" isn't a capture file in a format TShark understands.
--- Comment #10 from Johannes Altmanninger ---
(In reply to Tom Hughes from comment #9)
> I've opened https://code.wireshark.org/review/30481 for the null argument
> issue.
>
> Do we have a capture of the packet which triggered the second (shift) issue?

Yes, if we take the last twenty bytes of the .pcap as described by Peter in
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15251#c2
--- Comment #9 from Tom Hughes ---
I've opened https://code.wireshark.org/review/30481 for the null argument issue.

Do we have a capture of the packet which triggered the second (shift) issue?
--- Comment #8 from Gerrit Code Review ---
Change 30481 had a related patch set uploaded by Tom Hughes:

IAX: Don't try and copy a non-existent address

https://code.wireshark.org/review/30481
--- Comment #7 from Tom Hughes ---
I'm not sure the null argument thing is actually anything to do with my edits; the problem seems to be that the packet has no source address because there is no IP header on it, and iax_circuit_lookup is not able to cope with that when it tries to create a hash to identify the circuit. I should be able to fix it, but I don't think it was introduced by my edit.
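The guard Tom describes, as an added example that is not Wireshark's iax_circuit_lookup or its address types: a circuit key is built from a transport address that may be absent because no IP header preceded the UDP payload. The struct names, the ADDR_NONE type, the key layout, the FNV-1a hash and the sample addresses are assumptions constructed for illustration. What it shows is that memcpy's second argument is declared nonnull, so even a zero-length copy from a NULL address pointer is exactly what UBSAN reports; the absence check therefore has to run before the copy, and the caller gets a clear signal to skip call tracking for that packet.

```c
/* Added example (not Wireshark code): build a fixed-size circuit key from a
 * transport address that may be missing, without ever handing memcpy a NULL
 * source pointer. Types and names below are assumptions for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

enum addr_type { ADDR_NONE = 0, ADDR_IPV4 = 1, ADDR_IPV6 = 2 };

struct net_addr {
    enum addr_type type;
    uint32_t       len;    /* bytes at data; 0 when type == ADDR_NONE */
    const uint8_t *data;   /* NULL when type == ADDR_NONE (no IP header seen) */
};

#define MAX_ADDR_LEN 16

struct circuit_key {
    uint8_t  addr_type;
    uint8_t  addr_len;
    uint8_t  addr[MAX_ADDR_LEN];
    uint16_t port;
    uint16_t callno;
};

/* Returns false when the packet carries no usable source address. The caller
 * should then skip circuit lookup instead of hashing a key it cannot fill. */
static bool circuit_key_init(struct circuit_key *key, const struct net_addr *src,
                             uint16_t port, uint16_t callno)
{
    memset(key, 0, sizeof *key);            /* deterministic bytes for hashing */
    if (src->type == ADDR_NONE || src->data == NULL || src->len == 0 ||
        src->len > MAX_ADDR_LEN)
        return false;
    /* Only here is memcpy's "argument 2 is never null" contract satisfied;
     * memcpy(key->addr, NULL, 0) is what the sanitizer flagged. */
    memcpy(key->addr, src->data, src->len);
    key->addr_type = (uint8_t)src->type;
    key->addr_len  = (uint8_t)src->len;
    key->port      = port;
    key->callno    = callno;
    return true;
}

/* FNV-1a over the key bytes; any deterministic hash identifies the circuit. */
static uint32_t circuit_key_hash(const struct circuit_key *key)
{
    uint32_t h = 2166136261u;
    const uint8_t *p = (const uint8_t *)key;
    for (size_t i = 0; i < sizeof *key; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

int main(void)
{
    /* Constructed inputs: an IPv4 source, and a packet with no address at all. */
    static const uint8_t v4_bytes[4] = { 192, 0, 2, 1 };
    const struct net_addr with_ip = { ADDR_IPV4, 4, v4_bytes };
    const struct net_addr no_ip   = { ADDR_NONE, 0, NULL };
    struct circuit_key key;

    if (circuit_key_init(&key, &with_ip, 4569, 1))
        printf("circuit hash 0x%08x\n", circuit_key_hash(&key));
    if (!circuit_key_init(&key, &no_ip, 4569, 1))
        printf("no source address: skipping circuit lookup\n");
    return 0;
}
```

Built with clang -fsanitize=undefined, the unguarded variant (memcpy before the check) reports the same "null pointer passed as argument 2" line as comment #2; with the check first the sanitizer stays silent and the no-address packet is still dissected, just without call tracking.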
--- Comment #6 from Johannes Altmanninger ---
Just in case you find it helpful, this is what I used. Note that the environment variables have to be present when you run wireshark/fuzzshark. WS_BIN_PATH is only necessary for running the tests. I set detect_leaks=0 so that the tests pass.

export ASAN_OPTIONS=abort_on_error=1:detect_leaks=0
export UBSAN_OPTIONS=print_stacktrace=1
export WS_BIN_PATH=cmake-build-sanitizers/run

mkdir cmake-build-sanitizers
cd cmake-build-sanitizers
cmake .. -GNinja -DCMAKE_C_COMPILER=clang \
    -DCMAKE_CXX_COMPILER=clang++ \
    -DENABLE_ASAN=1 -DENABLE_UBSAN=1 \
    -DCMAKE_BUILD_TYPE=Debug \
    -DCMAKE_EXPORT_COMPILE_COMMANDS=1 \
    -DDISABLE_WERROR=1
--- Comment #5 from Tom Hughes ---
I found ENABLE_UBSAN now ;-)
--- Comment #4 from Tom Hughes ---
So firstly, the RFC is quite old and has never been updated to reflect extensions like codecs outside the original 32 bit range, so to some extent we have to consider what users of the protocol are actually doing, and asterisk is the de facto source for the most part.

The reality has always been that while codecs are in principle just numbers, and the compression scheme was written to support arbitrary numbers, in reality there were always single bits because other parts of the protocol OR them together as a mask to represent a set of protocols.

As far as I know, compressed codec numbers are only ever used in contexts where only a single codec, and hence a single bit, will be set.

So the idea (which actually came from the reviewer) was to make the codec dissection dispatch table use the shift number rather than the mask, to avoid having to create a 64 bit version of the dissector dispatch logic. That is why uncompress treats anything with multiple bits set as invalid and returns -1 for them. Note that there were previously other cases which returned -1, so that wasn't a new idea.

I think there are at least two problems I need to fix though...

One is that we can return a number far in excess of 63, which will cause the bad shift warning.

The second is that we probably need to explicitly ignore -1 and not try and dispatch a dissection based on it, or something, but I need to look at that in more detail.

Is there a good way to get a ubsan build of wireshark so that I can reproduce this?
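An added example, not Wireshark's uncompress_subclass or its dispatch code, of the subclass decoding Tom describes: the 'C' bit selects between a power-of-two exponent and a literal value (RFC 5456), the result is a codec *shift index* rather than a mask, and both the compressed -1 and exponents of 64 or more are rejected before anything is shifted. An unchecked `1 << shift` with shift == -1 is what produced the "shift exponent 4294967295 is too large for 64-bit type" report in comment #2 (the -1 viewed as a 32-bit unsigned count). The function and macro names, the 64-bit mask width and the sample bytes are assumptions constructed for illustration; the single-bit-to-shift mapping for the uncompressed case follows Tom's description, not verified Wireshark source.

```c
/* Added example (not Wireshark code): IAX2 full-frame subclass byte ->
 * codec shift index -> 64-bit codec mask, with the invalid inputs that
 * triggered the UBSAN shift report rejected up front. Names are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define IAX2_SUBCLASS_C_BIT  0x80   /* RFC 5456 'C' bit: value is 2^(low 7 bits) */
#define IAX2_SUBCLASS_VALUE  0x7f
#define IAX2_CODEC_MASK_BITS 64     /* assumed width of the codec mask */

/* Uncompress a subclass byte to a codec shift index (bit number), not a mask.
 * Returns -1 when the byte does not denote exactly one codec bit:
 *   - 0xff, the compressed encoding of -1 ("no codec");
 *   - 'C' set with an exponent of 64..127, which cannot be shifted into the mask;
 *   - 'C' clear with zero or more than one bit set, since the dispatch table
 *     is keyed by a single bit number.
 * Callers must test for -1 before using the result as a shift count. */
static int32_t iax2_subclass_to_shift(uint8_t csub)
{
    if (csub & IAX2_SUBCLASS_C_BIT) {
        if (csub == 0xff)
            return -1;
        int32_t shift = csub & IAX2_SUBCLASS_VALUE;       /* 0..127 on the wire */
        if (shift >= IAX2_CODEC_MASK_BITS)                /* the "far in excess of 63" case */
            return -1;
        return shift;
    }
    /* 'C' clear: the 7-bit value is the codec itself; accept only a single bit. */
    if (csub == 0 || (csub & (csub - 1)) != 0)
        return -1;
    int32_t shift = 0;
    while ((csub >> shift) != 1)
        shift++;
    return shift;                                          /* 0..6 */
}

/* Turn a shift index into a codec mask. An invalid index yields an empty mask
 * instead of the undefined (uint64_t)1 << (uint32_t)-1. */
static uint64_t iax2_codec_mask_from_shift(int32_t shift)
{
    if (shift < 0 || shift >= IAX2_CODEC_MASK_BITS)
        return 0;
    return (uint64_t)1 << shift;
}

/* Byte straight to mask; 0 means "no valid codec, do not dispatch". */
static uint64_t iax2_subclass_to_codec_mask(uint8_t csub)
{
    return iax2_codec_mask_from_shift(iax2_subclass_to_shift(csub));
}

int main(void)
{
    /* Constructed inputs: a valid compressed codec, a compressed exponent above
     * 63, the compressed -1, an uncompressed multi-bit value, a single bit. */
    const uint8_t samples[] = { 0x82, 0xc0, 0xff, 0x03, 0x40 };
    for (size_t i = 0; i < sizeof samples; i++) {
        int32_t shift = iax2_subclass_to_shift(samples[i]);
        printf("subclass 0x%02x -> shift %d -> mask 0x%016llx\n",
               samples[i], shift,
               (unsigned long long)iax2_codec_mask_from_shift(shift));
    }
    return 0;
}
```

Keeping the range check inside the mask helper as well as in the decoder is deliberate: the -1 sentinel is only safe while every consumer remembers to test for it, and a fuzzer will find the one call site that does not.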
Johannes Altmanninger changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aclo...@gmail.com,
                   |                            |t...@compton.nu

--- Comment #3 from Johannes Altmanninger ---
CCing Tom Hughes as the undefined shift was introduced last week in [1].

I tried to find out how to properly fix this but I haven't had any luck so far. I don't understand some things; in particular, RFC 5456 [2] states that the subclass field should be interpreted as an unsigned 7-bit integer if the 'C' bit is 0, but the code in uncompress_subclass returns -1 for a lot of those cases. Is there a place where the format is documented? Perhaps [3] acts as canonical source?

Also, I'm pretty sure we should use 0x40 instead of 40 in [4]. This seems to be another, unrelated issue.

[1] https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blobdiff;f=epan/dissectors/packet-iax2.c;h=471d582bddf295c4379df12083ba9ebd801a4f3a;hp=589f1f0298292841a24f6b42d9f3026315d67d8e;hb=27070dd05964823adefbd159595e61b515c52e49;hpb=99c62bf79710a8fa97d368fa0b2c54b9d1cc6484
[2] https://tools.ietf.org/html/rfc5456#page-44
[3] https://github.com/asterisk/asterisk/blob/master/channels/chan_iax2.c#L1828
[4] https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-iax2.c;h=aafd9eae3bc1f2ee907b19baf56082b04c5dc1ea;hb=HEAD#l1896
--- Comment #2 from Peter Wu ---
The oss-fuzz warning was about a different issue (undefined shift) and can be reproduced with the original file:

tail -c 20 clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5680214932193280.pcap > clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5680214932193280 && HOME=/x FUZZSHARK_TARGET=udp fuzzshark clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5680214932193280

epan/dissectors/packet-iax2.c:721:35: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
    #0 0x7fba27a8b96e in iax_circuit_lookup epan/dissectors/packet-iax2.c:721:5
    #1 0x7fba27a86851 in iax_lookup_call epan/dissectors/packet-iax2.c:973:20
    #2 0x7fba27a8064b in dissect_fullpacket epan/dissectors/packet-iax2.c:1790:18
    #3 0x7fba27a7fbb4 in dissect_iax2 epan/dissectors/packet-iax2.c:1232:13
    #4 0x7fba2aa2f685 in call_dissector_through_handle epan/packet.c:706:9
    #5 0x7fba2aa1a388 in call_dissector_work epan/packet.c:791:9
    #6 0x7fba2aa19428 in dissector_try_uint_new epan/packet.c:1383:8
    #7 0x7fba2aa1ac1b in dissector_try_uint epan/packet.c:1407:9
    #8 0x7fba290510ab in decode_udp_ports epan/dissectors/packet-udp.c:666:7
    #9 0x7fba2906429f in dissect epan/dissectors/packet-udp.c:1127:5
    #10 0x7fba29055c8d in dissect_udp epan/dissectors/packet-udp.c:1133:3
    #11 0x7fba2aa2f685 in call_dissector_through_handle epan/packet.c:706:9
    #12 0x7fba2aa1a388 in call_dissector_work epan/packet.c:791:9
    #13 0x7fba2aa2896a in call_dissector_only epan/packet.c:3141:8
    #14 0x7fba2aa2c70b in call_all_postdissectors epan/packet.c:3516:3
    #15 0x7fba277735e9 in dissect_frame epan/dissectors/packet-frame.c:681:5
    #16 0x7fba2aa2f685 in call_dissector_through_handle epan/packet.c:706:9
    #17 0x7fba2aa1a388 in call_dissector_work epan/packet.c:791:9
    #18 0x7fba2aa2896a in call_dissector_only epan/packet.c:3141:8
    #19 0x7fba2aa120b4 in call_dissector_with_data epan/packet.c:3154:8
    #20 0x7fba2aa11408 in dissect_record epan/packet.c:580:3
    #21 0x7fba2a9c0bd8 in epan_dissect_run epan/epan.c:534:2
    #22 0x55afeb65c61e in LLVMFuzzerTestOneInput fuzz/fuzzshark.c:360:2
    #23 0x55afeb65f017 in main fuzz/StandaloneFuzzTargetMain.c:122:5
    #24 0x7fba1c43b222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #25 0x55afeb5484cd in _start (run/fuzzshark+0x234cd)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior epan/dissectors/packet-iax2.c:721:35 in

epan/dissectors/packet-iax2.c:1902:93: runtime error: shift exponent 4294967295 is too large for 64-bit type 'unsigned long'
    #0 0x7fba27a82616 in dissect_fullpacket epan/dissectors/packet-iax2.c:1902:93
    #1 0x7fba27a7fbb4 in dissect_iax2 epan/dissectors/packet-iax2.c:1232:13
    #2 0x7fba2aa2f685 in call_dissector_through_handle epan/packet.c:706:9
    #3 0x7fba2aa1a388 in call_dissector_work epan/packet.c:791:9
    #4 0x7fba2aa19428 in dissector_try_uint_new epan/packet.c:1383:8
    #5 0x7fba2aa1ac1b in dissector_try_uint epan/packet.c:1407:9
    #6 0x7fba290510ab in decode_udp_ports epan/dissectors/packet-udp.c:666:7
    #7 0x7fba2906429f in dissect epan/dissectors/packet-udp.c:1127:5
    #8 0x7fba29055c8d in dissect_udp epan/dissectors/packet-udp.c:1133:3
    #9 0x7fba2aa2f685 in call_dissector_through_handle epan/packet.c:706:9
    #10 0x7fba2aa1a388 in call_dissector_work epan/packet.c:791:9
    #11 0x7fba2aa2896a in call_dissector_only epan/packet.c:3141:8
    #12 0x7fba2aa2c70b in call_all_postdissectors epan/packet.c:3516:3
    #13 0x7fba277735e9 in dissect_frame epan/dissectors/packet-frame.c:681:5
    #14 0x7fba2aa2f685 in call_dissector_through_handle epan/packet.c:706:9
    #15 0x7fba2aa1a388 in call_dissector_work epan/packet.c:791:9
    #16 0x7fba2aa2896a in call_dissector_only epan/packet.c:3141:8
    #17 0x7fba2aa120b4 in call_dissector_with_data epan/packet.c:3154:8
    #18 0x7fba2aa11408 in dissect_record epan/packet.c:580:3
    #19 0x7fba2a9c0bd8 in epan_dissect_run epan/epan.c:534:2
    #20 0x55afeb65c61e in LLVMFuzzerTestOneInput fuzz/fuzzshark.c:360:2
    #21 0x55afeb65f017 in main fuzz/StandaloneFuzzTargetMain.c:122:5
    #22 0x7fba1c43b222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #23 0x55afeb5484cd in _start (run/fuzzshark+0x234cd)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior epan/dissectors/packet-iax2.c:1902:93 in
--- Comment #1 from Peter Wu ---
Created attachment 16688
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16688&action=edit
Packet capture file