https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15632

            Bug ID: 15632
           Summary: [oss-fuzz] UBSAN: shift exponent 64 is too large for
                    64-bit type 'unsigned long' in
                    packet-ieee80211.c:22714:51
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13580
                OS: Linux
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Build Information:
TShark (Wireshark) 3.1.0 (v3.1.0rc0-362-g5a98368a)

Copyright 1998-2019 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.60.0, with zlib 1.2.11, without SMI, with c-ares 1.15.0, with Lua
5.2.4, with GnuTLS 3.6.6 and PKCS #11 support, with Gcrypt 1.8.4, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.36.0, with LZ4, with Snappy,
with libxml2 2.9.9.

Running on Linux 4.20.12-arch1-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @
2.60GHz (with SSE4.2), with 31984 MB of physical memory, with locale C, with
libpcap version 1.9.0-PRE-GIT (with TPACKET_V3), with GnuTLS 3.6.6, with Gcrypt
1.8.4, with zlib 1.2.11, binary plugins supported (0 loaded).

Built using clang 4.2.1 Compatible Clang 7.0.1 (tags/RELEASE_701/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13580

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark:
tshark -Vxr clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5729610101161984.pcap
--
epan/dissectors/packet-ieee80211.c:22714:51: runtime error: shift exponent 64
is too large for 64-bit type 'unsigned long'
    #0 0x7fe3f3064e61 in dissect_ieee80211_block_ack_details
epan/dissectors/packet-ieee80211.c:22714:51
    #1 0x7fe3f3063716 in add_mu_bar_trigger_dependent_user_info
epan/dissectors/packet-ieee80211.c:23010:12
    #2 0x7fe3f30632e9 in add_he_trigger_user_info
epan/dissectors/packet-ieee80211.c:23137:18
    #3 0x7fe3f305c6e6 in dissect_ieee80211_he_trigger
epan/dissectors/packet-ieee80211.c:23196:3
    #4 0x7fe3f304a462 in dissect_ieee80211_common
epan/dissectors/packet-ieee80211.c:23936:21
    #5 0x7fe3f302149c in dissect_ieee80211_centrino
epan/dissectors/packet-ieee80211.c:25159:3
    #6 0x7fe3f6032bf5 in call_dissector_through_handle epan/packet.c:706:9
    #7 0x7fe3f601d8f8 in call_dissector_work epan/packet.c:791:9
    #8 0x7fe3f601c998 in dissector_try_uint_new epan/packet.c:1383:8
    #9 0x7fe3f601e18b in dissector_try_uint epan/packet.c:1407:9
    #10 0x7fe3f2ae866b in dissect_ethertype
epan/dissectors/packet-ethertype.c:263:21
    #11 0x7fe3f6032bf5 in call_dissector_through_handle epan/packet.c:706:9
    #12 0x7fe3f601d8f8 in call_dissector_work epan/packet.c:791:9
    #13 0x7fe3f602beda in call_dissector_only epan/packet.c:3141:8
    #14 0x7fe3f6015704 in call_dissector_with_data epan/packet.c:3154:8
    #15 0x7fe3f2ae4a98 in dissect_eth_common epan/dissectors/packet-eth.c:527:5
    #16 0x7fe3f2ada07c in dissect_eth_withoutfcs
epan/dissectors/packet-eth.c:813:3
    #17 0x7fe3f6032bf5 in call_dissector_through_handle epan/packet.c:706:9
    #18 0x7fe3f601d8f8 in call_dissector_work epan/packet.c:791:9
    #19 0x7fe3f602beda in call_dissector_only epan/packet.c:3141:8
    #20 0x7fe3f6015704 in call_dissector_with_data epan/packet.c:3154:8
    #21 0x7fe3f602bf21 in call_dissector epan/packet.c:3171:9
    #22 0x7fe3f3c18b67 in dissect_pw_eth_cw
epan/dissectors/packet-pw-eth.c:75:9
    #23 0x7fe3f6032bf5 in call_dissector_through_handle epan/packet.c:706:9
    #24 0x7fe3f601d8f8 in call_dissector_work epan/packet.c:791:9
    #25 0x7fe3f602beda in call_dissector_only epan/packet.c:3141:8
    #26 0x7fe3f6015704 in call_dissector_with_data epan/packet.c:3154:8
    #27 0x7fe3f602bf21 in call_dissector epan/packet.c:3171:9
    #28 0x7fe3f3c19084 in dissect_pw_eth_heuristic
epan/dissectors/packet-pw-eth.c:130:9
    #29 0x7fe3f6032bf5 in call_dissector_through_handle epan/packet.c:706:9
    #30 0x7fe3f601d8f8 in call_dissector_work epan/packet.c:791:9
    #31 0x7fe3f602beda in call_dissector_only epan/packet.c:3141:8
    #32 0x7fe3f6015704 in call_dissector_with_data epan/packet.c:3154:8
    #33 0x7fe3f602bf21 in call_dissector epan/packet.c:3171:9
    #34 0x7fe3f368e912 in dissect_mpls epan/dissectors/packet-mpls.c:542:9
    #35 0x7fe3f6032bf5 in call_dissector_through_handle epan/packet.c:706:9
    #36 0x7fe3f601d8f8 in call_dissector_work epan/packet.c:791:9
    #37 0x7fe3f601c998 in dissector_try_uint_new epan/packet.c:1383:8
    #38 0x7fe3f601e18b in dissector_try_uint epan/packet.c:1407:9
    #39 0x7fe3f4599aa1 in decode_udp_ports epan/dissectors/packet-udp.c:685:7
    #40 0x7fe3f45ace39 in dissect epan/dissectors/packet-udp.c:1222:5
    #41 0x7fe3f459e6cd in dissect_udp epan/dissectors/packet-udp.c:1228:3
    #42 0x7fe3f6032bf5 in call_dissector_through_handle epan/packet.c:706:9
    #43 0x7fe3f601d8f8 in call_dissector_work epan/packet.c:791:9
    #44 0x7fe3f601c998 in dissector_try_uint_new epan/packet.c:1383:8
    #45 0x7fe3f2aff095 in dissect_exported_pdu
epan/dissectors/packet-exported_pdu.c:370:17
    #46 0x7fe3f6032bf5 in call_dissector_through_handle epan/packet.c:706:9
    #47 0x7fe3f601d8f8 in call_dissector_work epan/packet.c:791:9
    #48 0x7fe3f602beda in call_dissector_only epan/packet.c:3141:8
    #49 0x7fe3f2c23880 in dissect_frame epan/dissectors/packet-frame.c:623:6
    #50 0x7fe3f6032bf5 in call_dissector_through_handle epan/packet.c:706:9
    #51 0x7fe3f601d8f8 in call_dissector_work epan/packet.c:791:9
    #52 0x7fe3f602beda in call_dissector_only epan/packet.c:3141:8
    #53 0x7fe3f6015704 in call_dissector_with_data epan/packet.c:3154:8
    #54 0x7fe3f6014abc in dissect_record epan/packet.c:580:3
    #55 0x7fe3f5fc1ba8 in epan_dissect_run_with_taps epan/epan.c:563:2
    #56 0x5613148be37b in process_packet_single_pass tshark.c:3499:5
    #57 0x5613148b7585 in process_cap_file tshark.c:3332:11
    #58 0x5613148af555 in main tshark.c:2025:17
    #59 0x7fe3e7381222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
    #60 0x56131475358d in _start (run/tshark+0xdd58d)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
epan/dissectors/packet-ieee80211.c:22714:51 in

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-bugs