https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15961

--- Comment #1 from Gerald Combs <ger...@wireshark.org> ---
Configuring with ENABLE_ASAN=ON and running

$ WIRESHARK_DEBUG_WMEM_OVERRIDE=strict ./run/tshark -nVx -r /tmp/fuzz-2019-08-01-27827.pcap

here produces

=================================================================
==12969==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060007b47e0 at pc 0x7fbfcc26e66e bp 0x7ffee444f800 sp 0x7ffee444efa8
READ of size 30 at 0x6060007b47e0 thread T0
    #0 0x7fbfcc26e66d  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
    #1 0x7fbfb6f21432 in g_strdup (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6b432)
    #2 0x7fbfc12c2d7e in find_string_dtbl_entry ../epan/packet.c:1481
    #3 0x7fbfc12c349b in dissector_try_string_new ../epan/packet.c:1676
    #4 0x7fbfc12c35e4 in dissector_try_string ../epan/packet.c:1723
    #5 0x7fbfbf12ea75 in call_ber_oid_callback ../epan/dissectors/packet-ber.c:1103
    #6 0x7fbfc0969850 in dissect_cms_T_content asn1/cms/cms.cnf:141
    #7 0x7fbfbf1362de in dissect_ber_sequence ../epan/dissectors/packet-ber.c:2438
    #8 0x7fbfc09698ad in dissect_cms_ContentInfo asn1/cms/cms.cnf:123
    #9 0x7fbfbf138d47 in dissect_ber_choice ../epan/dissectors/packet-ber.c:2954
    #10 0x7fbfc0d72481 in dissect_pkinit_PaPkAsRep asn1/pkinit/packet-pkinit-fn.c:148
    #11 0x7fbfbf131bcf in dissect_ber_octet_string_wcb ../epan/dissectors/packet-ber.c:1810
    #12 0x7fbfc0ab2220 in dissect_kerberos_T_padata_value asn1/kerberos/kerberos.cnf:151
    #13 0x7fbfbf1362de in dissect_ber_sequence ../epan/dissectors/packet-ber.c:2438
    #14 0x7fbfc0ab2707 in dissect_kerberos_PA_DATA asn1/kerberos/kerberos.cnf:217
    #15 0x7fbfbf13c059 in dissect_ber_sq_of ../epan/dissectors/packet-ber.c:3552
    #16 0x7fbfbf13c370 in dissect_ber_sequence_of ../epan/dissectors/packet-ber.c:3580
    #17 0x7fbfc0ab275d in dissect_kerberos_SEQUENCE_OF_PA_DATA asn1/kerberos/kerberos.cnf:230
    #18 0x7fbfbf1362de in dissect_ber_sequence ../epan/dissectors/packet-ber.c:2438
    #19 0x7fbfc0ab2e0d in dissect_kerberos_KDC_REP asn1/kerberos/kerberos.cnf:319
    #20 0x7fbfbf12be83 in dissect_ber_tagged_type ../epan/dissectors/packet-ber.c:688
    #21 0x7fbfc0ab2eac in dissect_kerberos_AS_REP asn1/kerberos/kerberos.cnf:441
    #22 0x7fbfbf138d47 in dissect_ber_choice ../epan/dissectors/packet-ber.c:2954
    #23 0x7fbfc0ab43de in dissect_kerberos_Applications asn1/kerberos/kerberos.cnf:476
    #24 0x7fbfc0ab55e5 in dissect_kerberos_common asn1/kerberos/packet-kerberos-template.c:1993
    #25 0x7fbfc0ab5c8f in dissect_kerberos_udp asn1/kerberos/packet-kerberos-template.c:2055
    #26 0x7fbfc12c01ad in call_dissector_through_handle ../epan/packet.c:706
    #27 0x7fbfc12c0745 in call_dissector_work ../epan/packet.c:799
    #28 0x7fbfc12c8a44 in call_dissector_only ../epan/packet.c:3183
    #29 0x7fbfc128eb06 in try_conversation_call_dissector_helper ../epan/conversation.c:1352
    #30 0x7fbfc128ecf2 in try_conversation_dissector ../epan/conversation.c:1382
    #31 0x7fbfc040316f in decode_udp_ports ../epan/dissectors/packet-udp.c:640
    #32 0x7fbfc0407b28 in dissect ../epan/dissectors/packet-udp.c:1222
    #33 0x7fbfc0407bff in dissect_udp ../epan/dissectors/packet-udp.c:1228
    #34 0x7fbfc12c01ad in call_dissector_through_handle ../epan/packet.c:706
    #35 0x7fbfc12c0745 in call_dissector_work ../epan/packet.c:799
    #36 0x7fbfc12c2b1f in dissector_try_uint_new ../epan/packet.c:1399
    #37 0x7fbfbf95e58e in ip_try_dissect ../epan/dissectors/packet-ip.c:1835
    #38 0x7fbfbf9612cd in dissect_ip_v4 ../epan/dissectors/packet-ip.c:2293
    #39 0x7fbfc12c01ad in call_dissector_through_handle ../epan/packet.c:706
    #40 0x7fbfc12c0745 in call_dissector_work ../epan/packet.c:799
    #41 0x7fbfc12c2b1f in dissector_try_uint_new ../epan/packet.c:1399
    #42 0x7fbfc12c2bb6 in dissector_try_uint ../epan/packet.c:1423
    #43 0x7fbfbf626fdd in dissect_ethertype ../epan/dissectors/packet-ethertype.c:264
    #44 0x7fbfc12c01ad in call_dissector_through_handle ../epan/packet.c:706
    #45 0x7fbfc12c0745 in call_dissector_work ../epan/packet.c:799
    #46 0x7fbfc12c8a44 in call_dissector_only ../epan/packet.c:3183
    #47 0x7fbfc12c8a87 in call_dissector_with_data ../epan/packet.c:3196
    #48 0x7fbfbf624b5e in dissect_eth_common ../epan/dissectors/packet-eth.c:555
    #49 0x7fbfbf625d63 in dissect_eth ../epan/dissectors/packet-eth.c:831
    #50 0x7fbfc12c01ad in call_dissector_through_handle ../epan/packet.c:706
    #51 0x7fbfc12c0745 in call_dissector_work ../epan/packet.c:799
    #52 0x7fbfc12c8a44 in call_dissector_only ../epan/packet.c:3183
    #53 0x7fbfbf698122 in dissect_frame ../epan/dissectors/packet-frame.c:632
    #54 0x7fbfc12c01ad in call_dissector_through_handle ../epan/packet.c:706
    #55 0x7fbfc12c0745 in call_dissector_work ../epan/packet.c:799
    #56 0x7fbfc12c8a44 in call_dissector_only ../epan/packet.c:3183
    #57 0x7fbfc12c8a87 in call_dissector_with_data ../epan/packet.c:3196
    #58 0x7fbfc12bea5d in dissect_record ../epan/packet.c:580
    #59 0x7fbfc129ddef in epan_dissect_run_with_taps ../epan/epan.c:577
    #60 0x55a5834f9927 in process_packet_single_pass ../tshark.c:3754
    #61 0x55a5834f7ff3 in process_cap_file_single_pass ../tshark.c:3410
    #62 0x55a5834f8bf8 in process_cap_file ../tshark.c:3565
    #63 0x55a5834f34f1 in main ../tshark.c:2037
    #64 0x7fbfb6ae6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #65 0x55a5834d5ba9 in _start (/home/gerald/Development/wireshark/cmbuild/run/tshark+0x30ba9)

0x6060007b47fd is located 0 bytes to the right of 61-byte region [0x6060007b47c0,0x6060007b47fd)
freed by thread T0 here:
    #0 0x7fbfcc2fb7b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x7fbfc11e7f2e in wmem_free ../epan/wmem/wmem_core.c:65
    #2 0x7fbfc11ede95 in wmem_strict_free ../epan/wmem/wmem_allocator_strict.c:127
    #3 0x7fbfc11ee0bc in wmem_strict_free_all ../epan/wmem/wmem_allocator_strict.c:182
    #4 0x7fbfc11e81e8 in wmem_free_all_real ../epan/wmem/wmem_core.c:104
    #5 0x7fbfc11e8208 in wmem_free_all ../epan/wmem/wmem_core.c:110
    #6 0x7fbfc11f21c5 in wmem_leave_packet_scope ../epan/wmem/wmem_scopes.c:69
    #7 0x7fbfc129de00 in epan_dissect_run_with_taps ../epan/epan.c:581
    #8 0x55a5834f9927 in process_packet_single_pass ../tshark.c:3754
    #9 0x55a5834f7ff3 in process_cap_file_single_pass ../tshark.c:3410
    #10 0x55a5834f8bf8 in process_cap_file ../tshark.c:3565
    #11 0x55a5834f34f1 in main ../tshark.c:2037
    #12 0x7fbfb6ae6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x7fbfcc2fbb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7fbfb6f07ab8 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51ab8)
    #2 0x7fbfc11eda76 in wmem_strict_alloc ../epan/wmem/wmem_allocator_strict.c:81
    #3 0x7fbfc11edecb in wmem_strict_realloc ../epan/wmem/wmem_allocator_strict.c:139
    #4 0x7fbfc11e8160 in wmem_realloc ../epan/wmem/wmem_core.c:96
    #5 0x7fbfc11f39cc in wmem_strbuf_finalize ../epan/wmem/wmem_strbuf.c:276
    #6 0x7fbfc12b8bf9 in rel_oid_subid2string ../epan/oids.c:881
    #7 0x7fbfc12b8af4 in oid_subid2string ../epan/oids.c:858
    #8 0x7fbfc12ba1a6 in oid_encoded2string ../epan/oids.c:1147
    #9 0x7fbfbf13a5cd in dissect_ber_any_oid_str ../epan/dissectors/packet-ber.c:3280
    #10 0x7fbfbf13a7b4 in dissect_ber_object_identifier_str ../epan/dissectors/packet-ber.c:3314
    #11 0x7fbfc096977c in dissect_cms_ContentType asn1/cms/cms.cnf:133
    #12 0x7fbfbf1362de in dissect_ber_sequence ../epan/dissectors/packet-ber.c:2438
    #13 0x7fbfc09698ad in dissect_cms_ContentInfo asn1/cms/cms.cnf:123
    #14 0x7fbfbf1362de in dissect_ber_sequence ../epan/dissectors/packet-ber.c:2438
    #15 0x7fbfc0d7222b in dissect_pkinit_PaPkAsReq asn1/pkinit/packet-pkinit-fn.c:46
    #16 0x7fbfbf131bcf in dissect_ber_octet_string_wcb ../epan/dissectors/packet-ber.c:1810
    #17 0x7fbfc0ab21e2 in dissect_kerberos_T_padata_value asn1/kerberos/kerberos.cnf:148
    #18 0x7fbfbf1362de in dissect_ber_sequence ../epan/dissectors/packet-ber.c:2438
    #19 0x7fbfc0ab2707 in dissect_kerberos_PA_DATA asn1/kerberos/kerberos.cnf:217
    #20 0x7fbfbf13c059 in dissect_ber_sq_of ../epan/dissectors/packet-ber.c:3552
    #21 0x7fbfbf13c370 in dissect_ber_sequence_of ../epan/dissectors/packet-ber.c:3580
    #22 0x7fbfc0ab275d in dissect_kerberos_SEQUENCE_OF_PA_DATA asn1/kerberos/kerberos.cnf:230
    #23 0x7fbfbf1362de in dissect_ber_sequence ../epan/dissectors/packet-ber.c:2438
    #24 0x7fbfc0ab2c66 in dissect_kerberos_KDC_REQ asn1/kerberos/kerberos.cnf:429
    #25 0x7fbfbf12be83 in dissect_ber_tagged_type ../epan/dissectors/packet-ber.c:688
    #26 0x7fbfc0ab2d05 in dissect_kerberos_AS_REQ asn1/kerberos/kerberos.cnf:437
    #27 0x7fbfbf138d47 in dissect_ber_choice ../epan/dissectors/packet-ber.c:2954
    #28 0x7fbfc0ab43de in dissect_kerberos_Applications asn1/kerberos/kerberos.cnf:476
    #29 0x7fbfc0ab55e5 in dissect_kerberos_common asn1/kerberos/packet-kerberos-template.c:1993

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
Shadow bytes around the buggy address:
  0x0c0c800ee8a0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c800ee8b0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c800ee8c0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c800ee8d0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c800ee8e0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
=>0x0c0c800ee8f0: fd fd fd fa fa fa fa fa fd fd fd fd[fd]fd fd fd
  0x0c0c800ee900: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c800ee910: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
  0x0c0c800ee920: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c800ee930: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c800ee940: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12969==ABORTING

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe