https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13618

            Bug ID: 13618
           Summary: [oss-fuzz] UBSAN: shift exponent 32 is too large for
                    32-bit type 'int' in packet-xot.c:260:23
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1171
                OS: Linux (other)
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3201-g913f9fb353)

Copyright 1998-2017 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.10, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy.

Running on Linux 4.10.9-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.10, with Gcrypt 1.7.6, with zlib 1.2.11.

Built using clang 4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1171

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
epan/dissectors/packet-xot.c:260:23: runtime error: shift exponent 32 is too large for 32-bit type 'int'
    #0 0x7f167756b4e2 in dissect_xot_pdu epan/dissectors/packet-xot.c:260:23
    #1 0x7f1676e24d63 in tcp_dissect_pdus epan/dissectors/packet-tcp.c:3505:13
    #2 0x7f167756a8fc in dissect_xot_tcp_heur epan/dissectors/packet-xot.c:316:7
    #3 0x7f16787ab77d in call_dissector_through_handle epan/packet.c:684:8
    #4 0x7f16787a9d34 in call_dissector_work_error epan/packet.c:824:9
    #5 0x7f1678795ebe in call_dissector_work epan/packet.c:754:9
    #6 0x7f1678794efd in dissector_try_uint_new epan/packet.c:1329:8
    #7 0x7f1676e270cd in decode_tcp_ports epan/dissectors/packet-tcp.c:5430:9
    #8 0x7f1676e32601 in process_tcp_payload epan/dissectors/packet-tcp.c:5499:13
    #9 0x7f1676e2a6ec in dissect_tcp_payload epan/dissectors/packet-tcp.c:5575:9
    #10 0x7f1676e50a45 in dissect_tcp epan/dissectors/packet-tcp.c:6440:13
    #11 0x7f16787ab77d in call_dissector_through_handle epan/packet.c:684:8
    #12 0x7f16787a9d34 in call_dissector_work_error epan/packet.c:824:9
    #13 0x7f1678795ebe in call_dissector_work epan/packet.c:754:9
    #14 0x7f1678794efd in dissector_try_uint_new epan/packet.c:1329:8
    #15 0x7f1675c8120c in ip_try_dissect epan/dissectors/packet-ip.c:1854:7
    #16 0x7f1675c90196 in dissect_ip_v4 epan/dissectors/packet-ip.c:2315:10
    #17 0x7f1675c81da3 in dissect_ip epan/dissectors/packet-ip.c:2339:5
    #18 0x7f16787ab77d in call_dissector_through_handle epan/packet.c:684:8
    #19 0x7f16787a9d34 in call_dissector_work_error epan/packet.c:824:9
    #20 0x7f1678795ebe in call_dissector_work epan/packet.c:754:9
    #21 0x7f16787a4b07 in call_dissector_only epan/packet.c:2992:8
    #22 0x7f167878cc44 in call_dissector_with_data epan/packet.c:3005:8
    #23 0x7f16787a4b51 in call_dissector epan/packet.c:3022:9
    #24 0x7f1675b218c5 in dissect_icmp epan/dissectors/packet-icmp.c:1448:3
    #25 0x7f16787ab77d in call_dissector_through_handle epan/packet.c:684:8
    #26 0x7f1678795edf in call_dissector_work epan/packet.c:759:9
    #27 0x7f1678794efd in dissector_try_uint_new epan/packet.c:1329:8
    #28 0x7f1675c8120c in ip_try_dissect epan/dissectors/packet-ip.c:1854:7
    #29 0x7f1675c90196 in dissect_ip_v4 epan/dissectors/packet-ip.c:2315:10
    #30 0x7f16787ab77d in call_dissector_through_handle epan/packet.c:684:8
    #31 0x7f1678795edf in call_dissector_work epan/packet.c:759:9
    #32 0x7f1678794efd in dissector_try_uint_new epan/packet.c:1329:8
    #33 0x7f1678796439 in dissector_try_uint epan/packet.c:1353:9
    #34 0x7f16756ff44b in dissect_ethertype epan/dissectors/packet-ethertype.c:267:21
    #35 0x7f16787ab77d in call_dissector_through_handle epan/packet.c:684:8
    #36 0x7f1678795edf in call_dissector_work epan/packet.c:759:9
    #37 0x7f16787a4b07 in call_dissector_only epan/packet.c:2992:8
    #38 0x7f167878cc44 in call_dissector_with_data epan/packet.c:3005:8
    #39 0x7f16756fb620 in dissect_eth_common epan/dissectors/packet-eth.c:536:5
    #40 0x7f16756f0ea7 in dissect_eth epan/dissectors/packet-eth.c:800:5
    #41 0x7f16787ab77d in call_dissector_through_handle epan/packet.c:684:8
    #42 0x7f1678795edf in call_dissector_work epan/packet.c:759:9
    #43 0x7f1678794efd in dissector_try_uint_new epan/packet.c:1329:8
    #44 0x7f1675833857 in dissect_frame epan/dissectors/packet-frame.c:521:11
    #45 0x7f16787ab77d in call_dissector_through_handle epan/packet.c:684:8
    #46 0x7f1678795edf in call_dissector_work epan/packet.c:759:9
    #47 0x7f16787a4b07 in call_dissector_only epan/packet.c:2992:8
    #48 0x7f167878cc44 in call_dissector_with_data epan/packet.c:3005:8
    #49 0x7f167878bc73 in dissect_record epan/packet.c:567:3
    #50 0x7f167871c7b8 in epan_dissect_run_with_taps epan/epan.c:462:2
    #51 0x559dd6c64d53 in process_packet_single_pass tshark.c:3560:5
    #52 0x559dd6c5d233 in load_cap_file tshark.c:3311:11
    #53 0x559dd6c545a6 in main tshark.c:1972:13
    #54 0x7f166a17a510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #55 0x559dd6b49359 in _start (run/tshark+0xd1359)

SUMMARY: AddressSanitizer: undefined-behavior epan/dissectors/packet-xot.c:260:23 in

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs