https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13640

            Bug ID: 13640
           Summary: [oss-fuzz] UBSAN: shift exponent -3 is negative in proto.c:10593:38
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1228
                OS: Linux (other)
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3251-gf3aaa5cd54)

Copyright 1998-2017 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.

Running on Linux 4.10.9-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.

Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1228

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
/tmp/ws-review/epan/proto.c:10593:38: runtime error: shift exponent -3 is negative
    #0 0x7fae673d41d4 in proto_tree_add_split_bits_item_ret_val /tmp/ws-review/epan/proto.c:10593:38
    #1 0x7fae643ecf0c in dissect_gmprs_rach_type2_kls2 /tmp/ws-review/epan/dissectors/packet-gmr1_rach.c:794:2
    #2 0x7fae643eba5e in dissect_gmr1_rach /tmp/ws-review/epan/dissectors/packet-gmr1_rach.c:932:3
    #3 0x7fae6729029d in call_dissector_through_handle /tmp/ws-review/epan/packet.c:684:8
    #4 0x7fae6727aa9f in call_dissector_work /tmp/ws-review/epan/packet.c:759:9
    #5 0x7fae672896b7 in call_dissector_only /tmp/ws-review/epan/packet.c:2992:8
    #6 0x7fae67271864 in call_dissector_with_data /tmp/ws-review/epan/packet.c:3005:8
    #7 0x7fae67289701 in call_dissector /tmp/ws-review/epan/packet.c:3022:9
    #8 0x7fae645268cf in dissect_gsmtap /tmp/ws-review/epan/dissectors/packet-gsmtap.c:585:3
    #9 0x7fae6729029d in call_dissector_through_handle /tmp/ws-review/epan/packet.c:684:8
    #10 0x7fae6727aa9f in call_dissector_work /tmp/ws-review/epan/packet.c:759:9
    #11 0x7fae67279abd in dissector_try_uint_new /tmp/ws-review/epan/packet.c:1329:8
    #12 0x7fae6727aff9 in dissector_try_uint /tmp/ws-review/epan/packet.c:1353:9
    #13 0x7fae65ae0b0b in decode_udp_ports /tmp/ws-review/epan/dissectors/packet-udp.c:673:7
    #14 0x7fae65af6642 in dissect /tmp/ws-review/epan/dissectors/packet-udp.c:1131:5
    #15 0x7fae65ae596f in dissect_udp /tmp/ws-review/epan/dissectors/packet-udp.c:1137:3
    #16 0x7fae6729029d in call_dissector_through_handle /tmp/ws-review/epan/packet.c:684:8
    #17 0x7fae6727aa9f in call_dissector_work /tmp/ws-review/epan/packet.c:759:9
    #18 0x7fae67279abd in dissector_try_uint_new /tmp/ws-review/epan/packet.c:1329:8
    #19 0x7fae647c455c in ip_try_dissect /tmp/ws-review/epan/dissectors/packet-ip.c:1854:7
    #20 0x7fae647d34e6 in dissect_ip_v4 /tmp/ws-review/epan/dissectors/packet-ip.c:2315:10
    #21 0x7fae6729029d in call_dissector_through_handle /tmp/ws-review/epan/packet.c:684:8
    #22 0x7fae6727aa9f in call_dissector_work /tmp/ws-review/epan/packet.c:759:9
    #23 0x7fae67279abd in dissector_try_uint_new /tmp/ws-review/epan/packet.c:1329:8
    #24 0x7fae6727aff9 in dissector_try_uint /tmp/ws-review/epan/packet.c:1353:9
    #25 0x7fae642402c3 in dissect_ethertype /tmp/ws-review/epan/dissectors/packet-ethertype.c:267:21
    #26 0x7fae6729029d in call_dissector_through_handle /tmp/ws-review/epan/packet.c:684:8
    #27 0x7fae6727aa9f in call_dissector_work /tmp/ws-review/epan/packet.c:759:9
    #28 0x7fae672896b7 in call_dissector_only /tmp/ws-review/epan/packet.c:2992:8
    #29 0x7fae67271864 in call_dissector_with_data /tmp/ws-review/epan/packet.c:3005:8
    #30 0x7fae6423c49e in dissect_eth_common /tmp/ws-review/epan/dissectors/packet-eth.c:536:5
    #31 0x7fae64231d27 in dissect_eth /tmp/ws-review/epan/dissectors/packet-eth.c:800:5
    #32 0x7fae6729029d in call_dissector_through_handle /tmp/ws-review/epan/packet.c:684:8
    #33 0x7fae6727aa9f in call_dissector_work /tmp/ws-review/epan/packet.c:759:9
    #34 0x7fae67279abd in dissector_try_uint_new /tmp/ws-review/epan/packet.c:1329:8
    #35 0x7fae643746b7 in dissect_frame /tmp/ws-review/epan/dissectors/packet-frame.c:521:11
    #36 0x7fae6729029d in call_dissector_through_handle /tmp/ws-review/epan/packet.c:684:8
    #37 0x7fae6727aa9f in call_dissector_work /tmp/ws-review/epan/packet.c:759:9
    #38 0x7fae672896b7 in call_dissector_only /tmp/ws-review/epan/packet.c:2992:8
    #39 0x7fae67271864 in call_dissector_with_data /tmp/ws-review/epan/packet.c:3005:8
    #40 0x7fae67270884 in dissect_record /tmp/ws-review/epan/packet.c:567:3
    #41 0x7fae67201048 in epan_dissect_run_with_taps /tmp/ws-review/epan/epan.c:474:2
    #42 0x556f5731fc86 in process_packet_single_pass /tmp/ws-review/tshark.c:3395:5
    #43 0x556f57318e0e in load_cap_file /tmp/ws-review/tshark.c:3232:11
    #44 0x556f57310b31 in main /tmp/ws-review/tshark.c:1954:13
    #45 0x7fae58869510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #46 0x556f571fe389 in _start (/tmp/ws-review/build/run/tshark+0xd0389)

SUMMARY: AddressSanitizer: undefined-behavior /tmp/ws-review/epan/proto.c:10593:38 in

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs