https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13642

            Bug ID: 13642
           Summary: [oss-fuzz] ASAN: heap-buffer-overflow
                    (run/tshark+0x100447) in __interceptor_strncmp.part.74
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1232
                OS: Linux (other)
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3256-g26d5b3dab9)

Copyright 1998-2017 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.

Running on Linux 4.10.9-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.

Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1232

Attached is the sample that triggers this error, which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
=================================================================
==32308==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x613000001149 at pc 0x5638e1b23448 bp 0x7ffe0574b310 sp 0x7ffe0574aac0
READ of size 2 at 0x613000001149 thread T0
    #0 0x5638e1b23447 in __interceptor_strncmp.part.74 (run/tshark+0x100447)
    #1 0x7fc64efbd068 in bootp_option epan/dissectors/packet-bootp.c:1949:7
    #2 0x7fc64efbaf95 in dissect_bootp epan/dissectors/packet-bootp.c:6067:18
    #3 0x7fc6528a9a6d in call_dissector_through_handle epan/packet.c:684:8
    #4 0x7fc65289426f in call_dissector_work epan/packet.c:759:9
    #5 0x7fc65289328d in dissector_try_uint_new epan/packet.c:1329:8
    #6 0x7fc64f875962 in dissect_exported_pdu epan/dissectors/packet-exported_pdu.c:307:17
    #7 0x7fc6528a9a6d in call_dissector_through_handle epan/packet.c:684:8
    #8 0x7fc65289426f in call_dissector_work epan/packet.c:759:9
    #9 0x7fc65289328d in dissector_try_uint_new epan/packet.c:1329:8
    #10 0x7fc64f993af7 in dissect_frame epan/dissectors/packet-frame.c:521:11
    #11 0x7fc6528a9a6d in call_dissector_through_handle epan/packet.c:684:8
    #12 0x7fc65289426f in call_dissector_work epan/packet.c:759:9
    #13 0x7fc6528a2e87 in call_dissector_only epan/packet.c:2992:8
    #14 0x7fc65288b034 in call_dissector_with_data epan/packet.c:3005:8
    #15 0x7fc65288a054 in dissect_record epan/packet.c:567:3
    #16 0x7fc65281a818 in epan_dissect_run_with_taps epan/epan.c:474:2
    #17 0x5638e1c15fb6 in process_packet_single_pass tshark.c:3395:5
    #18 0x5638e1c0f18e in load_cap_file tshark.c:3232:11
    #19 0x5638e1c06f6b in main tshark.c:1954:13
    #20 0x7fc644353510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #21 0x5638e1af47f9 in _start (run/tshark+0xd17f9)

0x613000001149 is located 0 bytes to the right of 329-byte region [0x613000001000,0x613000001149)
allocated by thread T0 here:
    #0 0x5638e1baa600 in realloc (run/tshark+0x187600)
    #1 0x7fc644d63d47 in g_realloc /build/src/glib/glib/gmem.c:159
    #2 0x7fc6457ab388 in wtap_read_packet_bytes wiretap/wtap.c:1349:2
    #3 0x7fc6455323f0 in libpcap_read_packet wiretap/libpcap.c:729:7
    #4 0x7fc645527527 in libpcap_read wiretap/libpcap.c:620:9
    #5 0x7fc6457aa518 in wtap_read wiretap/wtap.c:1242:7
    #6 0x5638e1c0ef18 in load_cap_file tshark.c:3227:12
    #7 0x5638e1c06f6b in main tshark.c:1954:13
    #8 0x7fc644353510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)

SUMMARY: AddressSanitizer: heap-buffer-overflow (run/tshark+0x100447) in __interceptor_strncmp.part.74
Shadow bytes around the buggy address:
  0x0c267fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff81e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff81f0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c267fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff8220: 00 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa
  0x0c267fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32308==ABORTING

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs