https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13649

            Bug ID: 13649
           Summary: [oss-fuzz] Allocation too large: 4294967295 >
                    2147483648 (0xffffffff > 0x80000000)
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1212
                OS: Linux (other)
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3267-gdc9127ddff)

Copyright 1998-2017 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.

Running on Linux 4.10.9-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.

Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1212

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
Allocation too large: 4294967295 > 2147483648 (0xffffffff > 0x80000000)
    #0 0x562057c3bbf3 in __sanitizer_print_stack_trace (run/tshark+0x193bf3)
    #1 0x7f2b077cc8c6 in __sanitizer_malloc_hook (libmemlimit.so+0x8c6)
    #2 0x562057b800fb in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (run/tshark+0xd80fb)
    #3 0x562057c2f1c4 in malloc (run/tshark+0x1871c4)
    #4 0x7f2aeed08c88 in g_malloc /build/src/glib/glib/gmem.c:94
    #5 0x7f2afca6bc63 in tvb_generic_clone_offset_len epan/tvbuff.c:390:20
    #6 0x7f2afca6bbdc in tvb_clone_offset_len epan/tvbuff.c:411:9
    #7 0x7f2afca8d7d6 in subset_clone epan/tvbuff_subset.c:94:9
    #8 0x7f2afca6bbac in tvb_clone_offset_len epan/tvbuff.c:406:16
    #9 0x7f2afca8d7d6 in subset_clone epan/tvbuff_subset.c:94:9
    #10 0x7f2afca6bbac in tvb_clone_offset_len epan/tvbuff.c:406:16
    #11 0x7f2afca8d7d6 in subset_clone epan/tvbuff_subset.c:94:9
    #12 0x7f2afca6bbac in tvb_clone_offset_len epan/tvbuff.c:406:16
    #13 0x7f2afca8d7d6 in subset_clone epan/tvbuff_subset.c:94:9
    #14 0x7f2afca6bbac in tvb_clone_offset_len epan/tvbuff.c:406:16
    #15 0x7f2afca8d7d6 in subset_clone epan/tvbuff_subset.c:94:9
    #16 0x7f2afca6bbac in tvb_clone_offset_len epan/tvbuff.c:406:16
    #17 0x7f2afca8d7d6 in subset_clone epan/tvbuff_subset.c:94:9
    #18 0x7f2afca6bbac in tvb_clone_offset_len epan/tvbuff.c:406:16
    #19 0x7f2afc9f03ee in fragment_add_seq_work epan/reassemble.c:1843:18
    #20 0x7f2afc9d4ef5 in fragment_add_seq_common epan/reassemble.c:1983:6
    #21 0x7f2afc9d574f in fragment_add_seq_check_work epan/reassemble.c:2064:12
    #22 0x7f2afc9d5016 in fragment_add_seq_check epan/reassemble.c:2101:9
    #23 0x7f2afa5a4179 in dissect_opensafety_ssdo_message epan/dissectors/packet-opensafety.c:1294:32
    #24 0x7f2afa58a0a9 in dissect_opensafety_message epan/dissectors/packet-opensafety.c:1866:13
    #25 0x7f2afa585c7d in opensafety_package_dissector epan/dissectors/packet-opensafety.c:2219:18
    #26 0x7f2afa581c4e in dissect_opensafety_mbtcp epan/dissectors/packet-opensafety.c:2365:12
    #27 0x7f2afc850f0d in call_dissector_through_handle epan/packet.c:684:8
    #28 0x7f2afc83b70f in call_dissector_work epan/packet.c:759:9
    #29 0x7f2afc83d7af in dissector_try_string epan/packet.c:1628:9
    #30 0x7f2afa1d1df4 in dissect_modbus_data epan/dissectors/packet-mbtcp.c:987:20
    #31 0x7f2afa1d10d1 in dissect_modbus_response epan/dissectors/packet-mbtcp.c:1510:17
    #32 0x7f2afa1cda48 in dissect_modbus epan/dissectors/packet-mbtcp.c:1608:13
    #33 0x7f2afc850f0d in call_dissector_through_handle epan/packet.c:684:8
    #34 0x7f2afc83b70f in call_dissector_work epan/packet.c:759:9
    #35 0x7f2afc84a327 in call_dissector_only epan/packet.c:2992:8
    #36 0x7f2afc8324d4 in call_dissector_with_data epan/packet.c:3005:8
    #37 0x7f2afa1d2c47 in dissect_mbtcp_pdu_common epan/dissectors/packet-mbtcp.c:517:9
    #38 0x7f2afa1cde79 in dissect_mbudp epan/dissectors/packet-mbtcp.c:804:12
    #39 0x7f2afc850f0d in call_dissector_through_handle epan/packet.c:684:8
    #40 0x7f2afc83b70f in call_dissector_work epan/packet.c:759:9
    #41 0x7f2afc83a72d in dissector_try_uint_new epan/packet.c:1329:8
    #42 0x7f2afc83bc69 in dissector_try_uint epan/packet.c:1353:9
    #43 0x7f2afb0a3f0b in decode_udp_ports epan/dissectors/packet-udp.c:673:7
    #44 0x7f2afb0b9a42 in dissect epan/dissectors/packet-udp.c:1131:5
    #45 0x7f2afb0a8d6f in dissect_udp epan/dissectors/packet-udp.c:1137:3
    #46 0x7f2afc850f0d in call_dissector_through_handle epan/packet.c:684:8
    #47 0x7f2afc83b70f in call_dissector_work epan/packet.c:759:9
    #48 0x7f2afc83a72d in dissector_try_uint_new epan/packet.c:1329:8
    #49 0x7f2af9d874cc in ip_try_dissect epan/dissectors/packet-ip.c:1854:7
    #50 0x7f2af9d96456 in dissect_ip_v4 epan/dissectors/packet-ip.c:2315:10
    #51 0x7f2afc850f0d in call_dissector_through_handle epan/packet.c:684:8
    #52 0x7f2afc83b70f in call_dissector_work epan/packet.c:759:9
    #53 0x7f2afc83a72d in dissector_try_uint_new epan/packet.c:1329:8
    #54 0x7f2afc83bc69 in dissector_try_uint epan/packet.c:1353:9
    #55 0x7f2af9805303 in dissect_ethertype epan/dissectors/packet-ethertype.c:267:21
    #56 0x7f2afc850f0d in call_dissector_through_handle epan/packet.c:684:8
    #57 0x7f2afc83b70f in call_dissector_work epan/packet.c:759:9
    #58 0x7f2afc84a327 in call_dissector_only epan/packet.c:2992:8
    #59 0x7f2afc8324d4 in call_dissector_with_data epan/packet.c:3005:8
    #60 0x7f2af98014de in dissect_eth_common epan/dissectors/packet-eth.c:536:5
    #61 0x7f2af97f6d67 in dissect_eth epan/dissectors/packet-eth.c:800:5
    #62 0x7f2afc850f0d in call_dissector_through_handle epan/packet.c:684:8
    #63 0x7f2afc83b70f in call_dissector_work epan/packet.c:759:9
    #64 0x7f2afc83a72d in dissector_try_uint_new epan/packet.c:1329:8
    #65 0x7f2af99396f7 in dissect_frame epan/dissectors/packet-frame.c:521:11
    #66 0x7f2afc850f0d in call_dissector_through_handle epan/packet.c:684:8
    #67 0x7f2afc83b70f in call_dissector_work epan/packet.c:759:9
    #68 0x7f2afc84a327 in call_dissector_only epan/packet.c:2992:8
    #69 0x7f2afc8324d4 in call_dissector_with_data epan/packet.c:3005:8
    #70 0x7f2afc8314f4 in dissect_record epan/packet.c:567:3
    #71 0x7f2afc7c1cb8 in epan_dissect_run_with_taps epan/epan.c:474:2
    #72 0x562057c9ae36 in process_packet_single_pass tshark.c:3396:5
    #73 0x562057c9400e in process_cap_file tshark.c:3233:11
    #74 0x562057c8bf6b in main tshark.c:1955:17
    #75 0x7f2aee2f8510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #76 0x562057b797f9 in _start (run/tshark+0xd17f9)

SUMMARY: large memory allocation request: 4294967295

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs