https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13664

            Bug ID: 13664
           Summary: [oss-fuzz] ASAN: heap-buffer-overflow
                    (run/tshark+0x103147) in __interceptor_strncmp.part.74
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1273
                OS: Linux (other)
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3288-gcd58e676bd)

Copyright 1998-2017 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.

Running on Linux 4.10.9-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.

Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1273

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
=================================================================
==18029==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x613000000f8b at pc 0x55af63d1f148 bp 0x7ffd436ff240 sp 0x7ffd436fe9f0
READ of size 2 at 0x613000000f8b thread T0
    #0 0x55af63d1f147 in __interceptor_strncmp.part.74 (run/tshark+0x103147)
    #1 0x7fd77ca0a592 in dissect_packetcable_bsdpd_vendor_info_heur
epan/dissectors/packet-bootp.c:4043:4
    #2 0x7fd7802e6475 in dissector_try_heuristic epan/packet.c:2617:7
    #3 0x7fd77c9ffbab in dissect_bootpopt_vendor_specific_info
epan/dissectors/packet-bootp.c:1962:7
    #4 0x7fd7802ef31d in call_dissector_through_handle epan/packet.c:684:8
    #5 0x7fd7802d9b1f in call_dissector_work epan/packet.c:759:9
    #6 0x7fd7802d8b3d in dissector_try_uint_new epan/packet.c:1329:8
    #7 0x7fd77ca0e024 in bootp_option epan/dissectors/packet-bootp.c:1910:7
    #8 0x7fd77ca007af in dissect_bootpopt_option_overload
epan/dissectors/packet-bootp.c:2001:18
    #9 0x7fd7802ef31d in call_dissector_through_handle epan/packet.c:684:8
    #10 0x7fd7802d9b1f in call_dissector_work epan/packet.c:759:9
    #11 0x7fd7802d8b3d in dissector_try_uint_new epan/packet.c:1329:8
    #12 0x7fd77ca0e024 in bootp_option epan/dissectors/packet-bootp.c:1910:7
    #13 0x7fd77c9fe192 in dissect_bootp epan/dissectors/packet-bootp.c:6283:18
    #14 0x7fd7802ef31d in call_dissector_through_handle epan/packet.c:684:8
    #15 0x7fd7802d9b1f in call_dissector_work epan/packet.c:759:9
    #16 0x7fd7802d8b3d in dissector_try_uint_new epan/packet.c:1329:8
    #17 0x7fd77d2bc722 in dissect_exported_pdu
epan/dissectors/packet-exported_pdu.c:307:17
    #18 0x7fd7802ef31d in call_dissector_through_handle epan/packet.c:684:8
    #19 0x7fd7802d9b1f in call_dissector_work epan/packet.c:759:9
    #20 0x7fd7802d8b3d in dissector_try_uint_new epan/packet.c:1329:8
    #21 0x7fd77d3da8b7 in dissect_frame epan/dissectors/packet-frame.c:521:11
    #22 0x7fd7802ef31d in call_dissector_through_handle epan/packet.c:684:8
    #23 0x7fd7802d9b1f in call_dissector_work epan/packet.c:759:9
    #24 0x7fd7802e8737 in call_dissector_only epan/packet.c:2992:8
    #25 0x7fd7802d08e4 in call_dissector_with_data epan/packet.c:3005:8
    #26 0x7fd7802cf904 in dissect_record epan/packet.c:567:3
    #27 0x7fd780267c48 in epan_dissect_run_with_taps epan/epan.c:474:2
    #28 0x55af63e126c6 in process_packet_single_pass tshark.c:3421:5
    #29 0x55af63e0b821 in process_cap_file tshark.c:3250:11
    #30 0x55af63e03549 in main tshark.c:1955:17
    #31 0x7fd771d92510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #32 0x55af63cf04f9 in _start (run/tshark+0xd44f9)

0x613000000f8b is located 0 bytes to the right of 331-byte region
[0x613000000e40,0x613000000f8b)
allocated by thread T0 here:
    #0 0x55af63da6300 in realloc (run/tshark+0x18a300)
    #1 0x7fd7727a2d47 in g_realloc /build/src/glib/glib/gmem.c:159
    #2 0x7fd7731ea388 in wtap_read_packet_bytes wiretap/wtap.c:1349:2
    #3 0x7fd772f713f0 in libpcap_read_packet wiretap/libpcap.c:729:7
    #4 0x7fd772f66527 in libpcap_read wiretap/libpcap.c:620:9
    #5 0x7fd7731e9518 in wtap_read wiretap/wtap.c:1242:7
    #6 0x55af63e0b5ab in process_cap_file tshark.c:3245:12
    #7 0x55af63e03549 in main tshark.c:1955:17
    #8 0x7fd771d92510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)

SUMMARY: AddressSanitizer: heap-buffer-overflow (run/tshark+0x103147) in
__interceptor_strncmp.part.74
Shadow bytes around the buggy address:
  0x0c267fff81a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff81b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff81c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c267fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff81e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff81f0: 00[03]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18029==ABORTING
