[Wireshark-bugs] [Bug 13701] New: [oss-fuzz] UBSAN: division by zero in packet-btl2cap.c:1687:87

[bugzilla-daemon]

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13701

            Bug ID: 13701
           Summary: [oss-fuzz] UBSAN: division by zero in
                    packet-btl2cap.c:1687:87
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=
                    1539
                OS: Linux (other)
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3498-g79eab8ca07)

Copyright 1998-2017 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.22.0, with LZ4, with Snappy, with libxml2 2.9.4.

Running on Linux 4.10.13-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.

Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1539

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
epan/dissectors/packet-btl2cap.c:1687:87: runtime error: division by zero
    #0 0x7fa0960f301d in dissect_connparamrequest
epan/dissectors/packet-btl2cap.c:1687:87
    #1 0x7fa0960d4f99 in dissect_btl2cap
epan/dissectors/packet-btl2cap.c:2552:27
    #2 0x7fa0997d5fad in call_dissector_through_handle epan/packet.c:684:8
    #3 0x7fa0997c07af in call_dissector_work epan/packet.c:759:9
    #4 0x7fa0997bf7cd in dissector_try_uint_new epan/packet.c:1329:8
    #5 0x7fa0997c0d09 in dissector_try_uint epan/packet.c:1353:9
    #6 0x7fa09701d3a2 in dissect_snap epan/dissectors/packet-llc.c:682:9
    #7 0x7fa09701dbfe in dissect_llc epan/dissectors/packet-llc.c:439:3
    #8 0x7fa0997d5fad in call_dissector_through_handle epan/packet.c:684:8
    #9 0x7fa0997c07af in call_dissector_work epan/packet.c:759:9
    #10 0x7fa0997bf7cd in dissector_try_uint_new epan/packet.c:1329:8
    #11 0x7fa0997c0d09 in dissector_try_uint epan/packet.c:1353:9
    #12 0x7fa09801ea76 in decode_udp_ports epan/dissectors/packet-udp.c:678:7
    #13 0x7fa098034552 in dissect epan/dissectors/packet-udp.c:1131:5
    #14 0x7fa09802387f in dissect_udp epan/dissectors/packet-udp.c:1137:3
    #15 0x7fa0997d5fad in call_dissector_through_handle epan/packet.c:684:8
    #16 0x7fa0997c07af in call_dissector_work epan/packet.c:759:9
    #17 0x7fa0997bf7cd in dissector_try_uint_new epan/packet.c:1329:8
    #18 0x7fa096cee05c in ip_try_dissect epan/dissectors/packet-ip.c:1854:7
    #19 0x7fa096cfcfe6 in dissect_ip_v4 epan/dissectors/packet-ip.c:2315:10
    #20 0x7fa0997d5fad in call_dissector_through_handle epan/packet.c:684:8
    #21 0x7fa0997c07af in call_dissector_work epan/packet.c:759:9
    #22 0x7fa0997bf7cd in dissector_try_uint_new epan/packet.c:1329:8
    #23 0x7fa0997c0d09 in dissector_try_uint epan/packet.c:1353:9
    #24 0x7fa09676a6e3 in dissect_ethertype
epan/dissectors/packet-ethertype.c:268:21
    #25 0x7fa0997d5fad in call_dissector_through_handle epan/packet.c:684:8
    #26 0x7fa0997c07af in call_dissector_work epan/packet.c:759:9
    #27 0x7fa0997cf3c7 in call_dissector_only epan/packet.c:2992:8
    #28 0x7fa0997b7574 in call_dissector_with_data epan/packet.c:3005:8
    #29 0x7fa0967668be in dissect_eth_common epan/dissectors/packet-eth.c:536:5
    #30 0x7fa09675c147 in dissect_eth epan/dissectors/packet-eth.c:800:5
    #31 0x7fa0997d5fad in call_dissector_through_handle epan/packet.c:684:8
    #32 0x7fa0997c07af in call_dissector_work epan/packet.c:759:9
    #33 0x7fa0997bf7cd in dissector_try_uint_new epan/packet.c:1329:8
    #34 0x7fa09689ead7 in dissect_frame epan/dissectors/packet-frame.c:521:11
    #35 0x7fa0997d5fad in call_dissector_through_handle epan/packet.c:684:8
    #36 0x7fa0997c07af in call_dissector_work epan/packet.c:759:9
    #37 0x7fa0997cf3c7 in call_dissector_only epan/packet.c:2992:8
    #38 0x7fa0997b7574 in call_dissector_with_data epan/packet.c:3005:8
    #39 0x7fa0997b6594 in dissect_record epan/packet.c:567:3
    #40 0x7fa09974e8d8 in epan_dissect_run_with_taps epan/epan.c:473:2
    #41 0x55e88e5f42d6 in process_packet_single_pass tshark.c:3436:5
    #42 0x55e88e5ecf2f in process_cap_file tshark.c:3267:11
    #43 0x55e88e5e4bd0 in main tshark.c:1971:17
    #44 0x7fa08b1f5510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #45 0x55e88e4d1ac9 in _start (run/tshark+0xd4ac9)

SUMMARY: AddressSanitizer: undefined-behavior
epan/dissectors/packet-btl2cap.c:1687:87 in

-- 
You are receiving this mail because:
You are watching all bug changes.
___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe