https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13706

            Bug ID: 13706
           Summary: [oss-fuzz] UBSAN: division by zero in packet-ieee80211-radio.c:450:24
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1547
                OS: Linux (other)
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3513-g4b9e481665)

Copyright 1998-2017 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.22.0, with LZ4, with Snappy, with libxml2 2.9.4.

Running on Linux 4.10.13-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.

Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1547

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
epan/dissectors/packet-ieee80211-radio.c:450:24: runtime error: division by zero
    #0 0x7f79bddbf4d2 in calculate_11ac_duration epan/dissectors/packet-ieee80211-radio.c:450:24
    #1 0x7f79bddb9648 in dissect_wlan_radio_phdr epan/dissectors/packet-ieee80211-radio.c:1079:31
    #2 0x7f79bddac29c in dissect_wlan_radio epan/dissectors/packet-ieee80211-radio.c:1189:3
    #3 0x7f79c09ac69d in call_dissector_through_handle epan/packet.c:684:8
    #4 0x7f79c0996e9f in call_dissector_work epan/packet.c:759:9
    #5 0x7f79c09a5ab7 in call_dissector_only epan/packet.c:2992:8
    #6 0x7f79c098dc64 in call_dissector_with_data epan/packet.c:3005:8
    #7 0x7f79bddd86a2 in dissect_radiotap epan/dissectors/packet-ieee80211-radiotap.c:1944:2
    #8 0x7f79c09ac69d in call_dissector_through_handle epan/packet.c:684:8
    #9 0x7f79c0996e9f in call_dissector_work epan/packet.c:759:9
    #10 0x7f79c0995ebd in dissector_try_uint_new epan/packet.c:1329:8
    #11 0x7f79be7603c4 in dissect_pcap_pktdata epan/dissectors/packet-pcap_pktdata.c:371:14
    #12 0x7f79c09ac69d in call_dissector_through_handle epan/packet.c:684:8
    #13 0x7f79c0996e9f in call_dissector_work epan/packet.c:759:9
    #14 0x7f79c09a5ab7 in call_dissector_only epan/packet.c:2992:8
    #15 0x7f79c098dc64 in call_dissector_with_data epan/packet.c:3005:8
    #16 0x7f79be95f009 in dissect_rftap epan/dissectors/packet-rftap.c:333:9
    #17 0x7f79be95f1ec in dissect_rftap_heur epan/dissectors/packet-rftap.c:354:12
    #18 0x7f79c09a37f5 in dissector_try_heuristic epan/packet.c:2617:7
    #19 0x7f79bf1f51c7 in decode_udp_ports epan/dissectors/packet-udp.c:685:9
    #20 0x7f79bf20ac42 in dissect epan/dissectors/packet-udp.c:1131:5
    #21 0x7f79bf1f9f6f in dissect_udp epan/dissectors/packet-udp.c:1137:3
    #22 0x7f79c09ac69d in call_dissector_through_handle epan/packet.c:684:8
    #23 0x7f79c0996e9f in call_dissector_work epan/packet.c:759:9
    #24 0x7f79c0995ebd in dissector_try_uint_new epan/packet.c:1329:8
    #25 0x7f79bdec474c in ip_try_dissect epan/dissectors/packet-ip.c:1854:7
    #26 0x7f79bded36d6 in dissect_ip_v4 epan/dissectors/packet-ip.c:2315:10
    #27 0x7f79c09ac69d in call_dissector_through_handle epan/packet.c:684:8
    #28 0x7f79c0996e9f in call_dissector_work epan/packet.c:759:9
    #29 0x7f79c0995ebd in dissector_try_uint_new epan/packet.c:1329:8
    #30 0x7f79c09973f9 in dissector_try_uint epan/packet.c:1353:9
    #31 0x7f79bd938a93 in dissect_ethertype epan/dissectors/packet-ethertype.c:268:21
    #32 0x7f79c09ac69d in call_dissector_through_handle epan/packet.c:684:8
    #33 0x7f79c0996e9f in call_dissector_work epan/packet.c:759:9
    #34 0x7f79c09a5ab7 in call_dissector_only epan/packet.c:2992:8
    #35 0x7f79c098dc64 in call_dissector_with_data epan/packet.c:3005:8
    #36 0x7f79bd934c6e in dissect_eth_common epan/dissectors/packet-eth.c:536:5
    #37 0x7f79bd92a4f7 in dissect_eth epan/dissectors/packet-eth.c:800:5
    #38 0x7f79c09ac69d in call_dissector_through_handle epan/packet.c:684:8
    #39 0x7f79c0996e9f in call_dissector_work epan/packet.c:759:9
    #40 0x7f79c0995ebd in dissector_try_uint_new epan/packet.c:1329:8
    #41 0x7f79bda6ce87 in dissect_frame epan/dissectors/packet-frame.c:521:11
    #42 0x7f79c09ac69d in call_dissector_through_handle epan/packet.c:684:8
    #43 0x7f79c0996e9f in call_dissector_work epan/packet.c:759:9
    #44 0x7f79c09a5ab7 in call_dissector_only epan/packet.c:2992:8
    #45 0x7f79c098dc64 in call_dissector_with_data epan/packet.c:3005:8
    #46 0x7f79c098cc84 in dissect_record epan/packet.c:567:3
    #47 0x7f79c0924fc8 in epan_dissect_run_with_taps epan/epan.c:473:2
    #48 0x561f29df82d6 in process_packet_single_pass tshark.c:3436:5
    #49 0x561f29df0f2f in process_cap_file tshark.c:3267:11
    #50 0x561f29de8bd0 in main tshark.c:1971:17
    #51 0x7f79b23bf510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #52 0x561f29cd5ac9 in _start (run/tshark+0xd4ac9)

SUMMARY: AddressSanitizer: undefined-behavior epan/dissectors/packet-ieee80211-radio.c:450:24 in

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs