https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13712

            Bug ID: 13712
           Summary: [oss-fuzz] UBSAN: index 16 out of bounds for type 'guint8 [16]' in nbap.cnf:1670:9
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1592
                OS: Linux (other)
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3531-gaa3bbe5aeb)

Copyright 1998-2017 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.22.0, with LZ4, with Snappy, with libxml2 2.9.4.

Running on Linux 4.10.13-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.

Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1592

Attached is the sample that triggers this error, which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
asn1/nbap/nbap.cnf:1670:9: runtime error: index 16 out of bounds for type 'guint8 [16]'
    #0 0x7f9187063820 in dissect_nbap_LogicalChannelID ./asn1/nbap/nbap.cnf:1670:70
    #1 0x7f91858f10b7 in dissect_per_sequence epan/dissectors/packet-per.c:1920:12
    #2 0x7f9187078564 in dissect_nbap_E_DCH_LogicalChannelToModifyItem ./asn1/nbap/nbap.cnf:1629:12
    #3 0x7f91858ce9e8 in dissect_per_sequence_of_helper epan/dissectors/packet-per.c:576:10
    #4 0x7f91858dcd2d in dissect_per_constrained_sequence_of epan/dissectors/packet-per.c:951:9
    #5 0x7f918707847a in dissect_nbap_E_DCH_LogicalChannelToModify ./asn1/nbap/nbap.cnf:1646:12
    #6 0x7f91858f10b7 in dissect_per_sequence epan/dissectors/packet-per.c:1920:12
    #7 0x7f9187078f74 in dissect_nbap_E_DCH_MACdFlow_ModifyTDDItem ./asn1/nbap/nbap.cnf:2457:12
    #8 0x7f91858ce9e8 in dissect_per_sequence_of_helper epan/dissectors/packet-per.c:576:10
    #9 0x7f91858dcd2d in dissect_per_constrained_sequence_of epan/dissectors/packet-per.c:951:9
    #10 0x7f9187078f1a in dissect_nbap_E_DCH_TDD_Information_to_Modify_List ./asn1/nbap/nbap.cnf:2470:12
    #11 0x7f91858f10b7 in dissect_per_sequence epan/dissectors/packet-per.c:1920:12
    #12 0x7f9187078e84 in dissect_nbap_E_DCH_TDD_Information_to_Modify ./asn1/nbap/nbap.cnf:2487:12
    #13 0x7f91858f10b7 in dissect_per_sequence epan/dissectors/packet-per.c:1920:12
    #14 0x7f9187078e24 in dissect_nbap_E_DCH_Information_Reconfig ./asn1/nbap/nbap.cnf:2508:12
    #15 0x7f9186fee381 in dissect_E_DCH_Information_Reconfig_PDU ./asn1/nbap/nbap.cnf:1919:12
    #16 0x7f9187ad4cad in call_dissector_through_handle epan/packet.c:684:8
    #17 0x7f9187ad326c in call_dissector_work_error epan/packet.c:824:9
    #18 0x7f9187abf48e in call_dissector_work epan/packet.c:754:9
    #19 0x7f9187abe4cd in dissector_try_uint_new epan/packet.c:1329:8
    #20 0x7f918701fd1c in dissect_ProtocolExtensionFieldExtensionValue ./asn1/nbap/packet-nbap-template.c:346:11
    #21 0x7f91858c70cd in dissect_per_open_type_internal epan/dissectors/packet-per.c:244:5
    #22 0x7f91858c74a9 in dissect_per_open_type_pdu_new epan/dissectors/packet-per.c:265:9
    #23 0x7f918701fcb9 in dissect_nbap_T_extensionValue ./asn1/nbap/nbap.cnf:201:12
    #24 0x7f91858f10b7 in dissect_per_sequence epan/dissectors/packet-per.c:1920:12
    #25 0x7f918701fae4 in dissect_nbap_ProtocolExtensionField ./asn1/nbap/nbap.cnf:216:12
    #26 0x7f91858ce9e8 in dissect_per_sequence_of_helper epan/dissectors/packet-per.c:576:10
    #27 0x7f91858dcd2d in dissect_per_constrained_sequence_of epan/dissectors/packet-per.c:951:9
    #28 0x7f918701f9aa in dissect_nbap_ProtocolExtensionContainer ./asn1/nbap/nbap.cnf:229:12
    #29 0x7f91858f10b7 in dissect_per_sequence epan/dissectors/packet-per.c:1920:12
    #30 0x7f9187099d8e in dissect_nbap_DedicatedMeasurementReport ./asn1/nbap/nbap.cnf:490:12
    #31 0x7f918701bb81 in dissect_DedicatedMeasurementReport_PDU ./asn1/nbap/nbap.cnf:7223:12
    #32 0x7f9187ad4cad in call_dissector_through_handle epan/packet.c:684:8
    #33 0x7f9187ad326c in call_dissector_work_error epan/packet.c:824:9
    #34 0x7f9187abf48e in call_dissector_work epan/packet.c:754:9
    #35 0x7f9187ac154f in dissector_try_string epan/packet.c:1628:9
    #36 0x7f918701f4c5 in dissect_InitiatingMessageValue ./asn1/nbap/packet-nbap-template.c:352:11
    #37 0x7f91858c70cd in dissect_per_open_type_internal epan/dissectors/packet-per.c:244:5
    #38 0x7f91858c74a9 in dissect_per_open_type_pdu_new epan/dissectors/packet-per.c:265:9
    #39 0x7f918701f0a9 in dissect_nbap_InitiatingMessage_value ./asn1/nbap/nbap.cnf:703:12
    #40 0x7f91858f10b7 in dissect_per_sequence epan/dissectors/packet-per.c:1920:12
    #41 0x7f918701ece4 in dissect_nbap_InitiatingMessage ./asn1/nbap/nbap.cnf:720:12
    #42 0x7f91858edd4d in dissect_per_choice epan/dissectors/packet-per.c:1768:13
    #43 0x7f918701ec87 in dissect_nbap_NBAP_PDU ./asn1/nbap/nbap.cnf:826:12
    #44 0x7f918701eb81 in dissect_NBAP_PDU_PDU ./asn1/nbap/nbap.cnf:8431:12
    #45 0x7f9186f9d88b in dissect_nbap ./asn1/nbap/packet-nbap-template.c:465:9
    #46 0x7f9187ad4cad in call_dissector_through_handle epan/packet.c:684:8
    #47 0x7f9187ad326c in call_dissector_work_error epan/packet.c:824:9
    #48 0x7f9187abf48e in call_dissector_work epan/packet.c:754:9
    #49 0x7f9187abe4cd in dissector_try_uint_new epan/packet.c:1329:8
    #50 0x7f9185d43374 in dissect_payload epan/dissectors/packet-sctp.c:2538:9
    #51 0x7f9185d3a4f7 in dissect_data_chunk epan/dissectors/packet-sctp.c:3458:16
    #52 0x7f9185d31bef in dissect_sctp_chunk epan/dissectors/packet-sctp.c:4426:14
    #53 0x7f9185d2bcfe in dissect_sctp_chunks epan/dissectors/packet-sctp.c:4584:9
    #54 0x7f9185d28d17 in dissect_sctp_packet epan/dissectors/packet-sctp.c:4725:3
    #55 0x7f9185d41764 in dissect_pktdrop_chunk epan/dissectors/packet-sctp.c:4311:9
    #56 0x7f9185d32709 in dissect_sctp_chunk epan/dissectors/packet-sctp.c:4496:5
    #57 0x7f9185d2bcfe in dissect_sctp_chunks epan/dissectors/packet-sctp.c:4584:9
    #58 0x7f9185d28d17 in dissect_sctp_packet epan/dissectors/packet-sctp.c:4725:3
    #59 0x7f9185d263fb in dissect_sctp epan/dissectors/packet-sctp.c:4786:3
    #60 0x7f9187ad4cad in call_dissector_through_handle epan/packet.c:684:8
    #61 0x7f9187abf4af in call_dissector_work epan/packet.c:759:9
    #62 0x7f9187abe4cd in dissector_try_uint_new epan/packet.c:1329:8
    #63 0x7f9184fd099c in ip_try_dissect epan/dissectors/packet-ip.c:1854:7
    #64 0x7f9184fdf926 in dissect_ip_v4 epan/dissectors/packet-ip.c:2315:10
    #65 0x7f9187ad4cad in call_dissector_through_handle epan/packet.c:684:8
    #66 0x7f9187abf4af in call_dissector_work epan/packet.c:759:9
    #67 0x7f9187abe4cd in dissector_try_uint_new epan/packet.c:1329:8
    #68 0x7f9187abfa09 in dissector_try_uint epan/packet.c:1353:9
    #69 0x7f9184a44733 in dissect_ethertype epan/dissectors/packet-ethertype.c:268:21
    #70 0x7f9187ad4cad in call_dissector_through_handle epan/packet.c:684:8
    #71 0x7f9187abf4af in call_dissector_work epan/packet.c:759:9
    #72 0x7f9187ace0c7 in call_dissector_only epan/packet.c:2992:8
    #73 0x7f9187ab6274 in call_dissector_with_data epan/packet.c:3005:8
    #74 0x7f9184a4090e in dissect_eth_common epan/dissectors/packet-eth.c:536:5
    #75 0x7f9184a36197 in dissect_eth epan/dissectors/packet-eth.c:800:5
    #76 0x7f9187ad4cad in call_dissector_through_handle epan/packet.c:684:8
    #77 0x7f9187abf4af in call_dissector_work epan/packet.c:759:9
    #78 0x7f9187abe4cd in dissector_try_uint_new epan/packet.c:1329:8
    #79 0x7f9184b78b27 in dissect_frame epan/dissectors/packet-frame.c:521:11
    #80 0x7f9187ad4cad in call_dissector_through_handle epan/packet.c:684:8
    #81 0x7f9187abf4af in call_dissector_work epan/packet.c:759:9
    #82 0x7f9187ace0c7 in call_dissector_only epan/packet.c:2992:8
    #83 0x7f9187ab6274 in call_dissector_with_data epan/packet.c:3005:8
    #84 0x7f9187ab5294 in dissect_record epan/packet.c:567:3
    #85 0x7f9187a4d5d8 in epan_dissect_run_with_taps epan/epan.c:473:2
    #86 0x56330d23b2d6 in process_packet_single_pass tshark.c:3442:5
    #87 0x56330d233f2f in process_cap_file tshark.c:3273:11
    #88 0x56330d22bbd0 in main tshark.c:1977:17
    #89 0x7f91794ae510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #90 0x56330d118ac9 in _start (run/tshark+0xd4ac9)

SUMMARY: AddressSanitizer: undefined-behavior asn1/nbap/nbap.cnf:1670:9 in

Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>