https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13728

            Bug ID: 13728
           Summary: [oss-fuzz] ASAN: stack-overflow epan/expert.c:485:30
                    in expert_set_item_flags
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1697
                OS: Linux (other)
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3582-ge79488911f)

Copyright 1998-2017 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.52.2, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.12, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.22.0, with LZ4, with Snappy, with libxml2 2.9.4.

Running on Linux 4.10.13-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.12, with Gcrypt 1.7.6, with zlib 1.2.11.

Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1697

Attached is the sample that triggers this error, which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
ASAN:DEADLYSIGNAL
=================================================================
==31418==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe295ffff8 (pc 0x7f84d7aec054 bp 0x7ffe296001c0 sp 0x7ffe29600000 T0)
    #0 0x7f84d7aec053 in expert_set_item_flags epan/expert.c:485:30
    #1 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #2 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #3 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #4 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #5 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #6 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #7 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #8 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #9 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #10 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #11 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #12 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #13 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #14 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #15 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #16 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #17 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #18 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #19 0x7f84d7aec06b in expert_set_item_flags epan/expert.c:486:3
    #20 0x7f84d7ae602f in expert_set_info_vformat epan/expert.c:537:3
    #21 0x7f84d7ae58e8 in expert_add_info_format epan/expert.c:631:2
    #22 0x7f84d404b0ab in dissect_amqp_1_0_list epan/dissectors/packet-amqp.c:5948:9
    #23 0x7f84d404f30d in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9975:32
    #24 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #25 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #26 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #27 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #28 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #29 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #30 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #31 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #32 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #33 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #34 0x7f84d404ba4c in get_amqp_1_0_type_value_formatter epan/dissectors/packet-amqp.c:10128:5
    #35 0x7f84d404b2d0 in dissect_amqp_1_0_list epan/dissectors/packet-amqp.c:5962:9
    #36 0x7f84d404f30d in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9975:32
    #37 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #38 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #39 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #40 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #41 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #42 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #43 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #44 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #45 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #46 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #47 0x7f84d404ba4c in get_amqp_1_0_type_value_formatter epan/dissectors/packet-amqp.c:10128:5
    #48 0x7f84d404b2d0 in dissect_amqp_1_0_list epan/dissectors/packet-amqp.c:5962:9
    #49 0x7f84d404f30d in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9975:32
    #50 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #51 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #52 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #53 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #54 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #55 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #56 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #57 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #58 0x7f84d40513b5 in dissect_amqp_1_0_array epan/dissectors/packet-amqp.c:6212:9
    #59 0x7f84d404f4f4 in get_amqp_1_0_value_formatter epan/dissectors/packet-amqp.c:9990:32
    #60 0x7f84d404ba4c in get_amqp_1_0_type_value_formatter epan/dissectors/packet-amqp.c:10128:5
    #61 0x7f84d404b2d0 in dissect_amqp_1_0_list epan/dissectors/packet-amqp.c:5962:9
    #62 0x7f84d4049e96 in dissect_amqp_1_0_AMQP_frame epan/dissectors/packet-amqp.c:6267:13
    #63 0x7f84d402c746 in dissect_amqp_1_0_frame epan/dissectors/packet-amqp.c:6497:9
    #64 0x7f84d622641b in tcp_dissect_pdus epan/dissectors/packet-tcp.c:3505:13
    #65 0x7f84d4027650 in dissect_amqp epan/dissectors/packet-amqp.c:10685:9
    #66 0x7f84d7b5fb2d in call_dissector_through_handle epan/packet.c:684:8
    #67 0x7f84d7b4a32f in call_dissector_work epan/packet.c:759:9
    #68 0x7f84d7b4934d in dissector_try_uint_new epan/packet.c:1329:8
    #69 0x7f84d6228a52 in decode_tcp_ports epan/dissectors/packet-tcp.c:5436:9
    #70 0x7f84d6233c6b in process_tcp_payload epan/dissectors/packet-tcp.c:5499:13
    #71 0x7f84d622bd6c in dissect_tcp_payload epan/dissectors/packet-tcp.c:5575:9
    #72 0x7f84d62520a9 in dissect_tcp epan/dissectors/packet-tcp.c:6440:13
    #73 0x7f84d7b5fb2d in call_dissector_through_handle epan/packet.c:684:8
    #74 0x7f84d7b4a32f in call_dissector_work epan/packet.c:759:9
    #75 0x7f84d7b4934d in dissector_try_uint_new epan/packet.c:1329:8
    #76 0x7f84d50445cc in ip_try_dissect epan/dissectors/packet-ip.c:1854:7
    #77 0x7f84d5053556 in dissect_ip_v4 epan/dissectors/packet-ip.c:2315:10
    #78 0x7f84d7b5fb2d in call_dissector_through_handle epan/packet.c:684:8
    #79 0x7f84d7b4a32f in call_dissector_work epan/packet.c:759:9
    #80 0x7f84d7b4934d in dissector_try_uint_new epan/packet.c:1329:8
    #81 0x7f84d7b4a889 in dissector_try_uint epan/packet.c:1353:9
    #82 0x7f84d4ab8673 in dissect_ethertype epan/dissectors/packet-ethertype.c:268:21
    #83 0x7f84d7b5fb2d in call_dissector_through_handle epan/packet.c:684:8
    #84 0x7f84d7b4a32f in call_dissector_work epan/packet.c:759:9
    #85 0x7f84d7b58f47 in call_dissector_only epan/packet.c:2992:8
    #86 0x7f84d7b410f4 in call_dissector_with_data epan/packet.c:3005:8
    #87 0x7f84d4ab484e in dissect_eth_common epan/dissectors/packet-eth.c:536:5
    #88 0x7f84d4aaa0d7 in dissect_eth epan/dissectors/packet-eth.c:800:5
    #89 0x7f84d7b5fb2d in call_dissector_through_handle epan/packet.c:684:8
    #90 0x7f84d7b4a32f in call_dissector_work epan/packet.c:759:9
    #91 0x7f84d7b4934d in dissector_try_uint_new epan/packet.c:1329:8
    #92 0x7f84d4beca77 in dissect_frame epan/dissectors/packet-frame.c:521:11
    #93 0x7f84d7b5fb2d in call_dissector_through_handle epan/packet.c:684:8
    #94 0x7f84d7b4a32f in call_dissector_work epan/packet.c:759:9
    #95 0x7f84d7b58f47 in call_dissector_only epan/packet.c:2992:8
    #96 0x7f84d7b410f4 in call_dissector_with_data epan/packet.c:3005:8
    #97 0x7f84d7b40114 in dissect_record epan/packet.c:567:3
    #98 0x7f84d7ad8458 in epan_dissect_run_with_taps epan/epan.c:473:2
    #99 0x5601f1649266 in process_packet_single_pass tshark.c:3442:5
    #100 0x5601f1641ebf in process_cap_file tshark.c:3273:11
    #101 0x5601f1639b60 in main tshark.c:1977:17
    #102 0x7f84c94cd439 in __libc_start_main (/usr/lib/libc.so.6+0x20439)
    #103 0x5601f1526a79 in _start (run/tshark+0xd4a79)

SUMMARY: AddressSanitizer: stack-overflow epan/expert.c:485:30 in expert_set_item_flags
==31418==ABORTING

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs