https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14114

            Bug ID: 14114
           Summary: [oss-fuzz] UBSAN: store to null pointer of type
                    'guint' (aka 'unsigned int') in
                    packet-ieee80211.c:6035:7
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3613
                OS: Linux
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.5.0 (v2.5.0rc0-1293-gb363e46a)

Copyright 1998-2017 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.52.2, with zlib 1.2.11, without SMI, with c-ares 1.13.0, with Lua
5.2.4, with GnuTLS 3.5.15, with Gcrypt 1.8.1, with MIT Kerberos, with GeoIP,
with nghttp2 1.23.1, with LZ4, with Snappy, with libxml2 2.9.5.

Running on Linux 4.12.10-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 32060 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.15, with Gcrypt 1.8.1, with zlib 1.2.11.

Built using clang 4.2.1 Compatible Clang 5.0.0 (tags/RELEASE_500/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3613

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark:
tshark -Vxr clusterfuzz-testcase-minimized-5205904426270720.pcap
--
epan/dissectors/packet-ieee80211.c:6035:7: runtime error: store to null pointer
of type 'guint' (aka 'unsigned int')
    #0 0x7efd2abf1318 in dissect_advertisement_protocol_common
epan/dissectors/packet-ieee80211.c:6035:13
    #1 0x7efd2abc34e5 in dissect_advertisement_protocol
epan/dissectors/packet-ieee80211.c:6073:10
    #2 0x7efd2d743dec in call_dissector_through_handle epan/packet.c:690:8
    #3 0x7efd2d72f4c7 in call_dissector_work epan/packet.c:768:9
    #4 0x7efd2d72e525 in dissector_try_uint_new epan/packet.c:1343:8
    #5 0x7efd2aba7584 in add_tagged_field
epan/dissectors/packet-ieee80211.c:14655:8
    #6 0x7efd2abeb169 in ieee_80211_add_tagged_parameters
epan/dissectors/packet-ieee80211.c:17086:19
    #7 0x7efd2abe9e4d in dissect_ieee80211_mgt
epan/dissectors/packet-ieee80211.c:17212:7
    #8 0x7efd2abe41b7 in dissect_ieee80211_common
epan/dissectors/packet-ieee80211.c:19135:7
    #9 0x7efd2abab958 in dissect_ieee80211_withoutfcs
epan/dissectors/packet-ieee80211.c:19335:3
    #10 0x7efd2d743dec in call_dissector_through_handle epan/packet.c:690:8
    #11 0x7efd2d72f4c7 in call_dissector_work epan/packet.c:768:9
    #12 0x7efd2d73d7f9 in call_dissector_only epan/packet.c:3055:8
    #13 0x7efd2d7273a1 in call_dissector_with_data epan/packet.c:3068:8
    #14 0x7efd2d73d861 in call_dissector epan/packet.c:3085:9
    #15 0x7efd2affa795 in dissect_lwapp epan/dissectors/packet-lwapp.c:448:9
    #16 0x7efd2d743dec in call_dissector_through_handle epan/packet.c:690:8
    #17 0x7efd2d72f4c7 in call_dissector_work epan/packet.c:768:9
    #18 0x7efd2d72e525 in dissector_try_uint_new epan/packet.c:1343:8
    #19 0x7efd2d72fd79 in dissector_try_uint epan/packet.c:1367:9
    #20 0x7efd2a708493 in dissect_ethertype
epan/dissectors/packet-ethertype.c:270:21
    #21 0x7efd2d743dec in call_dissector_through_handle epan/packet.c:690:8
    #22 0x7efd2d72f4c7 in call_dissector_work epan/packet.c:768:9
    #23 0x7efd2d73d7f9 in call_dissector_only epan/packet.c:3055:8
    #24 0x7efd2d7273a1 in call_dissector_with_data epan/packet.c:3068:8
    #25 0x7efd2a704ace in dissect_eth_common epan/dissectors/packet-eth.c:536:5
    #26 0x7efd2a6f9ebc in dissect_eth_withoutfcs
epan/dissectors/packet-eth.c:810:3
    #27 0x7efd2d743dec in call_dissector_through_handle epan/packet.c:690:8
    #28 0x7efd2d72f4c7 in call_dissector_work epan/packet.c:768:9
    #29 0x7efd2d73d7f9 in call_dissector_only epan/packet.c:3055:8
    #30 0x7efd2d7273a1 in call_dissector_with_data epan/packet.c:3068:8
    #31 0x7efd2d73d861 in call_dissector epan/packet.c:3085:9
    #32 0x7efd2a706aa7 in dissect_etherip epan/dissectors/packet-etherip.c:94:3
    #33 0x7efd2d743dec in call_dissector_through_handle epan/packet.c:690:8
    #34 0x7efd2d72f4c7 in call_dissector_work epan/packet.c:768:9
    #35 0x7efd2d72e525 in dissector_try_uint_new epan/packet.c:1343:8
    #36 0x7efd2ac845d0 in ip_try_dissect epan/dissectors/packet-ip.c:1865:7
    #37 0x7efd2ac91334 in dissect_ip_v4 epan/dissectors/packet-ip.c:2323:10
    #38 0x7efd2d743dec in call_dissector_through_handle epan/packet.c:690:8
    #39 0x7efd2d72f4c7 in call_dissector_work epan/packet.c:768:9
    #40 0x7efd2d72e525 in dissector_try_uint_new epan/packet.c:1343:8
    #41 0x7efd2d72fd79 in dissector_try_uint epan/packet.c:1367:9
    #42 0x7efd2a708493 in dissect_ethertype
epan/dissectors/packet-ethertype.c:270:21
    #43 0x7efd2d743dec in call_dissector_through_handle epan/packet.c:690:8
    #44 0x7efd2d72f4c7 in call_dissector_work epan/packet.c:768:9
    #45 0x7efd2d73d7f9 in call_dissector_only epan/packet.c:3055:8
    #46 0x7efd2d7273a1 in call_dissector_with_data epan/packet.c:3068:8
    #47 0x7efd2a704ace in dissect_eth_common epan/dissectors/packet-eth.c:536:5
    #48 0x7efd2a6fb8f6 in dissect_eth epan/dissectors/packet-eth.c:800:5
    #49 0x7efd2d743dec in call_dissector_through_handle epan/packet.c:690:8
    #50 0x7efd2d72f4c7 in call_dissector_work epan/packet.c:768:9
    #51 0x7efd2d72e525 in dissector_try_uint_new epan/packet.c:1343:8
    #52 0x7efd2a82456b in dissect_frame epan/dissectors/packet-frame.c:555:11
    #53 0x7efd2d743dec in call_dissector_through_handle epan/packet.c:690:8
    #54 0x7efd2d72f4c7 in call_dissector_work epan/packet.c:768:9
    #55 0x7efd2d73d7f9 in call_dissector_only epan/packet.c:3055:8
    #56 0x7efd2d7273a1 in call_dissector_with_data epan/packet.c:3068:8
    #57 0x7efd2d726712 in dissect_record epan/packet.c:573:3
    #58 0x7efd2d6c9d48 in epan_dissect_run_with_taps epan/epan.c:480:2
    #59 0x56200ebce209 in process_packet_single_pass tshark.c:3531:5
    #60 0x56200ebc791d in process_cap_file tshark.c:3357:11
    #61 0x56200ebbff94 in main tshark.c:2050:17
    #62 0x7efd1f5dff69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
    #63 0x56200eaa74e9 in _start (run/tshark+0xd84e9)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
epan/dissectors/packet-ieee80211.c:6035:7 in
