https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14470

            Bug ID: 14470
           Summary: Crafted CIP packets cause heap-use-after-free
           Product: Wireshark
           Version: Git
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: otto.air...@gmail.com
  Target Milestone: ---

Created attachment 16178
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16178&action=edit
capture file

Build Information:
TShark (Wireshark) 2.5.1 (v2.5.1rc0-417-g24b5a553)
Built using clang 4.2.1 Compatible Clang 3.8.0 (tags/RELEASE_380/final).
--
=================================================================
==130947==ERROR: AddressSanitizer: heap-use-after-free on address
0x61d000019a9e at pc 0x7fe2cc795523 bp 0x7ffd2fe97910 sp 0x7ffd2fe97908
READ of size 4 at 0x61d000019a9e thread T0
    #0 0x7fe2cc795522 in enip_open_cip_connection
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-enip.c:1098
(discriminator 1)
    #1 0x7fe2cc795522 in dissect_cpf
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-enip.c:2628
(discriminator 1)
    #3 0x7fe2cc78ebc2 in dissect_enip_pdu
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-enip.c:2827
    #5 0x7fe2cd677941 in tcp_dissect_pdus
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-tcp.c:3612
    #7 0x7fe2cc78c185 in dissect_enip_tcp
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-enip.c:2869
    #9 0x7fe2cbe2b291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #11 0x7fe2cbe1c0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #13 0x7fe2cbe1bb62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #15 0x7fe2cd6798b6 in decode_tcp_ports
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-tcp.c:5548
    #17 0x7fe2cd67f4d9 in process_tcp_payload
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-tcp.c:5611
    #19 0x7fe2cd67c124 in desegment_tcp
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-tcp.c:3134
    #20 0x7fe2cd67c124 in dissect_tcp_payload
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-tcp.c:5684
    #22 0x7fe2cd68a800 in dissect_tcp
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-tcp.c:6522
    #24 0x7fe2cbe2b291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #26 0x7fe2cbe1c0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #28 0x7fe2cbe1bb62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #30 0x7fe2ccb56501 in ip_try_dissect
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-ip.c:1845
    #31 0x7fe2ccb56501 in dissect_ip_v4
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-ip.c:2303
    #33 0x7fe2cbe2b291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #35 0x7fe2cbe1c0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #37 0x7fe2cbe1c8de in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #38 0x7fe2cbe1c8de in dissector_try_uint
/home/fuzzer/wireshark/wireshark/epan/packet.c:1385
    #40 0x7fe2cc7d97b0 in dissect_ethertype
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-ethertype.c:259
    #42 0x7fe2cbe2b291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #44 0x7fe2cbe1c0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #46 0x7fe2cbe17f0b in call_dissector_only
/home/fuzzer/wireshark/wireshark/epan/packet.c:3092
    #47 0x7fe2cbe17f0b in call_dissector_with_data
/home/fuzzer/wireshark/wireshark/epan/packet.c:3105
    #49 0x7fe2cc7d651e in dissect_eth_common
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-eth.c:526
    #51 0x7fe2cc7d4087 in dissect_eth
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-eth.c:801
(discriminator 3)
    #53 0x7fe2cbe2b291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #55 0x7fe2cbe1c0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #57 0x7fe2cbe1bb62 in dissector_try_uint_new
/home/fuzzer/wireshark/wireshark/epan/packet.c:1361
    #59 0x7fe2cc859901 in dissect_frame
/home/fuzzer/wireshark/wireshark/epan/dissectors/packet-frame.c:579
    #61 0x7fe2cbe2b291 in call_dissector_through_handle
/home/fuzzer/wireshark/wireshark/epan/packet.c:694
    #63 0x7fe2cbe1c0bb in call_dissector_work
/home/fuzzer/wireshark/wireshark/epan/packet.c:779
    #65 0x7fe2cbe17f0b in call_dissector_only
/home/fuzzer/wireshark/wireshark/epan/packet.c:3092
    #66 0x7fe2cbe17f0b in call_dissector_with_data
/home/fuzzer/wireshark/wireshark/epan/packet.c:3105
    #68 0x7fe2cbe16fd7 in dissect_record
/home/fuzzer/wireshark/wireshark/epan/packet.c:568
    #70 0x7fe2cbdf2d15 in epan_dissect_run
/home/fuzzer/wireshark/wireshark/epan/epan.c:527
    #72 0x5185b3 in process_packet_first_pass
/home/fuzzer/wireshark/wireshark/tshark.c:2917
    #73 0x5185b3 in process_cap_file
/home/fuzzer/wireshark/wireshark/tshark.c:3186
    #74 0x5185b3 in main /home/fuzzer/wireshark/wireshark/tshark.c:2033
    #76 0x7fe2c26b582f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #78 0x424098 in _start ??:?

0x61d000019a9e is located 30 bytes inside of 2048-byte region
[0x61d000019a80,0x61d00001a280)
freed by thread T0 here:
    #0 0x4c4548 in realloc ??:?
    #2 0x7fe2c3a527d7 in g_realloc ??:?
    #4 0x7fe2d85831d5 in wtap_read_packet_bytes
/home/fuzzer/wireshark/wireshark/wiretap/wtap.c:1346
    #6 0x7fe2d84b2f33 in libpcap_read_packet
/home/fuzzer/wireshark/wireshark/wiretap/libpcap.c:760
    #8 0x7fe2d8582c4a in wtap_read
/home/fuzzer/wireshark/wireshark/wiretap/wtap.c:1234
    #10 0x5182a3 in process_cap_file
/home/fuzzer/wireshark/wireshark/tshark.c:3185 (discriminator 1)
    #11 0x5182a3 in main /home/fuzzer/wireshark/wireshark/tshark.c:2033
(discriminator 1)
    #13 0x7fe2c26b582f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4c41c8 in __interceptor_malloc ??:?
    #2 0x7fe2c3a52718 in g_malloc ??:?
    #4 0x7fe2d8468c24 in wtap_open_offline
/home/fuzzer/wireshark/wireshark/wiretap/file_access.c:1100
    #6 0x51cbf3 in cf_open /home/fuzzer/wireshark/wireshark/tshark.c:4030
    #8 0x51607f in main /home/fuzzer/wireshark/wireshark/tshark.c:2009
    #10 0x7fe2c26b582f in __libc_start_main
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free
(/home/fuzzer/wireshark/wireshark/epan/.libs/libwireshark.so.0+0x8616522)
Shadow bytes around the buggy address:
  0x0c3a7fffb300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffb310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffb320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffb330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffb340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3a7fffb350: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fffb360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fffb370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fffb380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fffb390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fffb3a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==130947==ABORTING

Credit goes to: Otto Airamo and Antti Levomäki, Forcepoint

-- 
___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs