https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14682

            Bug ID: 14682
           Summary: [oss-fuzz] ASAN: heap-buffer-overflow
                    epan/dissectors/packet-ber.c:3988:17 in
                    dissect_ber_constrained_bitstring
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8011
                OS: Linux
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.9.0 (v2.9.0rc0-495-gf8ac12c5)

Copyright 1998-2018 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.56.0, with zlib 1.2.11, without SMI, with c-ares 1.13.0, with Lua
5.2.4, with GnuTLS 3.5.18, with Gcrypt 1.8.2, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.31.1, with LZ4, with Snappy, with libxml2 2.9.8.

Running on Linux 4.15.15-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31988 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.18, with Gcrypt 1.8.2, with zlib 1.2.11, binary
plugins supported (13 loaded).

Built using clang 4.2.1 Compatible Clang 6.0.0 (tags/RELEASE_600/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8011

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark:
tshark -Vxr clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-4859050050191360.pcap
--
=================================================================
==12271==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000457835 at pc 0x7f8e0223a918 bp 0x7ffda9c8dcd0 sp 0x7ffda9c8dcc8
READ of size 1 at 0x602000457835 thread T0
    #0 0x7f8e0223a917 in dissect_ber_constrained_bitstring
epan/dissectors/packet-ber.c:3988:17
    #1 0x7f8e0223b0d2 in dissect_ber_bitstring
epan/dissectors/packet-ber.c:4014:10
    #2 0x7f8e050a77dd in dissect_kerberos_TicketFlags
./asn1/kerberos/kerberos.cnf:458:12
    #3 0x7f8e02227862 in dissect_ber_sequence
epan/dissectors/packet-ber.c:2384:17
    #4 0x7f8e050a775b in dissect_kerberos_EncTicketPart_U
./asn1/kerberos/kerberos.cnf:290:12
    #5 0x7f8e02214490 in dissect_ber_tagged_type
epan/dissectors/packet-ber.c:681:18
    #6 0x7f8e050a2896 in dissect_kerberos_EncTicketPart
./asn1/kerberos/kerberos.cnf:300:12
    #7 0x7f8e0222d213 in dissect_ber_choice
epan/dissectors/packet-ber.c:2890:21
    #8 0x7f8e050a26fd in dissect_kerberos_Applications
./asn1/kerberos/kerberos.cnf:453:12
    #9 0x7f8e050a0ca1 in dissect_kerberos_common
./asn1/kerberos/packet-kerberos-template.c:1984:10
    #10 0x7f8e050a1903 in dissect_kerberos_udp
./asn1/kerberos/packet-kerberos-template.c:2046:9
    #11 0x7f8e05defc8b in call_dissector_through_handle epan/packet.c:692:9
    #12 0x7f8e05dda267 in call_dissector_work epan/packet.c:777:9
    #13 0x7f8e05dd92c5 in dissector_try_uint_new epan/packet.c:1359:8
    #14 0x7f8e05ddab19 in dissector_try_uint epan/packet.c:1383:9
    #15 0x7f8e04519b9a in decode_udp_ports epan/dissectors/packet-udp.c:666:7
    #16 0x7f8e0452d2d8 in dissect epan/dissectors/packet-udp.c:1127:5
    #17 0x7f8e0451e8cf in dissect_udp epan/dissectors/packet-udp.c:1133:3
    #18 0x7f8e05defc8b in call_dissector_through_handle epan/packet.c:692:9
    #19 0x7f8e05dda267 in call_dissector_work epan/packet.c:777:9
    #20 0x7f8e05dd92c5 in dissector_try_uint_new epan/packet.c:1359:8
    #21 0x7f8e02b5079e in dissect_exported_pdu
epan/dissectors/packet-exported_pdu.c:366:17
    #22 0x7f8e05defc8b in call_dissector_through_handle epan/packet.c:692:9
    #23 0x7f8e05dda267 in call_dissector_work epan/packet.c:777:9
    #24 0x7f8e05dd92c5 in dissector_try_uint_new epan/packet.c:1359:8
    #25 0x7f8e02c76c4d in dissect_frame epan/dissectors/packet-frame.c:579:11
    #26 0x7f8e05defc8b in call_dissector_through_handle epan/packet.c:692:9
    #27 0x7f8e05dda267 in call_dissector_work epan/packet.c:777:9
    #28 0x7f8e05de8c77 in call_dissector_only epan/packet.c:3090:8
    #29 0x7f8e05dd1d31 in call_dissector_with_data epan/packet.c:3103:8
    #30 0x7f8e05dd1069 in dissect_record epan/packet.c:566:3
    #31 0x7f8e05d7ff58 in epan_dissect_run_with_taps epan/epan.c:542:2
    #32 0x55c92e1f01b9 in process_packet_single_pass tshark.c:3541:5
    #33 0x55c92e1e950c in process_cap_file tshark.c:3367:11
    #34 0x55c92e1e0e40 in main tshark.c:2051:17
    #35 0x7f8df6fed06a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
    #36 0x55c92e0c29e9 in _start (run/tshark+0xe09e9)

0x602000457835 is located 0 bytes to the right of 5-byte region
[0x602000457830,0x602000457835)
allocated by thread T0 here:
    #0 0x55c92e186191 in malloc (run/tshark+0x1a4191)
    #1 0x7f8df7a15ac9 in g_malloc /build/src/glib/glib/gmem.c:99
    #2 0x7f8e05bd4c86 in wmem_simple_alloc
epan/wmem/wmem_allocator_simple.c:43:50
    #3 0x7f8e05bc1ae9 in wmem_alloc epan/wmem/wmem_core.c:46:12
    #4 0x7f8e05ffd17e in tvb_memdup epan/tvbuff.c:890:10
    #5 0x7f8e02239178 in dissect_ber_constrained_bitstring
epan/dissectors/packet-ber.c:3953:31
    #6 0x7f8e0223b0d2 in dissect_ber_bitstring
epan/dissectors/packet-ber.c:4014:10
    #7 0x7f8e050a77dd in dissect_kerberos_TicketFlags
./asn1/kerberos/kerberos.cnf:458:12
    #8 0x7f8e02227862 in dissect_ber_sequence
epan/dissectors/packet-ber.c:2384:17
    #9 0x7f8e050a775b in dissect_kerberos_EncTicketPart_U
./asn1/kerberos/kerberos.cnf:290:12
    #10 0x7f8e02214490 in dissect_ber_tagged_type
epan/dissectors/packet-ber.c:681:18
    #11 0x7f8e050a2896 in dissect_kerberos_EncTicketPart
./asn1/kerberos/kerberos.cnf:300:12
    #12 0x7f8e0222d213 in dissect_ber_choice
epan/dissectors/packet-ber.c:2890:21
    #13 0x7f8e050a26fd in dissect_kerberos_Applications
./asn1/kerberos/kerberos.cnf:453:12
    #14 0x7f8e050a0ca1 in dissect_kerberos_common
./asn1/kerberos/packet-kerberos-template.c:1984:10
    #15 0x7f8e050a1903 in dissect_kerberos_udp
./asn1/kerberos/packet-kerberos-template.c:2046:9
    #16 0x7f8e05defc8b in call_dissector_through_handle epan/packet.c:692:9
    #17 0x7f8e05dda267 in call_dissector_work epan/packet.c:777:9
    #18 0x7f8e05dd92c5 in dissector_try_uint_new epan/packet.c:1359:8
    #19 0x7f8e05ddab19 in dissector_try_uint epan/packet.c:1383:9
    #20 0x7f8e04519b9a in decode_udp_ports epan/dissectors/packet-udp.c:666:7
    #21 0x7f8e0452d2d8 in dissect epan/dissectors/packet-udp.c:1127:5
    #22 0x7f8e0451e8cf in dissect_udp epan/dissectors/packet-udp.c:1133:3
    #23 0x7f8e05defc8b in call_dissector_through_handle epan/packet.c:692:9
    #24 0x7f8e05dda267 in call_dissector_work epan/packet.c:777:9
    #25 0x7f8e05dd92c5 in dissector_try_uint_new epan/packet.c:1359:8
    #26 0x7f8e02b5079e in dissect_exported_pdu
epan/dissectors/packet-exported_pdu.c:366:17
    #27 0x7f8e05defc8b in call_dissector_through_handle epan/packet.c:692:9
    #28 0x7f8e05dda267 in call_dissector_work epan/packet.c:777:9
    #29 0x7f8e05dd92c5 in dissector_try_uint_new epan/packet.c:1359:8

SUMMARY: AddressSanitizer: heap-buffer-overflow
epan/dissectors/packet-ber.c:3988:17 in dissect_ber_constrained_bitstring
Shadow bytes around the buggy address:
  0x0c0480082eb0: fa fa 04 fa fa fa 00 fa fa fa 00 02 fa fa 00 05
  0x0c0480082ec0: fa fa 00 05 fa fa 00 05 fa fa fd fa fa fa 00 00
  0x0c0480082ed0: fa fa 00 00 fa fa 06 fa fa fa 00 00 fa fa 00 05
  0x0c0480082ee0: fa fa 00 01 fa fa 00 01 fa fa 00 00 fa fa 00 00
  0x0c0480082ef0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c0480082f00: fa fa 00 01 fa fa[05]fa fa fa fa fa fa fa fa fa
  0x0c0480082f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480082f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480082f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480082f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480082f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12271==ABORTING

-- 
___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:[email protected]?subject=unsubscribe

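The report above does not state the root cause; it only shows that dissect_ber_constrained_bitstring copied exactly 5 content octets with tvb_memdup (packet-ber.c:3953) and then read 1 byte at offset 5, i.e. the first byte past that region (packet-ber.c:3988), while dissecting the Kerberos TicketFlags BIT STRING. The following is an added illustration written for this page, not Wireshark's code and not a confirmed diagnosis of bug 14682: it shows the bug class that produces exactly this ASAN shape in a BER named-bit decoder (a loop driven by the type's named-bit table instead of the encoded length), next to a hardened version that bounds every access by the length actually on the wire. The named-bit table follows TicketFlags as defined in RFC 4120; the two sample encodings are constructed here and are not taken from the fuzzer testcase.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { const char *name; unsigned bit; } named_bit_t;

/* TicketFlags named bits from RFC 4120 section 5.2.8. */
static const named_bit_t ticket_flags_bits[] = {
    {"reserved", 0}, {"forwardable", 1}, {"forwarded", 2}, {"proxiable", 3},
    {"proxy", 4}, {"may-postdate", 5}, {"postdated", 6}, {"invalid", 7},
    {"renewable", 8}, {"initial", 9}, {"pre-authent", 10}, {"hw-authent", 11},
    {"transited-policy-checked", 12}, {"ok-as-delegate", 13},
};
#define N_TICKET_FLAGS (sizeof ticket_flags_bits / sizeof ticket_flags_bits[0])

/* Constructed BER BIT STRING content octets: content[0] is the unused-bit
 * count, content[1..len-1] the data octets.  sample_full is a complete 32-bit
 * TicketFlags value (5 octets, the same size as the region in the ASAN report)
 * with forwardable(1) and ok-as-delegate(13) set; sample_short is a truncated
 * encoding carrying only one data octet. */
static const uint8_t sample_full[]  = {0x00, 0x40, 0x04, 0x00, 0x00};
static const uint8_t sample_short[] = {0x00, 0x40};

/* NAIVE: indexes the buffer by the named bit's position and never consults
 * the encoded length.  For sample_short and bit 13 this reads content[2] of a
 * 2-byte buffer: "0 bytes to the right" of the region, as ASAN puts it. */
static int named_bit_set_naive(const uint8_t *content, size_t len, unsigned bit)
{
    (void)len;  /* the encoded length is ignored: that is the defect */
    return (content[1 + bit / 8] >> (7 - bit % 8)) & 1;
}

/* HARDENED: returns 1/0 for a present bit, -1 when the bit is not part of the
 * encoding (beyond the data, inside the unused tail, or pad octet malformed). */
static int named_bit_set_checked(const uint8_t *content, size_t len, unsigned bit)
{
    if (len < 1) return -1;
    unsigned unused = content[0];
    if (unused > 7) return -1;                 /* X.690: unused bits must be 0..7 */
    size_t byte = 1 + bit / 8;
    if (byte >= len) return -1;                /* named bit lies past the data */
    unsigned pos = bit % 8;                    /* 0 = most significant bit */
    if (byte == len - 1 && (7 - pos) < unused) return -1;  /* in unused tail */
    return (content[byte] >> (7 - pos)) & 1;
}

/* Walks the named-bit table with the checked accessor.  Returns the number of
 * set bits; *truncated counts named bits that the encoding does not carry. */
static int decode_ticket_flags(const uint8_t *content, size_t len, int *truncated)
{
    int set = 0;
    *truncated = 0;
    for (size_t i = 0; i < N_TICKET_FLAGS; i++) {
        int r = named_bit_set_checked(content, len, ticket_flags_bits[i].bit);
        if (r < 0) { (*truncated)++; continue; }
        set += r;
    }
    return set;
}

static int ticket_flags_set_count(const uint8_t *c, size_t len)
{
    int t; return decode_ticket_flags(c, len, &t);
}

static int ticket_flags_truncated_count(const uint8_t *c, size_t len)
{
    int t; decode_ticket_flags(c, len, &t); return t;
}

int main(void)
{
    int truncated;
    int set = decode_ticket_flags(sample_full, sizeof sample_full, &truncated);
    printf("complete encoding: %d named bits set, %d beyond data\n", set, truncated);
    for (size_t i = 0; i < N_TICKET_FLAGS; i++)
        if (named_bit_set_checked(sample_full, sizeof sample_full, ticket_flags_bits[i].bit) == 1)
            printf("  %s\n", ticket_flags_bits[i].name);
    /* On a complete encoding both accessors agree. */
    printf("naive forwardable=%d\n", named_bit_set_naive(sample_full, sizeof sample_full, 1));
    set = decode_ticket_flags(sample_short, sizeof sample_short, &truncated);
    printf("truncated encoding: %d named bits set, %d beyond data\n", set, truncated);
    /* named_bit_set_naive(sample_short, sizeof sample_short, 13) would read one
     * byte past the 2-byte buffer; it is deliberately not executed. */
    return 0;
}
```

Under ASAN the naive accessor on the truncated sample reports a heap-buffer-overflow READ of size 1 at the byte immediately after the copied region, which is the same signature as the report above; the checked accessor instead reports those named bits as absent from the encoding and continues. The general check a BER dissector needs is the one in named_bit_set_checked: bound every named-bit access by the encoded length and the unused-bit count, never by the type's constraint or named-bit table alone.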