Wireshark-bugs: [Wireshark-bugs] [Bug 9601] New: Clang ASAN : heap-buffer-overflow UDVM/Sigcomp

Date: Thu, 26 Dec 2013 15:39:34 +0000
Bug ID 9601
Summary Clang ASAN : heap-buffer-overflow UDVM/Sigcomp : udvm_state_access
Classification Unclassified
Product Wireshark
Version unspecified
Hardware All
OS All
Status UNCONFIRMED
Severity Trivial
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Build Information:

--
I fuzzing wireshark with ASAN (
http://clang.llvm.org/docs/AddressSanitizer.html) and it found the following
issue :

Input file: ../menagerie/asan2/4838-fuzz-2010-06-24-6775.pcap


=================================================================
==18772==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6210000563ec at pc 0x7f201eb48fd1 bp 0x7ffface1d830 sp 0x7ffface1d828
READ of size 1 at 0x6210000563ec thread T0
    #0 0x7f201eb48fd0 in udvm_state_access
/home/alagoutte/wireshark-clang/epan/sigcomp_state_hdlr.c:787
    #1 0x7f201eb4ff3f in decompress_sigcomp_message
/home/alagoutte/wireshark-clang/epan/sigcomp-udvm.c:2315
    #2 0x7f201f4d10ab in dissect_sigcomp_common
/home/alagoutte/wireshark-clang/epan/dissectors/packet-sigcomp.c:899
    #3 0x7f201eaf028d in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:509
    #4 0x7f201eaf359c in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2140
    #5 0x7f201f4d90c7 in dissect_sip
/home/alagoutte/wireshark-clang/epan/dissectors/packet-sip.c:2060
    #6 0x7f201eaf028d in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:509
    #7 0x7f201eaf056b in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1031
    #8 0x7f201f653911 in decode_udp_ports
/home/alagoutte/wireshark-clang/epan/dissectors/packet-udp.c:413
    #9 0x7f201f6565ee in dissect
/home/alagoutte/wireshark-clang/epan/dissectors/packet-udp.c:752
    #10 0x7f201eaf02b9 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:513
    #11 0x7f201eaeff13 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1031
    #12 0x7f201f118cce in dissect_ipv6
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ipv6.c:2139
    #13 0x7f201eaf02b9 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:513
    #14 0x7f201eaf056b in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1031
    #15 0x7f201ef4b56c in dissect_ethertype
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ethertype.c:305
    #16 0x7f201eaf028d in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:509
    #17 0x7f201eaf359c in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2140
    #18 0x7f201ef49fc2 in dissect_eth_common
/home/alagoutte/wireshark-clang/epan/dissectors/packet-eth.c:472
    #19 0x7f201eaf02b9 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:513
    #20 0x7f201eaf056b in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1031
    #21 0x7f201ef97110 in dissect_frame
/home/alagoutte/wireshark-clang/epan/dissectors/packet-frame.c:490
    #22 0x7f201eaf02b9 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:513
    #23 0x7f201eaf359c in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2140
    #24 0x7f201eaeedd3 in call_dissector
/home/alagoutte/wireshark-clang/epan/packet.c:2170
    #25 0x7f201eacf888 in epan_dissect_run_with_taps
/home/alagoutte/wireshark-clang/epan/epan.c:329
    #26 0x4a6555 in process_packet
/home/alagoutte/wireshark-clang/tshark.c:3453
    #27 0x4a2047 in load_cap_file /home/alagoutte/wireshark-clang/tshark.c:3256
    #28 0x7f2017a47de4 in __libc_start_main
/build/buildd/eglibc-2.17/csu/libc-start.c:260
    #29 0x48b38c in _start ??:?

0x6210000563ec is located 0 bytes to the right of 4844-byte region
[0x621000055100,0x6210000563ec)
allocated by thread T0 here:
    #0 0x473de1 in malloc ??:?
    #1 0x7f2019e76dd0 in g_malloc ??:?

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c4280002c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280002c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280002c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280002c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280002c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4280002c70: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
  0x0c4280002c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280002c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280002ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280002cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280002cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe


You are receiving this mail because:
  • You are watching all bug changes.