Bug ID |
10191
|
Summary |
Clang ASAN: heap-buffer-overflow Multipart : find_parameter
|
Classification |
Unclassified
|
Product |
Wireshark
|
Version |
Git
|
Hardware |
All
|
OS |
All
|
Status |
UNCONFIRMED
|
Severity |
Normal
|
Priority |
Low
|
Component |
Dissection engine (libwireshark)
|
Assignee |
[email protected]
|
Reporter |
[email protected]
|
Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark
-v", or "tshark -v".
--
I fuzzing wireshark with ASAN (
http://clang.llvm.org/docs/AddressSanitizer.html) and it found the following
issue :
stderr follows:
Input file: ../menagerie/public/406-malformed-service-load-packet.pcap
Command and args: ./tshark -nVxr
=================================================================
==30378==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x608000217afb at pc 0x7fd83d387ee7 bp 0x7fff6654e2d0 sp
7fff6654e2c8
READ of size 1 at 0x608000217afb thread T0
#0 0x7fd83d387ee6 in find_parameter
/home/alagoutte/wireshark-clang/epan/dissectors/packet-multipart.c:341
#1 0x7fd83d386050 in get_multipart_info
/home/alagoutte/wireshark-clang/epan/dissectors/packet-multipart.c:408
#2 0x7fd83cc1f61a in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:622
#3 0x7fd83d1911a2 in dissect_http_message
/home/alagoutte/wireshark-clang/epan/dissectors/packet-http.c:1449
#4 0x7fd83d18bf4e in dissect_http
/home/alagoutte/wireshark-clang/epan/dissectors/packet-http.c:2776
#5 0x7fd83d18d90a in dissect_http_heur_tcp
/home/alagoutte/wireshark-clang/epan/dissectors/packet-http.c:2815
#6 0x7fd83cc21ea2 in dissector_try_heuristic
/home/alagoutte/wireshark-clang/epan/packet.c:2026
#7 0x7fd83d711cd8 in decode_tcp_ports
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:3947
#8 0x7fd83d7146e6 in process_tcp_payload
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:3992
#9 0x7fd83d7129f6 in desegment_tcp
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:1804
#10 0x7fd83d71bfc4 in dissect_tcp
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:4871
#11 0x7fd83cc1f649 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
#12 0x7fd83cc1f298 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1144
#13 0x7fd83d2149c3 in dissect_ip
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ip.c:2409
#14 0x7fd83cc1f649 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
#15 0x7fd83cc1f8c9 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1144
#16 0x7fd83d065c1a in dissect_ethertype
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ethertype.c:303
#17 0x7fd83cc1f61a in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:622
#18 0x7fd83cc229cc in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2282
#19 0x7fd83d064781 in dissect_eth_common
/home/alagoutte/wireshark-clang/epan/dissectors/packet-eth.c:475
#20 0x7fd83cc1f649 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
#21 0x7fd83cc1f8c9 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1144
#22 0x7fd83d0b11cd in dissect_frame
/home/alagoutte/wireshark-clang/epan/dissectors/packet-frame.c:508
#23 0x7fd83cc1f649 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
#24 0x7fd83cc229cc in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2282
#25 0x7fd83cc1d506 in call_dissector
/home/alagoutte/wireshark-clang/epan/packet.c:2312
#26 0x7fd83cbff9ce in epan_dissect_run_with_taps
/home/alagoutte/wireshark-clang/epan/epan.c:350
#27 0x4d4e68 in process_packet
/home/alagoutte/wireshark-clang/tshark.c:3537
#28 0x4d023f in load_cap_file /home/alagoutte/wireshark-clang/tshark.c:3327
#29 0x7fd8358e2de4 in __libc_start_main
/build/buildd/eglibc-2.17/csu/libc-start.c:260
#30 0x4baeec in _start ??:?
0x608000217afb is located 0 bytes to the right of 91-byte region
[0x608000217aa0,0x608000217afb)
allocated by thread T0 here:
#0 0x49ed8b in malloc ??:?
#1 0x7fd837d11dd0 in g_malloc ??:?
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x0c108003af00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c108003af10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c108003af20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c108003af30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c108003af40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c108003af50: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00[03]
0x0c108003af60: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 03
0x0c108003af70: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c108003af80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c108003af90: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c108003afa0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
ASan internal: fe
==30378==ABORTING
You are receiving this mail because:
- You are watching all bug changes.