Wireshark-bugs: [Wireshark-bugs] [Bug 10191] New: Clang ASAN: heap-buffer-overflow Multipart : f

Date: Wed, 18 Jun 2014 00:26:17 +0000
Bug ID 10191
Summary Clang ASAN: heap-buffer-overflow Multipart : find_parameter
Classification Unclassified
Product Wireshark
Version Git
Hardware All
OS All
Status UNCONFIRMED
Severity Normal
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark
-v", or "tshark -v".
--
I fuzzing wireshark with ASAN (
http://clang.llvm.org/docs/AddressSanitizer.html) and it found the following
issue :

stderr follows:

Input file: ../menagerie/public/406-malformed-service-load-packet.pcap

Command and args: ./tshark -nVxr

=================================================================
==30378==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x608000217afb at pc 0x7fd83d387ee7 bp 0x7fff6654e2d0 sp
7fff6654e2c8
READ of size 1 at 0x608000217afb thread T0
    #0 0x7fd83d387ee6 in find_parameter
/home/alagoutte/wireshark-clang/epan/dissectors/packet-multipart.c:341
    #1 0x7fd83d386050 in get_multipart_info
/home/alagoutte/wireshark-clang/epan/dissectors/packet-multipart.c:408
    #2 0x7fd83cc1f61a in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:622
    #3 0x7fd83d1911a2 in dissect_http_message
/home/alagoutte/wireshark-clang/epan/dissectors/packet-http.c:1449
    #4 0x7fd83d18bf4e in dissect_http
/home/alagoutte/wireshark-clang/epan/dissectors/packet-http.c:2776
    #5 0x7fd83d18d90a in dissect_http_heur_tcp
/home/alagoutte/wireshark-clang/epan/dissectors/packet-http.c:2815
    #6 0x7fd83cc21ea2 in dissector_try_heuristic
/home/alagoutte/wireshark-clang/epan/packet.c:2026
    #7 0x7fd83d711cd8 in decode_tcp_ports
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:3947
    #8 0x7fd83d7146e6 in process_tcp_payload
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:3992
    #9 0x7fd83d7129f6 in desegment_tcp
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:1804
    #10 0x7fd83d71bfc4 in dissect_tcp
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:4871
    #11 0x7fd83cc1f649 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
    #12 0x7fd83cc1f298 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1144
    #13 0x7fd83d2149c3 in dissect_ip
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ip.c:2409
    #14 0x7fd83cc1f649 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
    #15 0x7fd83cc1f8c9 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1144
    #16 0x7fd83d065c1a in dissect_ethertype
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ethertype.c:303
    #17 0x7fd83cc1f61a in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:622
    #18 0x7fd83cc229cc in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2282
    #19 0x7fd83d064781 in dissect_eth_common
/home/alagoutte/wireshark-clang/epan/dissectors/packet-eth.c:475
    #20 0x7fd83cc1f649 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
    #21 0x7fd83cc1f8c9 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1144
    #22 0x7fd83d0b11cd in dissect_frame
/home/alagoutte/wireshark-clang/epan/dissectors/packet-frame.c:508
    #23 0x7fd83cc1f649 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
    #24 0x7fd83cc229cc in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2282
    #25 0x7fd83cc1d506 in call_dissector
/home/alagoutte/wireshark-clang/epan/packet.c:2312
    #26 0x7fd83cbff9ce in epan_dissect_run_with_taps
/home/alagoutte/wireshark-clang/epan/epan.c:350
    #27 0x4d4e68 in process_packet
/home/alagoutte/wireshark-clang/tshark.c:3537
    #28 0x4d023f in load_cap_file /home/alagoutte/wireshark-clang/tshark.c:3327
    #29 0x7fd8358e2de4 in __libc_start_main
/build/buildd/eglibc-2.17/csu/libc-start.c:260
    #30 0x4baeec in _start ??:?

0x608000217afb is located 0 bytes to the right of 91-byte region
[0x608000217aa0,0x608000217afb)
allocated by thread T0 here:
    #0 0x49ed8b in malloc ??:?
    #1 0x7fd837d11dd0 in g_malloc ??:?

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c108003af00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c108003af10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c108003af20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c108003af30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c108003af40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c108003af50: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00[03]
  0x0c108003af60: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 03
  0x0c108003af70: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c108003af80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c108003af90: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c108003afa0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==30378==ABORTING


You are receiving this mail because:
  • You are watching all bug changes.