Bug ID: 10281
Summary: Buildbot crash output: fuzz-2014-07-12-9393.pcap
Classification: Unclassified
Product: Wireshark
Version: unspecified
Hardware: x86-64
URL: http://www.wireshark.org/download/automated/captures/fuzz-2014-07-12-9393.pcap
OS: Ubuntu
Status: CONFIRMED
Severity: Major
Priority: High
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]
Problems have been found with the following capture file:
http://www.wireshark.org/download/automated/captures/fuzz-2014-07-12-9393.pcap
stderr:
Input file: /home/wireshark/menagerie/menagerie/6575-test-dlmapc-wmx.pcap
Build host information:
Linux wsbb04 3.2.0-65-generic #98-Ubuntu SMP Wed Jun 11 20:27:07 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 12.04.4 LTS
Release: 12.04
Codename: precise
Buildbot information:
BUILDBOT_REPOSITORY=ssh://[email protected]:29418/wireshark
BUILDBOT_BUILDNUMBER=2853
BUILDBOT_URL=http://buildbot.wireshark.org/trunk/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_SLAVENAME=clang-code-analysis
BUILDBOT_GOT_REVISION=b3b1f7c3aa2233a147294bad833b748d38fba84d
Return value: 0
Dissector bug: 0
Valgrind error count: 248
Git commit
commit b3b1f7c3aa2233a147294bad833b748d38fba84d
Author: Peter Wu <[email protected]>
Date: Thu Jul 3 11:23:19 2014 +0200
logcat: improve (crash) robustness, improve names

The logcat version detector would crash with ASAN enabled because it did
not validate the payload length and hence a payload length of 0 would
trigger out-of-bounds access. (This happened on non-logcat data.)

This patch tries to get rid of all magic numbers by using a structure,
improves the version detector to validate the payload length and
prevents crashes due to missing nul-terminators in the input. Older
Android kernels would create entries with __pad with random contents, so
that cannot be used to determine version for v1. Instead, use heuristics
on the priority, tag and maybe the msg field.

Furthermore, Android is mostly (if not, always?) Little-Endian, so add
conversions where necessary (just in case WS supports BE arches).

"microseconds" has been renamed to "milliseconds" because that is what
they are, actually. A duplicate logcat_log loop has been refactored
such that one loop is sufficient, instead of separate buffers for each
log part, a single one is now used. get_priority does not really need
a pointer, just make it accept a character.

The output has been validated against v1 and v2 logcat binary formats
with __pad (hdr_size) equal to 0, and on attachment 9906.

Change-Id: I46c8813e76fe705b293ffdee85b4c1bfff7d8362
Reviewed-on: https://code.wireshark.org/review/2803
Reviewed-by: Michal Labedzki <[email protected]>
Tested-by: Michal Labedzki <[email protected]>
Command and args: ./tools/valgrind-wireshark.sh
==5561== Memcheck, a memory error detector
==5561== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==5561== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==5561== Command: /home/wireshark/builders/trunk-clang-ca/clangcodeanalysis/install/bin/tshark -nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2014-07-12-9393.pcap
==5561==
==5561== Conditional jump or move depends on uninitialised value(s)
==5561== at 0xEE7A905: dissect_dlmap_ie (msg_dlmap.c:1774)
==5561== by 0xEE7CE88: wimax_decode_dlmapc (msg_dlmap.c:2110)
==5561== by 0xEE6C19F: dissect_wimax_pdu_decoder (wimax_pdu_decoder.c:136)
==5561== by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561== by 0x660D2BD: call_dissector_work (packet.c:713)
==5561== by 0x660F220: call_dissector_with_data (packet.c:2297)
==5561== by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561== by 0x660D2BD: call_dissector_work (packet.c:713)
==5561== by 0x660DAE2: dissector_try_uint_new (packet.c:1145)
==5561== by 0x660DB36: dissector_try_uint (packet.c:1171)
==5561== by 0x6D51924: decode_udp_ports (packet-udp.c:412)
==5561== by 0x6D5206E: dissect (packet-udp.c:762)
==5561==
==5561== Conditional jump or move depends on uninitialised value(s)
==5561== at 0xEE7A90F: dissect_dlmap_ie (msg_dlmap.c:1852)
==5561== by 0xEE7CE88: wimax_decode_dlmapc (msg_dlmap.c:2110)
==5561== by 0xEE6C19F: dissect_wimax_pdu_decoder (wimax_pdu_decoder.c:136)
==5561== by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561== by 0x660D2BD: call_dissector_work (packet.c:713)
==5561== by 0x660F220: call_dissector_with_data (packet.c:2297)
==5561== by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561== by 0x660D2BD: call_dissector_work (packet.c:713)
==5561== by 0x660DAE2: dissector_try_uint_new (packet.c:1145)
==5561== by 0x660DB36: dissector_try_uint (packet.c:1171)
==5561== by 0x6D51924: decode_udp_ports (packet-udp.c:412)
==5561== by 0x6D5206E: dissect (packet-udp.c:762)
==5561==
==5561== Conditional jump or move depends on uninitialised value(s)
==5561== at 0xEE7A95D: dissect_dlmap_ie (msg_dlmap.c:1940)
==5561== by 0xEE7CE88: wimax_decode_dlmapc (msg_dlmap.c:2110)
==5561== by 0xEE6C19F: dissect_wimax_pdu_decoder (wimax_pdu_decoder.c:136)
==5561== by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561== by 0x660D2BD: call_dissector_work (packet.c:713)
==5561== by 0x660F220: call_dissector_with_data (packet.c:2297)
==5561== by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561== by 0x660D2BD: call_dissector_work (packet.c:713)
==5561== by 0x660DAE2: dissector_try_uint_new (packet.c:1145)
==5561== by 0x660DB36: dissector_try_uint (packet.c:1171)
==5561== by 0x6D51924: decode_udp_ports (packet-udp.c:412)
==5561== by 0x6D5206E: dissect (packet-udp.c:762)
==5561==
==5561== Conditional jump or move depends on uninitialised value(s)
==5561== at 0xEE7A9C5: dissect_dlmap_ie (msg_dlmap.c:1953)
==5561== by 0xEE7CE88: wimax_decode_dlmapc (msg_dlmap.c:2110)
==5561== by 0xEE6C19F: dissect_wimax_pdu_decoder (wimax_pdu_decoder.c:136)
==5561== by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561== by 0x660D2BD: call_dissector_work (packet.c:713)
==5561== by 0x660F220: call_dissector_with_data (packet.c:2297)
==5561== by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561== by 0x660D2BD: call_dissector_work (packet.c:713)
==5561== by 0x660DAE2: dissector_try_uint_new (packet.c:1145)
==5561== by 0x660DB36: dissector_try_uint (packet.c:1171)
==5561== by 0x6D51924: decode_udp_ports (packet-udp.c:412)
==5561== by 0x6D5206E: dissect (packet-udp.c:762)
==5561==
==5561== Conditional jump or move depends on uninitialised value(s)
==5561== at 0xEE7AA8D: dissect_dlmap_ie (msg_dlmap.c:1774)
==5561== by 0xEE7CE88: wimax_decode_dlmapc (msg_dlmap.c:2110)
==5561== by 0xEE6C19F: dissect_wimax_pdu_decoder (wimax_pdu_decoder.c:136)
==5561== by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561== by 0x660D2BD: call_dissector_work (packet.c:713)
==5561== by 0x660F220: call_dissector_with_data (packet.c:2297)
==5561== by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561== by 0x660D2BD: call_dissector_work (packet.c:713)
==5561== by 0x660DAE2: dissector_try_uint_new (packet.c:1145)
==5561== by 0x660DB36: dissector_try_uint (packet.c:1171)
==5561== by 0x6D51924: decode_udp_ports (packet-udp.c:412)
==5561== by 0x6D5206E: dissect (packet-udp.c:762)
==5561==
==5561==
==5561== HEAP SUMMARY:
==5561== in use at exit: 1,207,177 bytes in 29,301 blocks
==5561== total heap usage: 221,382 allocs, 192,081 frees, 28,226,687 bytes allocated
==5561==
==5561== LEAK SUMMARY:
==5561== definitely lost: 5,411 bytes in 165 blocks
==5561== indirectly lost: 36,648 bytes in 49 blocks
==5561== possibly lost: 0 bytes in 0 blocks
==5561== still reachable: 1,165,118 bytes in 29,087 blocks
==5561== suppressed: 0 bytes in 0 blocks
==5561== Rerun with --leak-check=full to see details of leaked memory
==5561==
==5561== For counts of detected and suppressed errors, rerun with: -v
==5561== Use --track-origins=yes to see where uninitialised values come from
==5561== ERROR SUMMARY: 248 errors from 5 contexts (suppressed: 3 from 3)
[ no debug trace ]