Wireshark-bugs: [Wireshark-bugs] [Bug 10897] New: Clang ASAN : AddressSanitizer: global-buffer-o

Date: Tue, 27 Jan 2015 17:08:48 +0000
Bug ID: 10897
Summary: Clang ASAN : AddressSanitizer: global-buffer-overflow ANSI
Product: Wireshark
Version: Git
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: Minor
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Build Information:

--
I am fuzzing Wireshark with ASAN
(http://clang.llvm.org/docs/AddressSanitizer.html) and it found the following
issue:


Input file: ../menagerie/public/2386-e60_92_.pcap

Build host information:
Linux dev 3.11.0-18-generic #32-Ubuntu SMP Tue Feb 18 21:11:14 UTC 2014 x86_64
x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description:    Ubuntu 13.10
Release:        13.10
Codename:       saucy

Return value:  1

Dissector bug:  0

Valgrind error count:  0



=================================================================
==23693==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7f5a7412a62f at pc 0x7f5a72b1a8eb bp 0x7ffffaf64770 sp 0x7ffffaf64768
READ of size 1 at 0x7f5a7412a62f thread T0
    #0 0x7f5a72b1a8ea in tele_param_cb_num
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ansi_637.c:1454
    #1 0x7f5a72b167a0 in dissect_ansi_637_tele_message
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ansi_637.c:2261
    #2 0x7f5a729cb509 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:630
    #3 0x7f5a729cb789 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1149
    #4 0x7f5a737c47f2 in dissect_ansi_map_SMS_TeleserviceIdentifier
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/ansi_map/ansi_map.cnf:341
    #5 0x7f5a72ba3d17 in dissect_ber_set
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ber.c:2666
    #6 0x7f5a737c64bf in dissect_ansi_map_SMSDeliveryPointToPoint_U
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/ansi_map/ansi_map.cnf:672
    #7 0x7f5a72b9ab1c in dissect_ber_tagged_type
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ber.c:713
    #8 0x7f5a737bb415 in dissect_ansi_map_HandoffMeasurementRequest
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/ansi_map/ansi_map.cnf:754
    #9 0x7f5a729cb4da in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
    #10 0x7f5a729c98bc in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2394
    #11 0x7f5a737cfc95 in find_tcap_subdissector
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/ansi_tcap/packet-ansi_tcap-template.c:350
    #12 0x7f5a737cfeb5 in dissect_ansi_tcap_T_parameter
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:88
    #13 0x7f5a72ba2647 in dissect_ber_sequence
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ber.c:2418
    #14 0x7f5a737cf479 in dissect_ansi_tcap_Invoke
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:97
    #15 0x7f5a72ba4f87 in dissect_ber_choice
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ber.c:2916
    #16 0x7f5a737cf431 in dissect_ansi_tcap_ComponentPDU
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:256
    #17 0x7f5a72ba701c in dissect_ber_sq_of
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ber.c:3515
    #18 0x7f5a72ba77b5 in dissect_ber_sequence_of
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ber.c:3546
    #19 0x7f5a737cf3ef in dissect_ansi_tcap_SEQUENCE_OF_ComponentPDU
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:270
    #20 0x7f5a72b9aacf in dissect_ber_tagged_type
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ber.c:710
    #21 0x7f5a737cf3ad in dissect_ansi_tcap_ComponentSequence
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:280
    #22 0x7f5a72ba2647 in dissect_ber_sequence
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ber.c:2418
    #23 0x7f5a737ce6a4 in dissect_ansi_tcap_TransactionPDU
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:145
    #24 0x7f5a72ba4f87 in dissect_ber_choice
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ber.c:2916
    #25 0x7f5a737ce42c in dissect_ansi_tcap_PackageType
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:173
    #26 0x7f5a729cb509 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:630
    #27 0x7f5a729c98bc in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2394
    #28 0x7f5a73cbf286 in dissect_tcap
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/tcap/packet-tcap-template.c:2006
    #29 0x7f5a729cb509 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:630
    #30 0x7f5a729cb158 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1149
    #31 0x7f5a733ebc0b in dissect_sccp_data_param
/home/alagoutte/wireshark-clang/epan/dissectors/packet-sccp.c:2344
(discriminator 1)
    #32 0x7f5a733eb26f in dissect_sccp_parameter
/home/alagoutte/wireshark-clang/epan/dissectors/packet-sccp.c:2557
    #33 0x7f5a733eb5fb in dissect_sccp_variable_parameter
/home/alagoutte/wireshark-clang/epan/dissectors/packet-sccp.c:2638
    #34 0x7f5a733e800b in dissect_sccp_message
/home/alagoutte/wireshark-clang/epan/dissectors/packet-sccp.c:2949
    #35 0x7f5a729cb509 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:630
    #36 0x7f5a729cb789 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1149
    #37 0x7f5a7319b204 in dissect_mtp3_payload
/home/alagoutte/wireshark-clang/epan/dissectors/packet-mtp3.c:646
    #38 0x7f5a729cb509 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:630
    #39 0x7f5a729cb789 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1149
    #40 0x7f5a72e89d19 in dissect_frame
/home/alagoutte/wireshark-clang/epan/dissectors/packet-frame.c:494
    #41 0x7f5a729cb4da in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
    #42 0x7f5a729c98bc in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2394
    #43 0x7f5a729c939b in dissect_record
/home/alagoutte/wireshark-clang/epan/packet.c:499
    #44 0x7f5a729a9cae in epan_dissect_run_with_taps
/home/alagoutte/wireshark-clang/epan/epan.c:346
    #45 0x4d7a39 in process_packet
/home/alagoutte/wireshark-clang/tshark.c:3619
    #46 0x4d2eee in load_cap_file /home/alagoutte/wireshark-clang/tshark.c:3380
    #47 0x7f5a69134de4 in __libc_start_main
/build/buildd/eglibc-2.17/csu/libc-start.c:260
    #48 0x4c157c in _start ??:?

0x7f5a7412a62f is located 49 bytes to the left of global variable '<string
literal>' defined in 'packet-ansi_637.c:1766:17' (0x7f5a7412a660) of size 8
  '<string literal>' is ascii string 'Unknown'
0x7f5a7412a62f is located 0 bytes to the right of global variable 'air_digits'
defined in 'packet-ansi_637.c:205:28' (0x7f5a7412a620) of size 15
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0febce81d470: 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 02 f9
  0x0febce81d480: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0febce81d490: f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9 00 03 f9 f9
  0x0febce81d4a0: f9 f9 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
  0x0febce81d4b0: 00 00 00 02 f9 f9 f9 f9 00 00 00 00 00 01 f9 f9
=>0x0febce81d4c0: f9 f9 f9 f9 00[07]f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0febce81d4d0: f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9 00 00 00 00
  0x0febce81d4e0: 01 f9 f9 f9 f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9
  0x0febce81d4f0: 00 05 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 05 f9
  0x0febce81d500: f9 f9 f9 f9 00 00 00 00 00 00 00 03 f9 f9 f9 f9
  0x0febce81d510: 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==23693==ABORTING

