Bug ID | 11262
Summary | tshark -z io,stat,1,SUM(ip.len) reports invalid stats, triggers ASAN buffer overrun
Product | Wireshark
Version | Git
Hardware | All
OS | All
Status | UNCONFIRMED
Severity | Major
Priority | Low
Component | TShark
Assignee | [email protected]
Reporter | [email protected]
Created attachment 13655: https.pcapng.gz - subject capture file
Build Information:
TShark (Wireshark) 1.99.7 (v1.99.7rc0-106-gc100e1c from master)
Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.44.1, without SMI, without c-ares, without ADNS,
with Lua 5.2, with GnuTLS 3.4.1, with Gcrypt 1.6.3, with MIT Kerberos, with
GeoIP.
Running on Linux 4.0.4-2-ARCH, with locale en_US.UTF-8, with libpcap version
1.6.2, with libz 1.2.8, with GnuTLS 3.4.1, with Gcrypt 1.6.3.
Intel(R) Core(TM) i5 CPU M 560 @ 2.67GHz (with SSE4.2)
Built using gcc 5.1.0.
--
The attached attachment triggers an ASAN violation with this command:
tshark -r https.pcapng.gz -z 'io,stat,1,SUM(ip.len)' -q
=========================
| IO Statistics |
| |
=================================================================
==6655==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000212a8b
at pc 0x7f0e1ee9e679 bp 0x7ffcc15842c0 sp 0x7ffcc1583a38
READ of size 1 at 0x603000212a8b thread T0
#0 0x7f0e1ee9e678 in printf_common
/build/gcc-multilib/src/gcc-5-20150519/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:542
#1 0x7f0e1ee9ec87 in __interceptor_vprintf
/build/gcc-multilib/src/gcc-5-20150519/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:906
#2 0x7f0e1ee9ed97 in __interceptor_printf
/build/gcc-multilib/src/gcc-5-20150519/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:942
#3 0x45ca7d in iostat_draw /tmp/wireshark/ui/cli/tap-iostat.c:818
#4 0x7f0e13097149 in draw_tap_listeners /tmp/wireshark/epan/tap.c:448
#5 0x41c03b in main /tmp/wireshark/tshark.c:2257
#6 0x7f0e0a17578f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
#7 0x40ab78 in _start (/tmp/wsbuild/run/tshark+0x40ab78)
0x603000212a8b is located 1 bytes to the right of 26-byte region
[0x603000212a70,0x603000212a8a)
allocated by thread T0 here:
#0 0x7f0e1eed69da in __interceptor_malloc
/build/gcc-multilib/src/gcc-5-20150519/libsanitizer/asan/asan_malloc_linux.cc:38
#1 0x7f0e0b2564c9 in g_malloc (/usr/lib/libglib-2.0.so.0+0x4f4c9)
#2 0x7f0e13097149 in draw_tap_listeners /tmp/wireshark/epan/tap.c:448
#3 0x41c03b in main /tmp/wireshark/tshark.c:2257
#4 0x7f0e0a17578f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/build/gcc-multilib/src/gcc-5-20150519/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:542
printf_common
Shadow bytes around the buggy address:
0x0c068003a500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c068003a510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c068003a520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c068003a530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c068003a540: fa fa fa fa fa fa fa fa 00 00 00 05 fa fa 00 00
=>0x0c068003a550: 00[02]fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x0c068003a560: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
0x0c068003a570: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
0x0c068003a580: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
0x0c068003a590: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fd
0x0c068003a5a0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==6655==ABORTING
gdb reports borderlen==25 and this is the head output without ASAN (on tshark
1.12.5-2 on Arch Linux x86_64):
=========================
| IO Statistics |
| |
| Duration: 43.341901 secs|
| Interval: 1 secs |
| |
| Col 1: SUM(ip.len) |
|-----------------------|
| |1 | |
| Interval | SUM | |
|----------------| |
| 0 <> 1 | 0 | |
| 1 <> 2 | 0 | |
| 2 <> 3 | 0 | |
| 3 <> 4 | 0 | |
| 4 <> 5 | 0 | |
| 5 <> 6 | 0 | |
| 6 <> 7 | 0 | |
| 7 <> 8 | 0 | |
while this was the output for tshark 1.10.6-1 (Ubuntu 14.04 x86_64):
====================================
| IO Statistics |
| |
| Interval size: 1 secs |
| Col 1: Frames and bytes |
| 2: SUM(ip.len) |
|----------------------------------|
| |1 |2 |
| Interval | Frames | Bytes | SUM |
|----------------------------------|
| 0 <> 1 | 28 | 6205 | 0 |
| 1 <> 2 | 0 | 0 | 0 |
| 2 <> 3 | 6 | 396 | 0 |
| 3 <> 4 | 0 | 0 | 0 |
| 4 <> 5 | 2 | 114 | 0 |
| 5 <> 6 | 29 | 9019 | 0 |
| 6 <> 7 | 14 | 5476 | 0 |
| 7 <> 8 | 322 | 169038 | 0 |
| 8 <> 9 | 44 | 38627 | 0 |
| 9 <> 10 | 0 | 0 | 0 |
Something has regressed between 1.10 and 1.12, needs some investigation.
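The ASAN report above is a one-byte READ past a 26-byte heap region while printf() walks a string in iostat_draw(), and gdb reports borderlen == 25. The following is an added C example, not Wireshark's code and not a confirmed root cause, that reproduces the usual shape of such a defect (assumed here: a buffer of borderlen + 1 bytes filled end to end and never NUL-terminated, so "%s" runs off the allocation) beside the corrected allocation, plus a memchr-based check a caller can apply before handing a heap string to "%s". All function names are hypothetical; the borderlen value is the one from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the pattern consistent with the report:
 * a 26-byte region, borderlen == 25, and a 1-byte read past the end from
 * inside printf(). Not Wireshark's tap-iostat.c. */

/* Buggy variant (assumed pattern): allocates borderlen + 1 bytes but fills
 * every byte, so the slot reserved for the terminator holds '=' instead. */
static char *make_border_buggy(size_t borderlen) {
    char *border = malloc(borderlen + 1);
    if (!border) return NULL;
    memset(border, '=', borderlen + 1);   /* off-by-one: clobbers the NUL slot */
    return border;
}

/* Fixed variant: fill borderlen bytes and terminate explicitly. */
static char *make_border_fixed(size_t borderlen) {
    char *border = malloc(borderlen + 1);
    if (!border) return NULL;
    memset(border, '=', borderlen);
    border[borderlen] = '\0';
    return border;
}

/* Check before printf("%s"): is a NUL present within the first `alloc` bytes?
 * memchr never reads beyond `alloc`, so the check itself stays in bounds even
 * on the buggy buffer. */
static int is_terminated_within(const char *buf, size_t alloc) {
    return buf != NULL && memchr(buf, '\0', alloc) != NULL;
}

/* Builds one variant, checks it, frees it; returns 1 if safe to print, 0 if not. */
static int border_is_safe(size_t borderlen, int use_fixed) {
    char *b = use_fixed ? make_border_fixed(borderlen) : make_border_buggy(borderlen);
    int ok = is_terminated_within(b, borderlen + 1);
    free(b);
    return ok;
}

int main(void) {
    size_t borderlen = 25;            /* value gdb reported in the bug */
    char *bad  = make_border_buggy(borderlen);
    char *good = make_border_fixed(borderlen);
    if (!bad || !good) return 1;

    /* printf("%s", bad) would be the same read past the 26-byte region that
     * ASAN flags above; the check keeps this program clean under ASAN. */
    if (is_terminated_within(bad, borderlen + 1))
        printf("%s\n", bad);
    else
        printf("buggy border: no NUL within %zu bytes, not printing\n", borderlen + 1);

    printf("%s\n", good);
    free(bad);
    free(good);
    return 0;
}
```

Run it under -fsanitize=address with the guard removed to see the same heap-buffer-overflow signature as the report; with the guard in place the buggy buffer is rejected before printf() touches it.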