Wireshark-bugs: [Wireshark-bugs] [Bug 11527] Buildbot crash output: fuzz-2015-09-14-12129.pcap

Date Prev · Date Next · Thread Prev · Thread Next
Date: Mon, 30 Nov 2015 23:22:14 +0000

Comment # 5 on bug 11527 from
Still a problem in v2.1.0rc0-857-g370d32d

Below is valgrind log (with -fsanitize=undefined enabled too). I have no idea
where the UBsan warning comes from (it also occurred without valgrind and with
a separate ASAN build). Could be a Clang 3.7.0 bug.

The UBsan error could also not be reproduced with this minimum example that
covers the same parameters...
// =====================================================================
#include "airpdcap_system.h"
UINT8 m[] = {0x88, 0x41, 0x2c, 0x0, 0x0, 0x1d, 0x73, 0x7b, 0x9e, 0x4b, 0x0,
0x21, 0x6b, 0x67, 0x5b, 0x6, 0x0, 0x1d, 0x73, 0x7b, 0x9e, 0x4a, 0x30, 0xaa};
gint mac_header_len = 26;
INT len = 94;
UCHAR TK1[16] = {0x86, 0x3c, 0x37, 0x78, 0x6c, 0x76, 0x65, 0xdb, 0xb9,
    0x1e, 0x83, 0x28, 0xde, 0x2f, 0xa3, 0xce};
int main(void) {
    AirPDcapCcmpDecrypt(m, mac_header_len, len, TK1);
    return 0;
}
// =====================================================================

==7552== Memcheck, a memory error detector
==7552== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==7552== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==7552== Command: run/tshark -nr fuzz-2015-09-14-12129.pcap
==7552==
==7552== Conditional jump or move depends on uninitialised value(s)
==7552==    at 0x7612993: AirPDcapDecryptWPABroadcastKey (airpdcap.c:421)
==7552==    by 0x7611AF7: AirPDcapRsna4WHandshake (airpdcap.c:1405)
==7552==    by 0x7607670: AirPDcapScanForKeys (airpdcap.c:563)
==7552==    by 0x7606437: AirPDcapPacketProcess (airpdcap.c:695)
==7552==    by 0x8377337: dissect_ieee80211_common (packet-ieee80211.c:17767)
==7552==    by 0x8352178: dissect_ieee80211 (packet-ieee80211.c:18375)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==    by 0x7422C29: call_dissector_work (packet.c:691)
==7552==    by 0x742DC92: call_dissector_only (packet.c:2662)
==7552==    by 0x741CC04: call_dissector_with_data (packet.c:2675)
==7552==    by 0x831FB8F: dissect_wlan_radio (packet-ieee80211-radio.c:975)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==
==7552== Conditional jump or move depends on uninitialised value(s)
==7552==    at 0x76128E9: AirPDcapDecryptWPABroadcastKey (airpdcap.c:415)
==7552==    by 0x7611AF7: AirPDcapRsna4WHandshake (airpdcap.c:1405)
==7552==    by 0x7607670: AirPDcapScanForKeys (airpdcap.c:563)
==7552==    by 0x7606437: AirPDcapPacketProcess (airpdcap.c:695)
==7552==    by 0x8377337: dissect_ieee80211_common (packet-ieee80211.c:17767)
==7552==    by 0x8352178: dissect_ieee80211 (packet-ieee80211.c:18375)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==    by 0x7422C29: call_dissector_work (packet.c:691)
==7552==    by 0x742DC92: call_dissector_only (packet.c:2662)
==7552==    by 0x741CC04: call_dissector_with_data (packet.c:2675)
==7552==    by 0x831FB8F: dissect_wlan_radio (packet-ieee80211-radio.c:975)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==
==7552== Conditional jump or move depends on uninitialised value(s)
==7552==    at 0x761295B: AirPDcapDecryptWPABroadcastKey (airpdcap.c:419)
==7552==    by 0x7611AF7: AirPDcapRsna4WHandshake (airpdcap.c:1405)
==7552==    by 0x7607670: AirPDcapScanForKeys (airpdcap.c:563)
==7552==    by 0x7606437: AirPDcapPacketProcess (airpdcap.c:695)
==7552==    by 0x8377337: dissect_ieee80211_common (packet-ieee80211.c:17767)
==7552==    by 0x8352178: dissect_ieee80211 (packet-ieee80211.c:18375)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==    by 0x7422C29: call_dissector_work (packet.c:691)
==7552==    by 0x742DC92: call_dissector_only (packet.c:2662)
==7552==    by 0x741CC04: call_dissector_with_data (packet.c:2675)
==7552==    by 0x831FB8F: dissect_wlan_radio (packet-ieee80211-radio.c:975)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==
==7552== Use of uninitialised value of size 8
==7552==    at 0x761297E: AirPDcapDecryptWPABroadcastKey (airpdcap.c:419)
==7552==    by 0x7611AF7: AirPDcapRsna4WHandshake (airpdcap.c:1405)
==7552==    by 0x7607670: AirPDcapScanForKeys (airpdcap.c:563)
==7552==    by 0x7606437: AirPDcapPacketProcess (airpdcap.c:695)
==7552==    by 0x8377337: dissect_ieee80211_common (packet-ieee80211.c:17767)
==7552==    by 0x8352178: dissect_ieee80211 (packet-ieee80211.c:18375)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==    by 0x7422C29: call_dissector_work (packet.c:691)
==7552==    by 0x742DC92: call_dissector_only (packet.c:2662)
==7552==    by 0x741CC04: call_dissector_with_data (packet.c:2675)
==7552==    by 0x831FB8F: dissect_wlan_radio (packet-ieee80211-radio.c:975)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==
==7552== Conditional jump or move depends on uninitialised value(s)
==7552==    at 0x76129A9: AirPDcapDecryptWPABroadcastKey (airpdcap.c:422)
==7552==    by 0x7611AF7: AirPDcapRsna4WHandshake (airpdcap.c:1405)
==7552==    by 0x7607670: AirPDcapScanForKeys (airpdcap.c:563)
==7552==    by 0x7606437: AirPDcapPacketProcess (airpdcap.c:695)
==7552==    by 0x8377337: dissect_ieee80211_common (packet-ieee80211.c:17767)
==7552==    by 0x8352178: dissect_ieee80211 (packet-ieee80211.c:18375)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==    by 0x7422C29: call_dissector_work (packet.c:691)
==7552==    by 0x742DC92: call_dissector_only (packet.c:2662)
==7552==    by 0x741CC04: call_dissector_with_data (packet.c:2675)
==7552==    by 0x831FB8F: dissect_wlan_radio (packet-ieee80211-radio.c:975)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==
==7552== Conditional jump or move depends on uninitialised value(s)
==7552==    at 0x7612A06: AirPDcapDecryptWPABroadcastKey (airpdcap.c:425)
==7552==    by 0x7611AF7: AirPDcapRsna4WHandshake (airpdcap.c:1405)
==7552==    by 0x7607670: AirPDcapScanForKeys (airpdcap.c:563)
==7552==    by 0x7606437: AirPDcapPacketProcess (airpdcap.c:695)
==7552==    by 0x8377337: dissect_ieee80211_common (packet-ieee80211.c:17767)
==7552==    by 0x8352178: dissect_ieee80211 (packet-ieee80211.c:18375)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==    by 0x7422C29: call_dissector_work (packet.c:691)
==7552==    by 0x742DC92: call_dissector_only (packet.c:2662)
==7552==    by 0x741CC04: call_dissector_with_data (packet.c:2675)
==7552==    by 0x831FB8F: dissect_wlan_radio (packet-ieee80211-radio.c:975)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==
==7552== Use of uninitialised value of size 8
==7552==    at 0x7612A29: AirPDcapDecryptWPABroadcastKey (airpdcap.c:425)
==7552==    by 0x7611AF7: AirPDcapRsna4WHandshake (airpdcap.c:1405)
==7552==    by 0x7607670: AirPDcapScanForKeys (airpdcap.c:563)
==7552==    by 0x7606437: AirPDcapPacketProcess (airpdcap.c:695)
==7552==    by 0x8377337: dissect_ieee80211_common (packet-ieee80211.c:17767)
==7552==    by 0x8352178: dissect_ieee80211 (packet-ieee80211.c:18375)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==    by 0x7422C29: call_dissector_work (packet.c:691)
==7552==    by 0x742DC92: call_dissector_only (packet.c:2662)
==7552==    by 0x741CC04: call_dissector_with_data (packet.c:2675)
==7552==    by 0x831FB8F: dissect_wlan_radio (packet-ieee80211-radio.c:975)
==7552==    by 0x743162A: call_dissector_through_handle (packet.c:616)
==7552==
epan/crypt/airpdcap_ccmp.c:228:7: runtime error: left shift of 170 by 24 places
cannot be represented in type 'int'
==7553== Warning: invalid file descriptor 1024 in syscall close()
    #0 0x7616a85 in AirPDcapCcmpDecrypt epan/crypt/airpdcap_ccmp.c:228:7
    #1 0x76099c7 in AirPDcapRsnaMng epan/crypt/airpdcap.c:1034:22
    #2 0x7606848 in AirPDcapPacketProcess epan/crypt/airpdcap.c:757:17
    #3 0x8377337 in dissect_ieee80211_common
epan/dissectors/packet-ieee80211.c:17767:9
    #4 0x8352178 in dissect_ieee80211
epan/dissectors/packet-ieee80211.c:18375:10
    #5 0x743162a in call_dissector_through_handle epan/packet.c:616:8
    #6 0x7422c29 in call_dissector_work epan/packet.c:691:9
    #7 0x742dc92 in call_dissector_only epan/packet.c:2662:8
    #8 0x741cc04 in call_dissector_with_data epan/packet.c:2675:8
    #9 0x831fb8f in dissect_wlan_radio
epan/dissectors/packet-ieee80211-radio.c:975:10
    #10 0x743162a in call_dissector_through_handle epan/packet.c:616:8
    #11 0x7422c29 in call_dissector_work epan/packet.c:691:9
    #12 0x742dc92 in call_dissector_only epan/packet.c:2662:8
    #13 0x741cc04 in call_dissector_with_data epan/packet.c:2675:8
    #14 0x8a66f56 in dissect_ppi epan/dissectors/packet-ppi.c:1133:9
    #15 0x743162a in call_dissector_through_handle epan/packet.c:616:8
    #16 0x7422c29 in call_dissector_work epan/packet.c:691:9
    #17 0x7422026 in dissector_try_uint_new epan/packet.c:1148:9
    #18 0x80c2769 in dissect_frame epan/dissectors/packet-frame.c:500:11
    #19 0x743162a in call_dissector_through_handle epan/packet.c:616:8
    #20 0x7422c29 in call_dissector_work epan/packet.c:691:9
    #21 0x742dc92 in call_dissector_only epan/packet.c:2662:8
    #22 0x741cc04 in call_dissector_with_data epan/packet.c:2675:8
    #23 0x741c454 in dissect_record epan/packet.c:501:3
    #24 0x73ad8d8 in epan_dissect_run_with_taps epan/epan.c:373:2
    #25 0x1ce274 in process_packet tshark.c:3728:5
    #26 0x1c8db4 in load_cap_file tshark.c:3484:11
    #27 0x1c1f3a in main tshark.c:2197:13
    #28 0xf3b260f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #29 0x18c768 in _start (run/tshark+0x84768)

==7552==
==7552== HEAP SUMMARY:
==7552==     in use at exit: 1,000,363 bytes in 27,887 blocks
==7552==   total heap usage: 267,469 allocs, 239,582 frees, 32,324,560 bytes
allocated
==7552==
==7552== LEAK SUMMARY:
==7552==    definitely lost: 2,657 bytes in 108 blocks
==7552==    indirectly lost: 36,448 bytes in 48 blocks
==7552==      possibly lost: 0 bytes in 0 blocks
==7552==    still reachable: 961,258 bytes in 27,731 blocks
==7552==         suppressed: 0 bytes in 0 blocks
==7552== Rerun with --leak-check=full to see details of leaked memory
==7552==
==7552== For counts of detected and suppressed errors, rerun with: -v
==7552== Use --track-origins=yes to see where uninitialised values come from
==7552== ERROR SUMMARY: 16 errors from 7 contexts (suppressed: 0 from 0)


You are receiving this mail because:
  • You are watching all bug changes.