Wireshark-bugs: [Wireshark-bugs] [Bug 12664] New: Fuzzed PCAP causing stack buffer overflow in r

Date: Mon, 25 Jul 2016 07:42:04 +0000
Bug ID 12664
Summary Fuzzed PCAP causing stack buffer overflow in rlc_decode_li
Product Wireshark
Version 2.0.2
Hardware x86
OS Ubuntu
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 14762
Sample PCAP

Build Information:
TShark (Wireshark) 2.0.2 (SVN Rev Unknown from unknown)

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.48.0, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos, with GeoIP.

Running on Linux 4.4.0-22-generic, with locale en_GB.UTF-8, with libpcap
version 1.7.4, with libz 1.2.8, with GnuTLS 3.4.10, with Gcrypt 1.6.5.
Intel Core Processor (Haswell) (with SSE4.2)

Built using gcc 5.3.1 20160407.

--
Fuzzed PCAP causes stack buffer overflow on tshark 2.0.2 and a recent build
from repository (commit 688d055acd523e645c1e87267dcf4a0a9867adbd).

ASAN output from 'tshark -2 -V -r <pcap>':

=================================================================
==13949==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff11dd28a4 at pc 0x7f100127d992 bp 0x7fff11dd2600 sp 0x7fff11dd25f0
WRITE of size 1 at 0x7fff11dd28a4 thread T0
    #0 0x7f100127d991 in rlc_decode_li
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-rlc.c:1739
    #1 0x7f100127f8e2 in dissect_rlc_um
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-rlc.c:1886
    #2 0x7f10012820a4 in dissect_rlc_dcch
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-rlc.c:2473
    #3 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #4 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #5 0x7f1000919d41 in call_dissector_with_data
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #6 0x7f10014ca7d3 in dissect_mac_fdd_dch
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-umts_mac.c:564
    #7 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #8 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #9 0x7f1000919d41 in call_dissector_with_data
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #10 0x7f10014b9913 in dissect_tb_data
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-umts_fp.c:815
    #11 0x7f10014c562b in dissect_dch_channel_info
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-umts_fp.c:2557
    #12 0x7f10014c562b in dissect_fp_common
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-umts_fp.c:4419
    #13 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #14 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #15 0x7f10008f8764 in try_conversation_dissector
/workarea/fuzz/victimlibs2/wireshark/epan/conversation.c:1323
    #16 0x7f10014b2337 in decode_udp_ports
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-udp.c:537
    #17 0x7f10014b3936 in dissect
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-udp.c:1028
    #18 0x7f10014b4aad in dissect_udp
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-udp.c:1034
    #19 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #20 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #21 0x7f1000917707 in dissector_try_uint_new
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #22 0x7f1000f1fec3 in ip_try_dissect
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ip.c:1976
    #23 0x7f1000f22038 in dissect_ip_v4
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ip.c:2439
    #24 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #25 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #26 0x7f1000917707 in dissector_try_uint_new
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #27 0x7f10009177a0 in dissector_try_uint
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1213
    #28 0x7f1000d7b978 in dissect_ethertype
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ethertype.c:262
    #29 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #30 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #31 0x7f1000919d41 in call_dissector_with_data
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #32 0x7f1000d79772 in dissect_eth_common
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-eth.c:539
    #33 0x7f1000d7a822 in dissect_eth
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-eth.c:803
    #34 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #35 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #36 0x7f1000917707 in dissector_try_uint_new
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #37 0x7f1000dc5185 in dissect_frame
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-frame.c:507
    #38 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #39 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #40 0x7f1000919d41 in call_dissector_with_data
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #41 0x7f100091acb3 in dissect_record
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:531
    #42 0x7f1000901f2b in epan_dissect_run
/workarea/fuzz/victimlibs2/wireshark/epan/epan.c:365
    #43 0x410ea3 in process_packet_first_pass
/workarea/fuzz/victimlibs2/wireshark/tshark.c:2694
    #44 0x410ea3 in load_cap_file
/workarea/fuzz/victimlibs2/wireshark/tshark.c:2987
    #45 0x410ea3 in main /workarea/fuzz/victimlibs2/wireshark/tshark.c:1873
    #46 0x7f0ff9a6482f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #47 0x412608 in _start (/workarea/fuzz/bin/shark/tshark+0x412608)

Address 0x7fff11dd28a4 is located in stack of thread T0 at offset 420 in frame
    #0 0x7f100127f61f in dissect_rlc_um
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-rlc.c:1829

  This frame has 3 object(s):
    [32, 36) 'orig_num'
    [96, 120) 'ch_lookup'
    [160, 416) 'li' <== Memory access at offset 420 overflows this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-rlc.c:1739
rlc_decode_li
Shadow bytes around the buggy address:
  0x1000623b24c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b24d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b24e0: f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 f4
  0x1000623b24f0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b2500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000623b2510: 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x1000623b2520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b2530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b2540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b2550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b2560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==13949==ABORTING
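The frame description above places the 1-byte write at offset 420, four bytes past the 256-byte 'li' object ([160, 416)) in dissect_rlc_um's frame: the length-indicator decoder wrote one entry beyond the array it was given. The C program below is an added illustration, not Wireshark's packet-rlc.c: it models a length-indicator decoder that fills a fixed 16-entry stack array and shows the bound check (num_li >= max_li) that stops this class of overflow before the write. The struct layout, the 1-byte LI encoding (7-bit value plus extension bit) and the MAX_LI value are assumptions chosen so the array is 256 bytes like the one in the report; all inputs are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed, not Wireshark's layout: 16 entries of 16 bytes = 256 bytes, the
 * same size as the 'li' object ([160, 416)) in the ASAN frame description. */
#define MAX_LI 16

struct rlc_li {
    uint16_t li;      /* length indicator value */
    uint8_t  ext;     /* extension bit: 1 = another LI follows */
    uint8_t  pad[13]; /* padding so sizeof(struct rlc_li) == 16 */
};

/* Decode a chain of 1-byte length indicators (assumed encoding: 7-bit LI,
 * low bit = extension flag) into a caller-supplied array of max_li entries.
 * The chain length is input-controlled: it ends only when a byte has the
 * extension bit clear. Without the num_li >= max_li check, a chain longer
 * than max_li keeps writing past the end of out[], the same
 * stack-buffer-overflow shape ASAN reports above (offset 420 lies just past
 * the 'li' object ending at 416).
 * Returns the number of LIs decoded, or -1 if the chain is truncated or
 * would not fit in out[]. */
int decode_li_bounded(const uint8_t *buf, size_t len,
                      struct rlc_li *out, int max_li)
{
    int num_li = 0;
    size_t off = 0;
    for (;;) {
        if (off >= len)
            return -1;            /* extension bit set but no byte follows */
        if (num_li >= max_li)
            return -1;            /* malformed: more LIs than the array holds */
        uint8_t b = buf[off++];
        memset(&out[num_li], 0, sizeof out[num_li]);
        out[num_li].li  = b >> 1;
        out[num_li].ext = b & 1;
        num_li++;
        if (!(b & 1))
            break;                /* last LI in the chain */
    }
    return num_li;
}

/* Constructed fuzz-like input: 20 LIs, every one with the extension bit set,
 * so the chain does not terminate within MAX_LI entries. */
int decode_fuzzed_chain(void)
{
    uint8_t chain[20];
    struct rlc_li out[MAX_LI];
    memset(chain, 0x03, sizeof chain);
    return decode_li_bounded(chain, sizeof chain, out, MAX_LI);
}

/* Constructed well-formed input: LI=2 (ext=1), then LI=5 (ext=0). */
int decode_short_chain(struct rlc_li *out)
{
    const uint8_t chain[] = { 0x05, 0x0a };
    return decode_li_bounded(chain, sizeof chain, out, MAX_LI);
}

/* Constructed boundary input: exactly MAX_LI entries, the last terminating. */
int decode_full_chain(void)
{
    uint8_t chain[MAX_LI];
    struct rlc_li out[MAX_LI];
    memset(chain, 0x03, sizeof chain);
    chain[MAX_LI - 1] = 0x02;    /* extension bit clear on the 16th LI */
    return decode_li_bounded(chain, sizeof chain, out, MAX_LI);
}

int main(void)
{
    struct rlc_li out[MAX_LI];
    printf("fuzzed chain -> %d (rejected)\n", decode_fuzzed_chain());
    printf("full chain   -> %d LIs\n", decode_full_chain());
    int n = decode_short_chain(out);
    printf("short chain  -> %d LIs, first LI=%u ext=%u\n",
           n, (unsigned)out[0].li, (unsigned)out[0].ext);
    return 0;
}
```

The bound check is placed before the write rather than after it, so a chain that would need a 17th entry is rejected without touching out[16]; rejecting the PDU as malformed is the defensive choice a dissector should make, since nothing about the chain's length can be trusted once the packet comes from a fuzzer or a hostile peer.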

