Wireshark-bugs: [Wireshark-bugs] [Bug 9717] New: Clang ASAN : heap-buffer-overflow string_fvalue
Date: Mon, 03 Feb 2014 13:28:42 +0000
Bug ID 9717
Summary Clang ASAN : heap-buffer-overflow string_fvalue_set_string
Classification Unclassified
Product Wireshark
Version Git
Hardware All
OS All
Status UNCONFIRMED
Severity Normal
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter alexis.lagoutte@gmail.com

Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark
-v", or "tshark -v".
--
I fuzzing wireshark with ASAN (
http://clang.llvm.org/docs/AddressSanitizer.html) and it found the following
issue :


Input file: ../menagerie/public/874-wimaxasncp-rand1.pcap


Command and args: ./tshark -nVxr

=================================================================
==10900==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61b000013a5c at pc 0x45ffce bp 0x7fff666b8c50 sp 0x7fff666b8c30
READ of size 1435 at 0x61b000013a5c thread T0
    #0 0x45ffcd in __interceptor_strlen ??:?
    #1 0x7f856af3c0b2 in g_strdup ??:?
    #2 0x7f856fd06c31 in string_fvalue_set_string
/home/alagoutte/wireshark-clang/epan/ftypes/ftype-string.c:55
    #3 0x7f856fc6cdb2 in proto_tree_set_string
/home/alagoutte/wireshark-clang/epan/proto.c:2782
    #4 0x7f856fc6d266 in proto_tree_add_string_format
/home/alagoutte/wireshark-clang/epan/proto.c:2718
    #5 0x7f8562ae1aea in wimaxasncp_dissect_tlv_value
/home/alagoutte/wireshark-clang/plugins/wimaxasncp/packet-wimaxasncp.c:843
    #6 0x7f8562ad819b in dissect_wimaxasncp_backend
/home/alagoutte/wireshark-clang/plugins/wimaxasncp/packet-wimaxasncp.c:2087
    #7 0x7f856fc3836d in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:593
    #8 0x7f856fc3864b in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1115
    #9 0x7f85707a0be1 in decode_udp_ports
/home/alagoutte/wireshark-clang/epan/dissectors/packet-udp.c:413
    #10 0x7f85707a3f0e in dissect
/home/alagoutte/wireshark-clang/epan/dissectors/packet-udp.c:752
    #11 0x7f856fc38399 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:597
    #12 0x7f856fc37ff3 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1115
    #13 0x7f8570242737 in dissect_ip
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ip.c:2403
    #14 0x7f856fc38399 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:597
    #15 0x7f856fc3864b in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1115
    #16 0x7f857009134e in dissect_ethertype
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ethertype.c:305
    #17 0x7f856fc3836d in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:593
    #18 0x7f856fc3b68c in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2224
    #19 0x7f857008fdc2 in dissect_eth_common
/home/alagoutte/wireshark-clang/epan/dissectors/packet-eth.c:472
    #20 0x7f856fc38399 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:597
    #21 0x7f856fc3864b in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1115
    #22 0x7f85700dcdae in dissect_frame
/home/alagoutte/wireshark-clang/epan/dissectors/packet-frame.c:490
    #23 0x7f856fc38399 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:597
    #24 0x7f856fc3b68c in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2224
    #25 0x7f856fc36221 in call_dissector
/home/alagoutte/wireshark-clang/epan/packet.c:2254
    #26 0x7f856fc16e18 in epan_dissect_run_with_taps
/home/alagoutte/wireshark-clang/epan/epan.c:329
    #27 0x4a5235 in process_packet
/home/alagoutte/wireshark-clang/tshark.c:3487
    #28 0x4a0c23 in load_cap_file /home/alagoutte/wireshark-clang/tshark.c:3277
    #29 0x7f8568af5de4 in __libc_start_main
/build/buildd/eglibc-2.17/csu/libc-start.c:260
    #30 0x4898ec in _start ??:?

0x61b000013a5c is located 0 bytes to the right of 1500-byte region
[0x61b000013480,0x61b000013a5c)
allocated by thread T0 here:
    #0 0x471ad1 in malloc ??:?
    #1 0x7f856af24dd0 in g_malloc ??:?
    #2 0x4a2e94 in cf_open /home/alagoutte/wireshark-clang/tshark.c:3952
    #3 0x49f140 in main /home/alagoutte/wireshark-clang/tshark.c:2001
    #4 0x7f8568af5de4 in __libc_start_main
/build/buildd/eglibc-2.17/csu/libc-start.c:260

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c367fffa6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffa700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffa710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffa720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffa730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffa740: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
  0x0c367fffa750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffa760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffa770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffa780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffa790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==10900==ABORTING


You are receiving this mail because:
  • You are watching all bug changes.