Wireshark-bugs: [Wireshark-bugs] [Bug 10121] New: Clang ASAN : heap-buffer-overflow Token Ring :
Date: Tue, 20 May 2014 13:02:55 +0000
Bug ID 10121
Summary Clang ASAN : heap-buffer-overflow Token Ring : add_ring_bridge_pairs
Classification Unclassified
Product Wireshark
Version Git
Hardware All
OS All
Status UNCONFIRMED
Severity Minor
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter alexis.lagoutte@gmail.com

Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark
-v", or "tshark -v".
--
I am fuzzing Wireshark with ASAN (
http://clang.llvm.org/docs/AddressSanitizer.html) and it found the following
issue:

Input file: ../menagerie/public/sna1.trc.gz (File is available here
http://marc.info/?l=ethereal-dev&m=87686071115762&w=2 )

Build host information:
Linux dev 3.11.0-18-generic #32-Ubuntu SMP Tue Feb 18 21:11:14 UTC 2014 x86_64
x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description:    Ubuntu 13.10
Release:        13.10
Codename:       saucy

Return value:  1

Dissector bug:  0

Valgrind error count:  0



=================================================================
==11918==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60d000037596 at pc 0x48a0b2 bp 0x7fff923abd70 sp 0x7fff923ab530
READ of size 103 at 0x60d000037596 thread T0
    #0 0x48a0b1 in __interceptor_strlen ??:?
    #1 0x7f66f579b0b2 in g_strdup ??:?
    #2 0x7f66fa747961 in string_fvalue_set_string
/home/alagoutte/wireshark-clang/epan/ftypes/ftype-string.c:53
    #3 0x7f66fa6acab4 in proto_tree_set_string
/home/alagoutte/wireshark-clang/epan/proto.c:3062
    #4 0x7f66fb1b0747 in add_ring_bridge_pairs
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tr.c:632
    #5 0x7f66fa679d19 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:596
    #6 0x7f66fa679f99 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1114
    #7 0x7f66fab06e53 in dissect_frame
/home/alagoutte/wireshark-clang/epan/dissectors/packet-frame.c:488
    #8 0x7f66fa679d19 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:596
    #9 0x7f66fa67d03c in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2251
    #10 0x7f66fa677c84 in call_dissector
/home/alagoutte/wireshark-clang/epan/packet.c:2281
    #11 0x7f66fa65a418 in epan_dissect_run_with_taps
/home/alagoutte/wireshark-clang/epan/epan.c:348
    #12 0x4d44db in process_packet
/home/alagoutte/wireshark-clang/tshark.c:3537
    #13 0x4cf8df in load_cap_file /home/alagoutte/wireshark-clang/tshark.c:3327
    #14 0x7f66f3354de4 in __libc_start_main
/build/buildd/eglibc-2.17/csu/libc-start.c:260
    #15 0x4ba62c in _start ??:?

0x60d000037596 is located 0 bytes to the right of 134-byte region
[0x60d000037510,0x60d000037596)
allocated by thread T0 here:
    #0 0x49ea3b in malloc ??:?
    #1 0x7f66f5783dd0 in g_malloc ??:?
    #2 0x7f66fa679d19 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:596

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c1a7fffee60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fffee70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fffee80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fffee90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fffeea0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a7fffeeb0: 00 00[06]fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1a7fffeec0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c1a7fffeed0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fffeee0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1a7fffeef0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fffef00: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==11918==ABORTING
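What the trace above shows is a string built from packet data being handed to a
strlen()-based API (g_strdup, reached from proto_tree_set_string) with no
terminator in reach: the 103-byte read ends 0 bytes past a 134-byte heap region.
The example below is an added illustration of that bug class and of the
bounded-append pattern that avoids it; it is not Wireshark's code and not the
code at packet-tr.c:632. The route-descriptor layout (2 bytes each, 12-bit ring
number then 4-bit bridge number) follows IEEE 802.5 source routing; the function
names, the sample bytes and the buffer sizes are my own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Check that a buffer about to be handed to a strlen()/g_strdup()-style API
 * actually contains a terminator within its known size. Returns 1 if it does.
 * This is the check that was missing on the path in the ASAN report above. */
int field_is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Format IEEE 802.5 source-routing route descriptors as "ring(bridge)" pairs
 * joined by '-'. rif points at the descriptors (the bytes after the 2-byte
 * routing control field), len is their length in bytes; each descriptor is
 * 2 bytes: a 12-bit ring number followed by a 4-bit bridge number.
 * out is always NUL-terminated when outsz > 0 and is never written past
 * out[outsz-1]. The return value is the length of the full, untruncated
 * string (snprintf semantics), so a caller can detect truncation.
 * Hypothetical function, not Wireshark's add_ring_bridge_pairs(). */
size_t format_ring_bridge_pairs(const uint8_t *rif, size_t len,
                                char *out, size_t outsz)
{
    size_t pos = 0;                          /* logical output length */

    if (outsz > 0)
        out[0] = '\0';                       /* empty result is still a string */

    for (size_t i = 0; i + 1 < len; i += 2) { /* a trailing odd byte is ignored */
        unsigned ring   = ((unsigned)rif[i] << 4) | (rif[i + 1] >> 4);
        unsigned bridge = rif[i + 1] & 0x0fu;
        size_t remain   = pos < outsz ? outsz - pos : 0;
        /* With remain == 0, snprintf(NULL, 0, ...) only measures; it never
         * touches memory past the end of out. */
        int n = snprintf(remain ? out + pos : NULL, remain,
                         "%s%u(%u)", i ? "-" : "", ring, bridge);
        if (n < 0)
            break;                           /* encoding error: keep what we have */
        pos += (size_t)n;
    }
    return pos;
}

int main(void)
{
    /* Constructed sample: ring 0x001 via bridge 1, then ring 0x002 (bridge 0). */
    const uint8_t rif[] = { 0x00, 0x11, 0x00, 0x20 };
    char big[64], small[5];

    size_t full  = format_ring_bridge_pairs(rif, sizeof rif, big, sizeof big);
    size_t trunc = format_ring_bridge_pairs(rif, sizeof rif, small, sizeof small);
    printf("%s (len %zu)\n", big, full);
    printf("%s (needed %zu, had %zu)\n", small, trunc, sizeof small);

    /* A packet-sized region copied without a terminator is exactly what
     * strlen() runs off the end of; check it before passing it on. */
    char raw[4];
    memcpy(raw, "abcd", 4);
    printf("raw terminated: %d\n", field_is_terminated(raw, sizeof raw));
    return 0;
}
```

Built with -fsanitize=address, the raw[] case above trips the same
heap-buffer-overflow class the report shows if raw is malloc'd and passed to
g_strdup(); field_is_terminated() is the cheap guard, and the snprintf-based
formatter is the shape that makes the guard unnecessary because the output
string is terminated by construction.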

