Wireshark-bugs: [Wireshark-bugs] [Bug 10135] New: Clang ASAN: heap-buffer-overflow HTTP: is_http
Bug ID |
10135
|
Summary |
Clang ASAN: heap-buffer-overflow HTTP: is_http_request_or_reply
|
Classification |
Unclassified
|
Product |
Wireshark
|
Version |
Git
|
Hardware |
All
|
OS |
All
|
Status |
UNCONFIRMED
|
Severity |
Minor
|
Priority |
Low
|
Component |
Wireshark
|
Assignee |
bugzilla-admin@wireshark.org
|
Reporter |
alexis.lagoutte@gmail.com
|
Created attachment 12769 [details]
Fuzz crash file
Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark
-v", or "tshark -v".
--
Hi,
I found a another issue with Clang ASAN
I attach the fuzz sample (because need lot of pass to crash...)
Input file: asan/657-bug1581.pcap
Build host information:
Linux dev 3.11.0-18-generic #32-Ubuntu SMP Tue Feb 18 21:11:14 UTC 2014 x86_64
x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 13.10
Release: 13.10
Codename: saucy
Return value: 1
Dissector bug: 0
Valgrind error count: 0
Command and args: ./tshark -nVxr
=================================================================
==10615==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61700001f0b1 at pc 0x7feb11d51023 bp 0x7fff3fb4be30 sp 0x7fff3fb4be28
READ of size 1 at 0x61700001f0b1 thread T0
#0 0x7feb11d51022 in wmem_strndup
/home/alagoutte/wireshark-clang/epan/wmem/wmem_strutl.c:59 (discriminator 2)
#1 0x7feb11068468 in is_http_request_or_reply
/home/alagoutte/wireshark-clang/epan/dissectors/packet-http.c:2209
#2 0x7feb11064045 in dissect_http_message
/home/alagoutte/wireshark-clang/epan/dissectors/packet-http.c:841
#3 0x7feb1106204e in dissect_http
/home/alagoutte/wireshark-clang/epan/dissectors/packet-http.c:2776
#4 0x7feb10af561a in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:622
#5 0x7feb10acd056 in try_conversation_dissector
/home/alagoutte/wireshark-clang/epan/conversation.c:1307
#6 0x7feb115e7968 in decode_tcp_ports
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:3876
#7 0x7feb115ea7e6 in process_tcp_payload
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:3992
#8 0x7feb115e87d0 in desegment_tcp
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:1868
#9 0x7feb115f20c4 in dissect_tcp
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:4871
#10 0x7feb10af5649 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
#11 0x7feb10af5298 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1144
#12 0x7feb110eaac3 in dissect_ip
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ip.c:2409
#13 0x7feb10af5649 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
#14 0x7feb10af58c9 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1144
#15 0x7feb10f3bd1a in dissect_ethertype
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ethertype.c:303
#16 0x7feb10af561a in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:622
#17 0x7feb10af89cc in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2282
#18 0x7feb10f3a876 in dissect_eth_common
/home/alagoutte/wireshark-clang/epan/dissectors/packet-eth.c:471
#19 0x7feb10af5649 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
#20 0x7feb10af58c9 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1144
#21 0x7feb10f872cd in dissect_frame
/home/alagoutte/wireshark-clang/epan/dissectors/packet-frame.c:508
#22 0x7feb10af5649 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:626
#23 0x7feb10af89cc in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2282
#24 0x7feb10af3506 in call_dissector
/home/alagoutte/wireshark-clang/epan/packet.c:2312
#25 0x7feb10ad59ce in epan_dissect_run_with_taps
/home/alagoutte/wireshark-clang/epan/epan.c:350
#26 0x4d4e68 in process_packet
/home/alagoutte/wireshark-clang/tshark.c:3537
#27 0x4d023f in load_cap_file /home/alagoutte/wireshark-clang/tshark.c:3327
#28 0x7feb097b8de4 in __libc_start_main
/build/buildd/eglibc-2.17/csu/libc-start.c:260
#29 0x4baeec in _start ??:?
0x61700001f0b1 is located 0 bytes to the right of 689-byte region
[0x61700001ee00,0x61700001f0b1)
allocated by thread T0 here:
#0 0x49ed8b in malloc ??:?
#1 0x7feb0bbe7dd0 in g_malloc ??:?
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x0c2e7fffbdc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fffbdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fffbde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fffbdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fffbe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2e7fffbe10: 00 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
0x0c2e7fffbe20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e7fffbe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fffbe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fffbe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2e7fffbe60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
ASan internal: fe
You are receiving this mail because:
- You are watching all bug changes.