Wireshark-bugs: [Wireshark-bugs] [Bug 11262] tshark -z io, stat, 1, SUM(ip.len) reports invalid
Date: Mon, 08 Jun 2015 21:48:22 +0000
Comment #1 on bug 11262 from Peter Wu
Also observed with this capture is an ASAN issue in the ber dissector with both
wireshark and wireshark-gtk (but not tshark) and this command:
wireshark -r https.pcapng.gz -Y ocsp
==8544==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7f8120632fca at pc 0x7f812bc23dc5 bp 0x7fff666c82d0 sp 0x7fff666c7a78
READ of size 16 at 0x7f8120632fca thread T0
#0 0x7f812bc23dc4 in __asan_memcpy
/build/gcc-multilib/src/gcc-5-20150519/libsanitizer/asan/asan_interceptors.cc:367
#1 0x7f812a0f261e in g_array_append_vals
(/usr/lib/libglib-2.0.so.0+0x1d61e)
#2 0x7f812a0f3708 in g_byte_array_append
(/usr/lib/libglib-2.0.so.0+0x1e708)
#3 0x7f811e0933e5 in proto_tree_set_bytes /tmp/wireshark/epan/proto.c:2675
#4 0x7f811e0913f7 in proto_tree_add_bytes /tmp/wireshark/epan/proto.c:2575
#5 0x7f811e093160 in proto_tree_add_bytes_format
/tmp/wireshark/epan/proto.c:2651
#6 0x7f811e3e799d in dissect_ber_integer64
/tmp/wireshark/epan/dissectors/packet-ber.c:1891
#7 0x7f811e3e8583 in dissect_ber_integer
/tmp/wireshark/epan/dissectors/packet-ber.c:1996
#8 0x7f811fbafa29 in dissect_pkix1explicit_CertificateSerialNumber
../../asn1/pkix1explicit/packet-pkix1explicit-fn.c:33
#9 0x7f811e3eb868 in dissect_ber_sequence
/tmp/wireshark/epan/dissectors/packet-ber.c:2412
#10 0x7f811fb7063e in dissect_ocsp_CertID
../../asn1/ocsp/packet-ocsp-fn.c:32
#11 0x7f811e3eb868 in dissect_ber_sequence
/tmp/wireshark/epan/dissectors/packet-ber.c:2412
#12 0x7f811fb70694 in dissect_ocsp_Request
../../asn1/ocsp/packet-ocsp-fn.c:47
#13 0x7f811e3f177e in dissect_ber_sq_of
/tmp/wireshark/epan/dissectors/packet-ber.c:3509
#14 0x7f811e3f1ad3 in dissect_ber_sequence_of
/tmp/wireshark/epan/dissectors/packet-ber.c:3540
#15 0x7f811fb706ea in dissect_ocsp_SEQUENCE_OF_Request
../../asn1/ocsp/packet-ocsp-fn.c:60
#16 0x7f811e3eb868 in dissect_ber_sequence
/tmp/wireshark/epan/dissectors/packet-ber.c:2412
#17 0x7f811fb70740 in dissect_ocsp_TBSRequest
../../asn1/ocsp/packet-ocsp-fn.c:77
#18 0x7f811e3eb868 in dissect_ber_sequence
/tmp/wireshark/epan/dissectors/packet-ber.c:2412
#19 0x7f811fb70898 in dissect_ocsp_OCSPRequest
../../asn1/ocsp/packet-ocsp-fn.c:132
#20 0x7f811fb720f5 in dissect_ocsp_request
../../asn1/ocsp/packet-ocsp-template.c:77
#21 0x7f811e04ec52 in call_dissector_through_handle
/tmp/wireshark/epan/packet.c:612
#22 0x7f811e04f2f8 in call_dissector_work /tmp/wireshark/epan/packet.c:700
#23 0x7f811e05752e in call_dissector_only /tmp/wireshark/epan/packet.c:2373
#24 0x7f811e9cd80a in dissect_http_message
/tmp/wireshark/epan/dissectors/packet-http.c:1483
#25 0x7f811e9d6317 in dissect_http
/tmp/wireshark/epan/dissectors/packet-http.c:2943
#26 0x7f811e04ec52 in call_dissector_through_handle
/tmp/wireshark/epan/packet.c:612
#27 0x7f811e04f2f8 in call_dissector_work /tmp/wireshark/epan/packet.c:700
#28 0x7f811e051e74 in dissector_try_uint_new
/tmp/wireshark/epan/packet.c:1132
#29 0x7f811f340644 in decode_tcp_ports
/tmp/wireshark/epan/dissectors/packet-tcp.c:4116
#30 0x7f811f3415a9 in process_tcp_payload
/tmp/wireshark/epan/dissectors/packet-tcp.c:4188
#31 0x7f811f334f41 in desegment_tcp
/tmp/wireshark/epan/dissectors/packet-tcp.c:1998
#32 0x7f811f341f57 in dissect_tcp_payload
/tmp/wireshark/epan/dissectors/packet-tcp.c:4255
#33 0x7f811f34dea3 in dissect_tcp
/tmp/wireshark/epan/dissectors/packet-tcp.c:5096
#34 0x7f811e04ecba in call_dissector_through_handle
/tmp/wireshark/epan/packet.c:614
#35 0x7f811e04f2f8 in call_dissector_work /tmp/wireshark/epan/packet.c:700
#36 0x7f811e051e74 in dissector_try_uint_new
/tmp/wireshark/epan/packet.c:1132
#37 0x7f811eaa0695 in ip_try_dissect
/tmp/wireshark/epan/dissectors/packet-ip.c:1964
#38 0x7f811eaa6373 in dissect_ip
/tmp/wireshark/epan/dissectors/packet-ip.c:2445
#39 0x7f811e04ecba in call_dissector_through_handle
/tmp/wireshark/epan/packet.c:614
#40 0x7f811e04f2f8 in call_dissector_work /tmp/wireshark/epan/packet.c:700
#41 0x7f811e051e74 in dissector_try_uint_new
/tmp/wireshark/epan/packet.c:1132
#42 0x7f811e051f37 in dissector_try_uint /tmp/wireshark/epan/packet.c:1158
#43 0x7f811e7d8ffc in dissect_ethertype
/tmp/wireshark/epan/dissectors/packet-ethertype.c:301
#44 0x7f811e04ec52 in call_dissector_through_handle
/tmp/wireshark/epan/packet.c:612
#45 0x7f811e04f2f8 in call_dissector_work /tmp/wireshark/epan/packet.c:700
#46 0x7f811e05752e in call_dissector_only /tmp/wireshark/epan/packet.c:2373
#47 0x7f811e057572 in call_dissector_with_data
/tmp/wireshark/epan/packet.c:2386
#48 0x7f811e7d5281 in dissect_eth_common
/tmp/wireshark/epan/dissectors/packet-eth.c:544
#49 0x7f811e7d77e6 in dissect_eth_maybefcs
/tmp/wireshark/epan/dissectors/packet-eth.c:827
#50 0x7f811e04ecba in call_dissector_through_handle
/tmp/wireshark/epan/packet.c:614
#51 0x7f811e04f2f8 in call_dissector_work /tmp/wireshark/epan/packet.c:700
#52 0x7f811e051e74 in dissector_try_uint_new
/tmp/wireshark/epan/packet.c:1132
#53 0x7f811e051f37 in dissector_try_uint /tmp/wireshark/epan/packet.c:1158
#54 0x7f811e869d36 in dissect_frame
/tmp/wireshark/epan/dissectors/packet-frame.c:496
#55 0x7f811e04ec52 in call_dissector_through_handle
/tmp/wireshark/epan/packet.c:612
#56 0x7f811e04f2f8 in call_dissector_work /tmp/wireshark/epan/packet.c:700
#57 0x7f811e05752e in call_dissector_only /tmp/wireshark/epan/packet.c:2373
#58 0x7f811e057572 in call_dissector_with_data
/tmp/wireshark/epan/packet.c:2386
#59 0x7f811e04ca00 in dissect_record /tmp/wireshark/epan/packet.c:492
#60 0x7f811e012dfe in epan_dissect_run /tmp/wireshark/epan/epan.c:332
#61 0x44a809 in cf_select_packet /tmp/wireshark/file.c:3819
#62 0x4bb30e in packet_list_select_cb
/tmp/wireshark/ui/gtk/packet_list.c:1165
#63 0x7f812a3f41f4 in g_closure_invoke
(/usr/lib/libgobject-2.0.so.0+0x101f4)
#64 0x7f812a405a00 (/usr/lib/libgobject-2.0.so.0+0x21a00)
#65 0x7f812a40e47a in g_signal_emit_valist
(/usr/lib/libgobject-2.0.so.0+0x2a47a)
#66 0x7f812a40e7ae in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2a7ae)
#67 0x7f812b5d423f (/usr/lib/libgtk-3.so.0+0x32823f)
#68 0x7f812b5d731a in gtk_tree_view_set_cursor_on_cell
(/usr/lib/libgtk-3.so.0+0x32b31a)
#69 0x4ba376 in scroll_to_and_select_iter
/tmp/wireshark/ui/gtk/packet_list.c:969
#70 0x4bac64 in packet_list_select_row_from_data
/tmp/wireshark/ui/gtk/packet_list.c:1085
#71 0x43f0a5 in rescan_packets /tmp/wireshark/file.c:2095
#72 0x43cf5a in cf_filter_packets /tmp/wireshark/file.c:1705
#73 0x495b55 in main_filter_packets
/tmp/wireshark/ui/gtk/main_filter_toolbar.c:378
#74 0x490714 in main /tmp/wireshark/ui/gtk/main.c:3233
#75 0x7f8114c5e78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
#76 0x4244d8 in _start (/tmp/wsbuild/run/wireshark-gtk+0x4244d8)
0x7f8120632fca is located 54 bytes to the left of global variable '*.LC105'
defined in '/tmp/wireshark/epan/dissectors/packet-ber.c' (0x7f8120633000) of
size 15
'*.LC105' is ascii string 'invalid length'
0x7f8120632fca is located 0 bytes to the right of global variable '*.LC104'
defined in '/tmp/wireshark/epan/dissectors/packet-ber.c' (0x7f8120632fc0) of
size 10
'*.LC104' is ascii string '%s : 0x%s'
SUMMARY: AddressSanitizer: global-buffer-overflow
/build/gcc-multilib/src/gcc-5-20150519/libsanitizer/asan/asan_interceptors.cc:367
__asan_memcpy
==8544==ABORTING