Wireshark-bugs: [Wireshark-bugs] [Bug 11264] New: global-buffer-overflow in OCSP/BER dissector
Date: Wed, 10 Jun 2015 07:45:28 +0000
| Field | Value |
|---|---|
| Bug ID | 11264 |
| Summary | global-buffer-overflow in OCSP/BER dissector |
| Product | Wireshark |
| Version | Git |
| Hardware | All |
| OS | All |
| Status | UNCONFIRMED |
| Severity | Major |
| Priority | Low |
| Component | Dissection engine (libwireshark) |
| Assignee | bugzilla-admin@wireshark.org |
| Reporter | peter@lekensteyn.nl |
| CC | alexis.lagoutte@gmail.com, pascal.quantin@gmail.com |
Build Information:

```
TShark (Wireshark) 1.99.7 (v1.99.7rc0-106-gc100e1c from master)

Copyright 1998-2015 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.44.1, without SMI, without c-ares, without ADNS,
with Lua 5.2, with GnuTLS 3.4.1, with Gcrypt 1.6.3, with MIT Kerberos, with
GeoIP.

Running on Linux 4.0.4-2-ARCH, with locale en_US.UTF-8, with libpcap version
1.6.2, with libz 1.2.8, with GnuTLS 3.4.1, with Gcrypt 1.6.3.
Intel(R) Core(TM) i5 CPU M 560 @ 2.67GHz (with SSE4.2)

Built using gcc 5.1.0.
```

--

Originally reported in bug 11262, reproduced with attachment 13655. Happens with both wireshark-gtk and wireshark-qt. Triggered by selecting an OCSP packet or by invoking this command (s/wireshark/tshark/ is not affected, tshark -2 is not tested):

```
wireshark -r https.pcapng.gz -Y ocsp
```

```
==8544==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f8120632fca at pc 0x7f812bc23dc5 bp 0x7fff666c82d0 sp 0x7fff666c7a78
READ of size 16 at 0x7f8120632fca thread T0
    #0 0x7f812bc23dc4 in __asan_memcpy /build/gcc-multilib/src/gcc-5-20150519/libsanitizer/asan/asan_interceptors.cc:367
    #1 0x7f812a0f261e in g_array_append_vals (/usr/lib/libglib-2.0.so.0+0x1d61e)
    #2 0x7f812a0f3708 in g_byte_array_append (/usr/lib/libglib-2.0.so.0+0x1e708)
    #3 0x7f811e0933e5 in proto_tree_set_bytes epan/proto.c:2675
    #4 0x7f811e0913f7 in proto_tree_add_bytes epan/proto.c:2575
    #5 0x7f811e093160 in proto_tree_add_bytes_format epan/proto.c:2651
    #6 0x7f811e3e799d in dissect_ber_integer64 epan/dissectors/packet-ber.c:1891
    #7 0x7f811e3e8583 in dissect_ber_integer epan/dissectors/packet-ber.c:1996
    #8 0x7f811fbafa29 in dissect_pkix1explicit_CertificateSerialNumber ../../asn1/pkix1explicit/packet-pkix1explicit-fn.c:33
    #9 0x7f811e3eb868 in dissect_ber_sequence epan/dissectors/packet-ber.c:2412
    #10 0x7f811fb7063e in dissect_ocsp_CertID ../../asn1/ocsp/packet-ocsp-fn.c:32
    #11 0x7f811e3eb868 in dissect_ber_sequence epan/dissectors/packet-ber.c:2412
    #12 0x7f811fb70694 in dissect_ocsp_Request ../../asn1/ocsp/packet-ocsp-fn.c:47
    #13 0x7f811e3f177e in dissect_ber_sq_of epan/dissectors/packet-ber.c:3509
    #14 0x7f811e3f1ad3 in dissect_ber_sequence_of epan/dissectors/packet-ber.c:3540
    #15 0x7f811fb706ea in dissect_ocsp_SEQUENCE_OF_Request ../../asn1/ocsp/packet-ocsp-fn.c:60
    #16 0x7f811e3eb868 in dissect_ber_sequence epan/dissectors/packet-ber.c:2412
    #17 0x7f811fb70740 in dissect_ocsp_TBSRequest ../../asn1/ocsp/packet-ocsp-fn.c:77
    #18 0x7f811e3eb868 in dissect_ber_sequence epan/dissectors/packet-ber.c:2412
    #19 0x7f811fb70898 in dissect_ocsp_OCSPRequest ../../asn1/ocsp/packet-ocsp-fn.c:132
    #20 0x7f811fb720f5 in dissect_ocsp_request ../../asn1/ocsp/packet-ocsp-template.c:77
    #21 0x7f811e04ec52 in call_dissector_through_handle epan/packet.c:612
    #22 0x7f811e04f2f8 in call_dissector_work epan/packet.c:700
    #23 0x7f811e05752e in call_dissector_only epan/packet.c:2373
    #24 0x7f811e9cd80a in dissect_http_message epan/dissectors/packet-http.c:1483
    #25 0x7f811e9d6317 in dissect_http epan/dissectors/packet-http.c:2943
    #26 0x7f811e04ec52 in call_dissector_through_handle epan/packet.c:612
    #27 0x7f811e04f2f8 in call_dissector_work epan/packet.c:700
    #28 0x7f811e051e74 in dissector_try_uint_new epan/packet.c:1132
    #29 0x7f811f340644 in decode_tcp_ports epan/dissectors/packet-tcp.c:4116
    #30 0x7f811f3415a9 in process_tcp_payload epan/dissectors/packet-tcp.c:4188
    #31 0x7f811f334f41 in desegment_tcp epan/dissectors/packet-tcp.c:1998
    #32 0x7f811f341f57 in dissect_tcp_payload epan/dissectors/packet-tcp.c:4255
    #33 0x7f811f34dea3 in dissect_tcp epan/dissectors/packet-tcp.c:5096
    #34 0x7f811e04ecba in call_dissector_through_handle epan/packet.c:614
    #35 0x7f811e04f2f8 in call_dissector_work epan/packet.c:700
    #36 0x7f811e051e74 in dissector_try_uint_new epan/packet.c:1132
    #37 0x7f811eaa0695 in ip_try_dissect epan/dissectors/packet-ip.c:1964
    #38 0x7f811eaa6373 in dissect_ip epan/dissectors/packet-ip.c:2445
    #39 0x7f811e04ecba in call_dissector_through_handle epan/packet.c:614
    #40 0x7f811e04f2f8 in call_dissector_work epan/packet.c:700
    #41 0x7f811e051e74 in dissector_try_uint_new epan/packet.c:1132
    #42 0x7f811e051f37 in dissector_try_uint epan/packet.c:1158
    #43 0x7f811e7d8ffc in dissect_ethertype epan/dissectors/packet-ethertype.c:301
    #44 0x7f811e04ec52 in call_dissector_through_handle epan/packet.c:612
    #45 0x7f811e04f2f8 in call_dissector_work epan/packet.c:700
    #46 0x7f811e05752e in call_dissector_only epan/packet.c:2373
    #47 0x7f811e057572 in call_dissector_with_data epan/packet.c:2386
    #48 0x7f811e7d5281 in dissect_eth_common epan/dissectors/packet-eth.c:544
    #49 0x7f811e7d77e6 in dissect_eth_maybefcs epan/dissectors/packet-eth.c:827
    #50 0x7f811e04ecba in call_dissector_through_handle epan/packet.c:614
    #51 0x7f811e04f2f8 in call_dissector_work epan/packet.c:700
    #52 0x7f811e051e74 in dissector_try_uint_new epan/packet.c:1132
    #53 0x7f811e051f37 in dissector_try_uint epan/packet.c:1158
    #54 0x7f811e869d36 in dissect_frame epan/dissectors/packet-frame.c:496
    #55 0x7f811e04ec52 in call_dissector_through_handle epan/packet.c:612
    #56 0x7f811e04f2f8 in call_dissector_work epan/packet.c:700
    #57 0x7f811e05752e in call_dissector_only epan/packet.c:2373
    #58 0x7f811e057572 in call_dissector_with_data epan/packet.c:2386
    #59 0x7f811e04ca00 in dissect_record epan/packet.c:492
    #60 0x7f811e012dfe in epan_dissect_run epan/epan.c:332
    #61 0x44a809 in cf_select_packet file.c:3819
    #62 0x4bb30e in packet_list_select_cb ui/gtk/packet_list.c:1165
    #63 0x7f812a3f41f4 in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x101f4)
    #64 0x7f812a405a00 (/usr/lib/libgobject-2.0.so.0+0x21a00)
    #65 0x7f812a40e47a in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x2a47a)
    #66 0x7f812a40e7ae in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2a7ae)
    #67 0x7f812b5d423f (/usr/lib/libgtk-3.so.0+0x32823f)
    #68 0x7f812b5d731a in gtk_tree_view_set_cursor_on_cell (/usr/lib/libgtk-3.so.0+0x32b31a)
    #69 0x4ba376 in scroll_to_and_select_iter ui/gtk/packet_list.c:969
    #70 0x4bac64 in packet_list_select_row_from_data ui/gtk/packet_list.c:1085
    #71 0x43f0a5 in rescan_packets file.c:2095
    #72 0x43cf5a in cf_filter_packets file.c:1705
    #73 0x495b55 in main_filter_packets ui/gtk/main_filter_toolbar.c:378
    #74 0x490714 in main ui/gtk/main.c:3233
    #75 0x7f8114c5e78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #76 0x4244d8 in _start (/tmp/wsbuild/run/wireshark-gtk+0x4244d8)

0x7f8120632fca is located 54 bytes to the left of global variable '*.LC105' defined in 'epan/dissectors/packet-ber.c' (0x7f8120633000) of size 15
  '*.LC105' is ascii string 'invalid length'
0x7f8120632fca is located 0 bytes to the right of global variable '*.LC104' defined in 'epan/dissectors/packet-ber.c' (0x7f8120632fc0) of size 10
  '*.LC104' is ascii string '%s : 0x%s'
SUMMARY: AddressSanitizer: global-buffer-overflow /build/gcc-multilib/src/gcc-5-20150519/libsanitizer/asan/asan_interceptors.cc:367 __asan_memcpy
Shadow bytes around the buggy address:
  0x0ff0a40be5a0: 00 00 05 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 07
  0x0ff0a40be5b0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0a40be5c0: 00 00 00 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 f9
  0x0ff0a40be5d0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
  0x0ff0a40be5e0: 06 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
=>0x0ff0a40be5f0: 00 00 00 05 f9 f9 f9 f9 00[02]f9 f9 f9 f9 f9 f9
  0x0ff0a40be600: 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
  0x0ff0a40be610: 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ff0a40be620: 00 00 07 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff0a40be630: 00 06 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff0a40be640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==8544==ABORTING
```