Wireshark-bugs: [Wireshark-bugs] [Bug 12664] New: Fuzzed PCAP causing stack buffer overflow in r
Date: Mon, 25 Jul 2016 07:42:04 +0000
Bug ID 12664
Summary Fuzzed PCAP causing stack buffer overflow in rlc_decode_li
Product Wireshark
Version 2.0.2
Hardware x86
OS Ubuntu
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter antti.levomaki@gmail.com

Created attachment 14762 [details]
Sample PCAP

Build Information:
TShark (Wireshark) 2.0.2 (SVN Rev Unknown from unknown)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.48.0, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos, with GeoIP.

Running on Linux 4.4.0-22-generic, with locale en_GB.UTF-8, with libpcap
version
1.7.4, with libz 1.2.8, with GnuTLS 3.4.10, with Gcrypt 1.6.5.
Intel Core Processor (Haswell) (with SSE4.2)

Built using gcc 5.3.1 20160407.

--
Fuzzed PCAP causes stack buffer overflow on tshark 2.0.2 and a recent build
from repository ( commit 688d055acd523e645c1e87267dcf4a0a9867adbd ).

ASAN output from 'tshark -2 -V -r <pcap>':

=================================================================
==13949==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff11dd28a4 at pc 0x7f100127d992 bp 0x7fff11dd2600 sp 0x7fff11dd25f0
WRITE of size 1 at 0x7fff11dd28a4 thread T0
    #0 0x7f100127d991 in rlc_decode_li
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-rlc.c:1739
    #1 0x7f100127f8e2 in dissect_rlc_um
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-rlc.c:1886
    #2 0x7f10012820a4 in dissect_rlc_dcch
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-rlc.c:2473
    #3 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #4 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #5 0x7f1000919d41 in call_dissector_with_data
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #6 0x7f10014ca7d3 in dissect_mac_fdd_dch
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-umts_mac.c:564
    #7 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #8 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #9 0x7f1000919d41 in call_dissector_with_data
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #10 0x7f10014b9913 in dissect_tb_data
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-umts_fp.c:815
    #11 0x7f10014c562b in dissect_dch_channel_info
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-umts_fp.c:2557
    #12 0x7f10014c562b in dissect_fp_common
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-umts_fp.c:4419
    #13 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #14 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #15 0x7f10008f8764 in try_conversation_dissector
/workarea/fuzz/victimlibs2/wireshark/epan/conversation.c:1323
    #16 0x7f10014b2337 in decode_udp_ports
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-udp.c:537
    #17 0x7f10014b3936 in dissect
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-udp.c:1028
    #18 0x7f10014b4aad in dissect_udp
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-udp.c:1034
    #19 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #20 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #21 0x7f1000917707 in dissector_try_uint_new
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #22 0x7f1000f1fec3 in ip_try_dissect
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ip.c:1976
    #23 0x7f1000f22038 in dissect_ip_v4
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ip.c:2439
    #24 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #25 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #26 0x7f1000917707 in dissector_try_uint_new
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #27 0x7f10009177a0 in dissector_try_uint
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1213
    #28 0x7f1000d7b978 in dissect_ethertype
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-ethertype.c:262
    #29 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #30 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #31 0x7f1000919d41 in call_dissector_with_data
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #32 0x7f1000d79772 in dissect_eth_common
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-eth.c:539
    #33 0x7f1000d7a822 in dissect_eth
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-eth.c:803
    #34 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #35 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #36 0x7f1000917707 in dissector_try_uint_new
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:1187
    #37 0x7f1000dc5185 in dissect_frame
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-frame.c:507
    #38 0x7f100091692e in call_dissector_through_handle
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:648
    #39 0x7f100091692e in call_dissector_work
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:723
    #40 0x7f1000919d41 in call_dissector_with_data
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:2792
    #41 0x7f100091acb3 in dissect_record
/workarea/fuzz/victimlibs2/wireshark/epan/packet.c:531
    #42 0x7f1000901f2b in epan_dissect_run
/workarea/fuzz/victimlibs2/wireshark/epan/epan.c:365
    #43 0x410ea3 in process_packet_first_pass
/workarea/fuzz/victimlibs2/wireshark/tshark.c:2694
    #44 0x410ea3 in load_cap_file
/workarea/fuzz/victimlibs2/wireshark/tshark.c:2987
    #45 0x410ea3 in main /workarea/fuzz/victimlibs2/wireshark/tshark.c:1873
    #46 0x7f0ff9a6482f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #47 0x412608 in _start (/workarea/fuzz/bin/shark/tshark+0x412608)

Address 0x7fff11dd28a4 is located in stack of thread T0 at offset 420 in frame
    #0 0x7f100127f61f in dissect_rlc_um
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-rlc.c:1829

  This frame has 3 object(s):
    [32, 36) 'orig_num'
    [96, 120) 'ch_lookup'
    [160, 416) 'li' <== Memory access at offset 420 overflows this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/workarea/fuzz/victimlibs2/wireshark/epan/dissectors/packet-rlc.c:1739
rlc_decode_li
Shadow bytes around the buggy address:
  0x1000623b24c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b24d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b24e0: f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 f4
  0x1000623b24f0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b2500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000623b2510: 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x1000623b2520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b2530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b2540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b2550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000623b2560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==13949==ABORTING


You are receiving this mail because:
  • You are watching all bug changes.