Wireshark-bugs: [Wireshark-bugs] [Bug 12752] New: AddressSanitizer: stack-buffer-overflow on add
Bug ID |
12752
|
Summary |
AddressSanitizer: stack-buffer-overflow on address 0x7ffee55f4350
|
Product |
Wireshark
|
Version |
Git
|
Hardware |
x86-64
|
OS |
Ubuntu
|
Status |
UNCONFIRMED
|
Severity |
Major
|
Priority |
Low
|
Component |
TShark
|
Assignee |
bugzilla-admin@wireshark.org
|
Reporter |
mtowalski@pentest.net.pl
|
Created attachment 14818 [details]
PoC
Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-312-g13d0d10 from master)
Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) without libpcap, with GLib 2.40.2, with zlib 1.2.8, without
SMI, without c-ares, without Lua, with GnuTLS 2.12.23, with Gcrypt 1.5.3, with
MIT Kerberos, without GeoIP.
Running on Linux 4.2.0-27-generic, with locale LC_CTYPE=en_US.UTF-8,
LC_NUMERIC=pl_PL.UTF-8, LC_TIME=pl_PL.UTF-8, LC_COLLATE=en_US.UTF-8,
LC_MONETARY=pl_PL.UTF-8, LC_MESSAGES=en_US.UTF-8, LC_PAPER=pl_PL.UTF-8,
LC_NAME=pl_PL.UTF-8, LC_ADDRESS=pl_PL.UTF-8, LC_TELEPHONE=pl_PL.UTF-8,
LC_MEASUREMENT=pl_PL.UTF-8, LC_IDENTIFICATION=pl_PL.UTF-8, with GnuTLS 2.12.23,
with Gcrypt 1.5.3, with zlib 1.2.8.
Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz (with SSE4.2)
Built using clang 4.2.1 Compatible Clang 3.9.0 (trunk 274369).
--
=================================================================
==24799==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffee55f4350 at pc 0x7f16a97756b6 bp 0x7ffee55f4170 sp 0x7ffee55f4168
WRITE of size 4 at 0x7ffee55f4350 thread T0
#0 0x7f16a97756b5 in parse_outhdr_string
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-catapult-dct2000.c:1405:46
#1 0x7f16a97756b5 in dissect_catapult_dct2000
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-catapult-dct2000.c:2205
#2 0x7f16a93162fd in call_dissector_through_handle
/media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
#3 0x7f16a93162fd in call_dissector_work
/media/Fuzzing/Targets/wireshark/epan/packet.c:724
#4 0x7f16a9315ea1 in dissector_try_uint_new
/media/Fuzzing/Targets/wireshark/epan/packet.c:1188:9
#5 0x7f16a9a97165 in dissect_frame
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-frame.c:507:11
#6 0x7f16a93162fd in call_dissector_through_handle
/media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
#7 0x7f16a93162fd in call_dissector_work
/media/Fuzzing/Targets/wireshark/epan/packet.c:724
#8 0x7f16a93138c8 in call_dissector_only
/media/Fuzzing/Targets/wireshark/epan/packet.c:2780:8
#9 0x7f16a93138c8 in call_dissector_with_data
/media/Fuzzing/Targets/wireshark/epan/packet.c:2793
#10 0x7f16a9312ecb in dissect_record
/media/Fuzzing/Targets/wireshark/epan/packet.c:532:3
#11 0x7f16a92f5388 in epan_dissect_run_with_taps
/media/Fuzzing/Targets/wireshark/epan/epan.c:379:2
#12 0x55e045a73435 in process_packet
/media/Fuzzing/Targets/wireshark/tshark.c:3433:5
#13 0x55e045a73435 in load_cap_file
/media/Fuzzing/Targets/wireshark/tshark.c:3189
#14 0x55e045a73435 in main /media/Fuzzing/Targets/wireshark/tshark.c:1893
#15 0x7f16a0044f44 in __libc_start_main
/build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
#16 0x55e04599fd15 in _start
(/media/Fuzzing/Targets/wireshark/run/tshark+0x48d15)
Address 0x7ffee55f4350 is located in stack of thread T0 at offset 464 in frame
#0 0x7f16a976c2ff in dissect_catapult_dct2000
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-catapult-dct2000.c:2076
This frame has 18 object(s):
[32, 36) 'number_of_ues.i'
[48, 128) 'ueids.i'
[160, 240) 'rntis.i'
[272, 276) 'rapid.i'
[288, 292) 'rach_attempt_number.i'
[304, 308) 'temp.i'
[320, 324) 'next_offset.i'
[336, 464) 'digit_array.i' <== Memory access at offset 464 overflows this
variable
[496, 500) 'context_length'
[512, 516) 'protocol_length'
[528, 532) 'timestamp_length'
[544, 548) 'variant_length'
[560, 564) 'outhdr_length'
[576, 584) 'string'
[608, 616) 'string2776'
[640, 656) 'sourcev6'
[672, 688) 'destv6'
[704, 896) 'dotted_protocol_name'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-catapult-dct2000.c:1405:46
in parse_outhdr_string
Shadow bytes around the buggy address:
0x10005cab6810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cab6820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cab6830: f1 f1 f1 f1 04 f2 00 00 00 00 00 00 00 00 00 00
0x10005cab6840: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 f2 f2
0x10005cab6850: f2 f2 04 f2 04 f2 04 f2 04 f2 00 00 00 00 00 00
=>0x10005cab6860: 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2 04 f2
0x10005cab6870: 04 f2 04 f2 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2
0x10005cab6880: 00 00 f2 f2 00 00 f2 f2 00 00 00 00 00 00 00 00
0x10005cab6890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cab68a0: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x10005cab68b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==24799==ABORTING
You are receiving this mail because:
- You are watching all bug changes.