Wireshark-bugs: [Wireshark-bugs] [Bug 12754] New: AddressSanitizer: heap-buffer-overflow on addr
Date: Tue, 16 Aug 2016 21:27:57 +0000
Bug ID 12754
Summary AddressSanitizer: heap-buffer-overflow on address 0x61d0001a3e80
Product Wireshark
Version Git
Hardware x86-64
OS Ubuntu
Status UNCONFIRMED
Severity Major
Priority Low
Component TShark
Assignee bugzilla-admin@wireshark.org
Reporter mtowalski@pentest.net.pl

Created attachment 14819 [details]
PoC

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-312-g13d0d10 from master)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.40.2, with zlib 1.2.8, without
SMI, without c-ares, without Lua, with GnuTLS 2.12.23, with Gcrypt 1.5.3, with
MIT Kerberos, without GeoIP.

Running on Linux 4.2.0-27-generic, with locale LC_CTYPE=en_US.UTF-8,
LC_NUMERIC=pl_PL.UTF-8, LC_TIME=pl_PL.UTF-8, LC_COLLATE=en_US.UTF-8,
LC_MONETARY=pl_PL.UTF-8, LC_MESSAGES=en_US.UTF-8, LC_PAPER=pl_PL.UTF-8,
LC_NAME=pl_PL.UTF-8, LC_ADDRESS=pl_PL.UTF-8, LC_TELEPHONE=pl_PL.UTF-8,
LC_MEASUREMENT=pl_PL.UTF-8, LC_IDENTIFICATION=pl_PL.UTF-8, with GnuTLS 2.12.23,
with Gcrypt 1.5.3, with zlib 1.2.8.
Intel(R) Core(TM) i7 CPU         860  @ 2.80GHz (with SSE4.2)

Built using clang 4.2.1 Compatible Clang 3.9.0 (trunk 274369).
--
=================================================================
==31475==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61d0001a3e80 at pc 0x55581cfc0cd0 bp 0x7ffde7c40430 sp 0x7ffde7c3fbd8
READ of size 1320512526 at 0x61d0001a3e80 thread T0
    #0 0x55581cfc0ccf in memcpy
(/media/Fuzzing/Targets/wireshark/run/tshark+0xd0ccf)
    #1 0x7f0f454b3ece in g_array_append_vals
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x1dece)
    #2 0x7f0f454b4ff8 in g_byte_array_append
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x1eff8)
    #3 0x7f0f4ddda974 in proto_tree_set_bytes
/media/Fuzzing/Targets/wireshark/epan/proto.c:3007:3
    #4 0x7f0f4ddd6ced in proto_tree_set_bytes_tvb
/media/Fuzzing/Targets/wireshark/epan/proto.c:3016:2
    #5 0x7f0f4ddd6ced in proto_tree_new_item
/media/Fuzzing/Targets/wireshark/epan/proto.c:1863
    #6 0x7f0f4ddd899b in proto_tree_add_item_new
/media/Fuzzing/Targets/wireshark/epan/proto.c:2517:9
    #7 0x7f0f4e289bb3 in dissect_data
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-data.c:85:4
    #8 0x7f0f4dd882fd in call_dissector_through_handle
/media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #9 0x7f0f4dd882fd in call_dissector_work
/media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #10 0x7f0f4eb5f1c8 in dissect_ppp
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ppp.c:5278:5
    #11 0x7f0f4eb5f1c8 in dissect_mp
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ppp.c:5261
    #12 0x7f0f4dd882fd in call_dissector_through_handle
/media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #13 0x7f0f4dd882fd in call_dissector_work
/media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #14 0x7f0f4dd8869d in dissector_try_uint_new
/media/Fuzzing/Targets/wireshark/epan/packet.c:1188:9
    #15 0x7f0f4dd8869d in dissector_try_uint
/media/Fuzzing/Targets/wireshark/epan/packet.c:1214
    #16 0x7f0f4eb63b09 in dissect_ppp_common
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ppp.c:4323:10
    #17 0x7f0f4eb5ec44 in dissect_ppp_hdlc
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ppp.c:5356:5
    #18 0x7f0f4dd882fd in call_dissector_through_handle
/media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #19 0x7f0f4dd882fd in call_dissector_work
/media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #20 0x7f0f4dd858c8 in call_dissector_only
/media/Fuzzing/Targets/wireshark/epan/packet.c:2780:8
    #21 0x7f0f4dd858c8 in call_dissector_with_data
/media/Fuzzing/Targets/wireshark/epan/packet.c:2793
    #22 0x7f0f4e0176b6 in dissect_ascend
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ascend.c:107:7
    #23 0x7f0f4dd882fd in call_dissector_through_handle
/media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #24 0x7f0f4dd882fd in call_dissector_work
/media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #25 0x7f0f4dd87ea1 in dissector_try_uint_new
/media/Fuzzing/Targets/wireshark/epan/packet.c:1188:9
    #26 0x7f0f4e509165 in dissect_frame
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-frame.c:507:11
    #27 0x7f0f4dd882fd in call_dissector_through_handle
/media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #28 0x7f0f4dd882fd in call_dissector_work
/media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #29 0x7f0f4dd858c8 in call_dissector_only
/media/Fuzzing/Targets/wireshark/epan/packet.c:2780:8
    #30 0x7f0f4dd858c8 in call_dissector_with_data
/media/Fuzzing/Targets/wireshark/epan/packet.c:2793
    #31 0x7f0f4dd84ecb in dissect_record
/media/Fuzzing/Targets/wireshark/epan/packet.c:532:3
    #32 0x7f0f4dd67388 in epan_dissect_run_with_taps
/media/Fuzzing/Targets/wireshark/epan/epan.c:379:2
    #33 0x55581d00c435 in process_packet
/media/Fuzzing/Targets/wireshark/tshark.c:3433:5
    #34 0x55581d00c435 in load_cap_file
/media/Fuzzing/Targets/wireshark/tshark.c:3189
    #35 0x55581d00c435 in main /media/Fuzzing/Targets/wireshark/tshark.c:1893
    #36 0x7f0f44ab6f44 in __libc_start_main
/build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #37 0x55581cf38d15 in _start
(/media/Fuzzing/Targets/wireshark/run/tshark+0x48d15)

0x61d0001a3e80 is located 0 bytes to the right of 2048-byte region
[0x61d0001a3680,0x61d0001a3e80)
allocated by thread T0 here:
    #0 0x55581cfd6cbc in malloc
(/media/Fuzzing/Targets/wireshark/run/tshark+0xe6cbc)
    #1 0x7f0f454e4610 in g_malloc
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)

SUMMARY: AddressSanitizer: heap-buffer-overflow
(/media/Fuzzing/Targets/wireshark/run/tshark+0xd0ccf) in memcpy
Shadow bytes around the buggy address:
  0x0c3a8002c780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a8002c790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a8002c7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a8002c7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a8002c7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a8002c7d0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8002c7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8002c7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8002c800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8002c810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a8002c820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31475==ABORTING


You are receiving this mail because:
  • You are watching all bug changes.