Wireshark-bugs: [Wireshark-bugs] [Bug 12754] New: AddressSanitizer: heap-buffer-overflow on addr
Bug ID    | 12754
Summary   | AddressSanitizer: heap-buffer-overflow on address 0x61d0001a3e80
Product   | Wireshark
Version   | Git
Hardware  | x86-64
OS        | Ubuntu
Status    | UNCONFIRMED
Severity  | Major
Priority  | Low
Component | TShark
Assignee  | bugzilla-admin@wireshark.org
Reporter  | mtowalski@pentest.net.pl
Created attachment 14819 [details]
PoC
Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-312-g13d0d10 from master)
Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) without libpcap, with GLib 2.40.2, with zlib 1.2.8, without
SMI, without c-ares, without Lua, with GnuTLS 2.12.23, with Gcrypt 1.5.3, with
MIT Kerberos, without GeoIP.
Running on Linux 4.2.0-27-generic, with locale LC_CTYPE=en_US.UTF-8,
LC_NUMERIC=pl_PL.UTF-8, LC_TIME=pl_PL.UTF-8, LC_COLLATE=en_US.UTF-8,
LC_MONETARY=pl_PL.UTF-8, LC_MESSAGES=en_US.UTF-8, LC_PAPER=pl_PL.UTF-8,
LC_NAME=pl_PL.UTF-8, LC_ADDRESS=pl_PL.UTF-8, LC_TELEPHONE=pl_PL.UTF-8,
LC_MEASUREMENT=pl_PL.UTF-8, LC_IDENTIFICATION=pl_PL.UTF-8, with GnuTLS 2.12.23,
with Gcrypt 1.5.3, with zlib 1.2.8.
Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz (with SSE4.2)
Built using clang 4.2.1 Compatible Clang 3.9.0 (trunk 274369).
--
=================================================================
==31475==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0001a3e80 at pc 0x55581cfc0cd0 bp 0x7ffde7c40430 sp 0x7ffde7c3fbd8
READ of size 1320512526 at 0x61d0001a3e80 thread T0
    #0 0x55581cfc0ccf in memcpy (/media/Fuzzing/Targets/wireshark/run/tshark+0xd0ccf)
    #1 0x7f0f454b3ece in g_array_append_vals (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x1dece)
    #2 0x7f0f454b4ff8 in g_byte_array_append (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x1eff8)
    #3 0x7f0f4ddda974 in proto_tree_set_bytes /media/Fuzzing/Targets/wireshark/epan/proto.c:3007:3
    #4 0x7f0f4ddd6ced in proto_tree_set_bytes_tvb /media/Fuzzing/Targets/wireshark/epan/proto.c:3016:2
    #5 0x7f0f4ddd6ced in proto_tree_new_item /media/Fuzzing/Targets/wireshark/epan/proto.c:1863
    #6 0x7f0f4ddd899b in proto_tree_add_item_new /media/Fuzzing/Targets/wireshark/epan/proto.c:2517:9
    #7 0x7f0f4e289bb3 in dissect_data /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-data.c:85:4
    #8 0x7f0f4dd882fd in call_dissector_through_handle /media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #9 0x7f0f4dd882fd in call_dissector_work /media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #10 0x7f0f4eb5f1c8 in dissect_ppp /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ppp.c:5278:5
    #11 0x7f0f4eb5f1c8 in dissect_mp /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ppp.c:5261
    #12 0x7f0f4dd882fd in call_dissector_through_handle /media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #13 0x7f0f4dd882fd in call_dissector_work /media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #14 0x7f0f4dd8869d in dissector_try_uint_new /media/Fuzzing/Targets/wireshark/epan/packet.c:1188:9
    #15 0x7f0f4dd8869d in dissector_try_uint /media/Fuzzing/Targets/wireshark/epan/packet.c:1214
    #16 0x7f0f4eb63b09 in dissect_ppp_common /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ppp.c:4323:10
    #17 0x7f0f4eb5ec44 in dissect_ppp_hdlc /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ppp.c:5356:5
    #18 0x7f0f4dd882fd in call_dissector_through_handle /media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #19 0x7f0f4dd882fd in call_dissector_work /media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #20 0x7f0f4dd858c8 in call_dissector_only /media/Fuzzing/Targets/wireshark/epan/packet.c:2780:8
    #21 0x7f0f4dd858c8 in call_dissector_with_data /media/Fuzzing/Targets/wireshark/epan/packet.c:2793
    #22 0x7f0f4e0176b6 in dissect_ascend /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-ascend.c:107:7
    #23 0x7f0f4dd882fd in call_dissector_through_handle /media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #24 0x7f0f4dd882fd in call_dissector_work /media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #25 0x7f0f4dd87ea1 in dissector_try_uint_new /media/Fuzzing/Targets/wireshark/epan/packet.c:1188:9
    #26 0x7f0f4e509165 in dissect_frame /media/Fuzzing/Targets/wireshark/epan/dissectors/packet-frame.c:507:11
    #27 0x7f0f4dd882fd in call_dissector_through_handle /media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #28 0x7f0f4dd882fd in call_dissector_work /media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #29 0x7f0f4dd858c8 in call_dissector_only /media/Fuzzing/Targets/wireshark/epan/packet.c:2780:8
    #30 0x7f0f4dd858c8 in call_dissector_with_data /media/Fuzzing/Targets/wireshark/epan/packet.c:2793
    #31 0x7f0f4dd84ecb in dissect_record /media/Fuzzing/Targets/wireshark/epan/packet.c:532:3
    #32 0x7f0f4dd67388 in epan_dissect_run_with_taps /media/Fuzzing/Targets/wireshark/epan/epan.c:379:2
    #33 0x55581d00c435 in process_packet /media/Fuzzing/Targets/wireshark/tshark.c:3433:5
    #34 0x55581d00c435 in load_cap_file /media/Fuzzing/Targets/wireshark/tshark.c:3189
    #35 0x55581d00c435 in main /media/Fuzzing/Targets/wireshark/tshark.c:1893
    #36 0x7f0f44ab6f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #37 0x55581cf38d15 in _start (/media/Fuzzing/Targets/wireshark/run/tshark+0x48d15)

0x61d0001a3e80 is located 0 bytes to the right of 2048-byte region [0x61d0001a3680,0x61d0001a3e80)
allocated by thread T0 here:
    #0 0x55581cfd6cbc in malloc (/media/Fuzzing/Targets/wireshark/run/tshark+0xe6cbc)
    #1 0x7f0f454e4610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/media/Fuzzing/Targets/wireshark/run/tshark+0xd0ccf) in memcpy
Shadow bytes around the buggy address:
0x0c3a8002c780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a8002c790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a8002c7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a8002c7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a8002c7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a8002c7d0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a8002c7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a8002c7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a8002c800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a8002c810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a8002c820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==31475==ABORTING