Hi,
On Mon, Aug 12, 2013 at 05:17:50PM +0200, Alexis La Goutte wrote:
> I will try the ASAN feature (
> http://clang.llvm.org/docs/AddressSanitizer.html )
>
> I tried to fuzz some captures from menagerie but I already have an issue with
> editcap (libwiretap)
>
> ./editcap -E 0.5 ../menagerie/public/10014-packet-mount-len.pcap
> /tmp/fuz.pcap |& ./asan_symbolize.py
> =================================================================
> ==15448==ERROR: AddressSanitizer: stack-buffer-overflow on address
> 0x7fff7e959c70 at pc 0x43a0d3 bp 0x7fff7e959890 sp 0x7fff7e959050
> READ of size 112 at 0x7fff7e959c70 thread T0
> #0 0x43a0d2 in memcpy ??:0
> #1 0x7faee0ab0f8d in ?? ??:0
> #2 0x7faee1667a7a in pcapng_dump_open wireshark/wiretap/pcapng.c:3631
> #3 0x7faee160b254 in wtap_dump_open_finish
> wireshark/wiretap/file_access.c:1507
> #4 0x45ceb1 in main wireshark/editcap.c:1205
> #5 0x7faedfea876c in ?? ??:0
> #6 0x45aeec in _start ??:0
> Address 0x7fff7e959c70 is located in stack of thread T0 at offset 560 in
> frame
> #0 0x7faee166679f in pcapng_dump_open wireshark/wiretap/pcapng.c:3593
>
> I know it may be a false positive... (and I am not an expert in memory
> stuff...)
For me it's not:
Check types:
3596 **interface_data_t** interface_data;
3604 pcapng->interface_data = g_array_new(FALSE, FALSE, sizeof(**wtapng_if_descr_t**));
3631 g_array_append_val(pcapng->interface_data, interface_data);
wtapng_if_descr_t (big structure from wtap.h) != interface_data_t (16B from pcapng.h)
g_array_append_val() is trying to memcpy() 112B of interface_data (where only 16B is available) -- stack buffer overflow.
Banzai for ASAN! ;]
Kuba.
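As an added example (not code from this thread or from Wireshark), here is the same element-size mismatch reproduced against a minimal GArray-like container whose append refuses a value whose size differs from the element size the array was created with. The two structure stand-ins, their sizes (16 B and 112 B) and the `sized_array_*` API are constructed for this example to match what Kuba describes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the two structures in the report, sized as Kuba
 * describes them (16 bytes vs. 112 bytes); not the real wiretap types. */
typedef struct { uint32_t wtap_encap; uint32_t time_units_per_second; uint64_t pad; } interface_data_t;
typedef struct { uint8_t fields[112]; } wtapng_if_descr_t;

/* Minimal GArray-like container: like g_array_new() it records only the element
 * size, and like g_array_append_val() an append copies elem_size bytes from
 * whatever address it is handed, trusting the caller about the value's type. */
typedef struct { unsigned char *data; size_t elem_size, len, cap; } sized_array_t;

static sized_array_t *sized_array_new(size_t elem_size) {
    sized_array_t *a = calloc(1, sizeof *a);
    if (a) a->elem_size = elem_size;
    return a;
}
static void sized_array_free(sized_array_t *a) { if (a) { free(a->data); free(a); } }

/* Checked append: the caller states how big the value it holds really is, and a
 * mismatch is refused instead of memcpy() reading past the end of the object,
 * which is what the unchecked g_array_append_val() did in pcapng_dump_open(). */
static int sized_array_append_checked(sized_array_t *a, const void *val, size_t val_size) {
    if (!a || val_size != a->elem_size) return -1;   /* the 16 B vs 112 B case */
    if (a->len == a->cap) {
        size_t cap = a->cap ? a->cap * 2 : 4;
        unsigned char *p = realloc(a->data, cap * a->elem_size);
        if (!p) return -1;
        a->data = p; a->cap = cap;
    }
    memcpy(a->data + a->len * a->elem_size, val, a->elem_size);
    a->len++;
    return 0;
}
/* sizeof(v) comes from the variable itself, so the check cannot drift from it. */
#define SIZED_ARRAY_APPEND_VAL(a, v) sized_array_append_checked((a), &(v), sizeof(v))

/* Returns -1 for the report's pairing (array created for wtapng_if_descr_t,
 * value is an interface_data_t) and the new length, 1, once they agree. */
static int demo_append(size_t elem_size) {
    sized_array_t *a = sized_array_new(elem_size);
    interface_data_t interface_data = {0};
    int rc = SIZED_ARRAY_APPEND_VAL(a, interface_data) == 0 ? (int)a->len : -1;
    sized_array_free(a);
    return rc;
}
```

With GLib itself there is no such size check, so the practical equivalent is keeping the `g_array_new()` element type and the appended variable's type in the same place (or a `G_STATIC_ASSERT` on their sizes) and running the test suite under ASAN, as done here.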