[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop

2019-05-08 Thread bugzilla-daemon
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978

--- Comment #14 from Peter Wu  ---
Fixed denial of service (assertion failure) in
v3.1.0rc0-704-gf3a86c02dd
v3.0.2rc0-43-g1f42a581cf
v2.6.9rc0-16-gff4b8613ff

This was only reproducible with fuzzshark as that allows larger packet sizes
(see comment 2).

I don't think this is worth a CVE though.

-- 
You are receiving this mail because:
You are watching all bug changes.___
Sent via:Wireshark-bugs mailing list 
Archives:https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
 mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

2019-05-08 Thread bugzilla-daemon

--- Comment #13 from Gerrit Code Review  ---
Change 33123 merged by Peter Wu:
frame: increase EXCEPTION_TREE_ITEMS.

https://code.wireshark.org/review/33123

2019-05-08 Thread bugzilla-daemon

--- Comment #12 from Gerrit Code Review  ---
Change 33123 had a related patch set uploaded by Peter Wu:
frame: increase EXCEPTION_TREE_ITEMS.

https://code.wireshark.org/review/33123

2019-05-08 Thread bugzilla-daemon

--- Comment #11 from Gerrit Code Review  ---
Change 33122 merged by Peter Wu:
frame: increase EXCEPTION_TREE_ITEMS.

https://code.wireshark.org/review/33122

2019-05-08 Thread bugzilla-daemon

--- Comment #10 from Gerrit Code Review  ---
Change 33122 had a related patch set uploaded by Peter Wu:
frame: increase EXCEPTION_TREE_ITEMS.

https://code.wireshark.org/review/33122

2019-05-08 Thread bugzilla-daemon

Dario Lombardo  changed:

   What|Removed |Added

 Status|CONFIRMED   |RESOLVED
 Resolution|--- |FIXED

2019-05-07 Thread bugzilla-daemon

--- Comment #9 from Gerrit Code Review  ---
Change 33060 merged by Dario Lombardo:
frame: increase EXCEPTION_TREE_ITEMS.

https://code.wireshark.org/review/33060

2019-05-05 Thread bugzilla-daemon

--- Comment #8 from Peter Wu  ---
Created attachment 17106
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17106&action=edit
Backtraces for the exception and 7 proto items using v3.1.0rc0-662-gfd30adca44

I am still able to reproduce this issue with master v3.1.0rc0-662-gfd30adca44
and the reproducer from the oss-fuzz issue tracker:

HOME=/x FUZZSHARK_TABLE=ip.proto FUZZSHARK_TARGET=ospf fuzzshark
clusterfuzz-testcase-minimized-fuzzshark_ip_proto-ospf-5128657784799232

Attached are the traces for watchpoints on changes to
parent_tree.tree_data.count, this revealed 7 nodes that were added from the
catch block in epan/expert.c:759

show_reported_bounds_error adds a proto node and calls expert_add_info:
1. _ws.malformed - protocol node via epan/show_exception.c:177
expert_create_tree adds two items:
2. _ws.malformed - expert tree via epan/expert.c:480
3. _ws.malformed - protocol filter because group==PI_MALFORMED via
epan/expert.c:488
Because an explicit ei field was given: "add_expert_info(..., &ei_malformed)",
two fields are added instead of one:
4. _ws.malformed.expert - none node via epan/expert.c:543
5. _ws.expert.message - string node via epan/expert.c:545
Two more fields are added for the severity and group:
6. _ws.expert.severity - uint node via epan/expert.c:549
7. _ws.expert.group - uint node via epan/expert.c:552

So this problem would never occur when an exception is triggered via
DISSECTOR_ASSERT, but only for ReportedBoundsError exceptions (which occur when
 trying to use proto_tree_add_item with invalid bounds for a tvb).

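Added example, not part of the thread and not Wireshark source: a small C model of the accounting described in comment #8, where the error path itself adds seven nodes and so needs at least seven items held back from the tree limit. `model_tree`, `first_rejected_node` and the reserve values tried are hypothetical; the limit of 100 is the one quoted in the comment #5 error message.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_TREE_ITEMS 100u /* limit quoted in the comment #5 error message */

/* The seven nodes comment #8 lists for a ReportedBoundsError, in order. */
static const char *const bounds_error_nodes[] = {
    "_ws.malformed",        /* 1. protocol node */
    "_ws.malformed",        /* 2. expert tree */
    "_ws.malformed",        /* 3. protocol filter (group == PI_MALFORMED) */
    "_ws.malformed.expert", /* 4. none node for the explicit ei field */
    "_ws.expert.message",   /* 5. string node */
    "_ws.expert.severity",  /* 6. uint node */
    "_ws.expert.group",     /* 7. uint node */
};
#define N_ERROR_NODES (sizeof bounds_error_nodes / sizeof bounds_error_nodes[0])

/* Hypothetical stand-in for the tree's item counter and its current limit. */
typedef struct { unsigned count, limit; } model_tree;

static int model_tree_add(model_tree *t)
{
    if (t->count >= t->limit)
        return -1; /* "would put more than N items in the tree" */
    t->count++;
    return 0;
}

/* Dissect against (limit - reserve), then run the error path against the
 * full limit. Returns NULL if every error node fits, otherwise the name of
 * the first node that is rejected inside the handler. */
const char *first_rejected_node(unsigned wanted_items, unsigned reserve)
{
    if (reserve > MAX_TREE_ITEMS)
        reserve = MAX_TREE_ITEMS;
    model_tree t = { 0, MAX_TREE_ITEMS - reserve };
    while (wanted_items-- > 0 && model_tree_add(&t) == 0)
        ; /* dissector fills the tree until the input or the limit stops it */
    t.limit = MAX_TREE_ITEMS; /* handler is allowed to spend the reserve */
    for (size_t i = 0; i < N_ERROR_NODES; i++)
        if (model_tree_add(&t) != 0)
            return bounds_error_nodes[i];
    return NULL;
}

int main(void)
{
    for (unsigned reserve = 5; reserve <= 7; reserve++) { /* constructed values */
        const char *n = first_rejected_node(1000, reserve);
        printf("reserve=%u -> %s\n", reserve, n ? n : "handler completed");
    }
    return 0;
}
```

With a reserve of 5 the model rejects the sixth node, `_ws.expert.severity`, which is the field named in the message from comment #5; a reserve of 7 or more lets the handler finish.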

2019-05-02 Thread bugzilla-daemon

--- Comment #7 from Gerrit Code Review  ---
Change 33060 had a related patch set uploaded by Dario Lombardo:
frame: increase EXCEPTION_TREE_ITEMS by 2.

https://code.wireshark.org/review/33060

2019-03-07 Thread bugzilla-daemon

--- Comment #6 from Dario Lombardo  ---
Actually it seems not to be the right crash point. Following step-by-step the
execution of the frame dissector, it looks to me the crash is happening at
packet-frame.c:593.

2019-03-07 Thread bugzilla-daemon

Dario Lombardo  changed:

   What|Removed |Added

 CC||lom...@gmail.com

--- Comment #5 from Dario Lombardo  ---
I've reproduced it locally, and I give the exact error message in the bug
report:

  Unhandled exception ("Adding _ws.expert.severity would put more than 100 
  items in the tree -- possible infinite loop", group=1, code=6)

To reproduce it I used docker, but if I run the "reproduce" command I don't get
anything. Instead, by launching gdb as described here
https://github.com/google/oss-fuzz/blob/master/docs/debugging.md#debugging-fuzzers-with-gdb
I get the error message.

I've added breaks for the following functions in gdb:

break except_rethrow
break except_throw
break except_throwd
break except_vthrowf
break except_throwf

and I get this backtrace

#0  except_throw (group=1, code=3, msg=0x0) at /src/wireshark/epan/except.c:279
#1  0x006fb1f3 in tvb_ensure_bytes_exist (tvb=,
offset=, length=) at
/src/wireshark/epan/tvbuff.c:637
#2  0x006a2304 in proto_tree_add_item_new (tree=0x604000157450,
hfinfo=0xa5a53e8 , tvb=0x61d00010c480,
start=501073, length=, 
encoding=0) at /src/wireshark/epan/proto.c:3370
#3  0x006c6b2a in proto_tree_add_bitmask_with_flags
(parent_tree=0x604000157450, tvb=0x61d00010c480, offset=501073,
hf_hdr=, ett=31007, 
fields=0xa5afae0 , encoding=,
flags=) at /src/wireshark/epan/proto.c:11324
#4  0x006c6a19 in proto_tree_add_bitmask (parent_tree=0x1, tvb=0x3,
offset=0, hf_hdr=-32, ett=0, fields=0x0, encoding=0) at
/src/wireshark/epan/proto.c:11269
#5  0x015858fc in dissect_ospf_v3_lsa (tvb=0x61d00010c480,
pinfo=0x61410058, offset=501072, tree=0x604000157450,
disassemble_body=1406032, address_family=6 '\006')
at /src/wireshark/epan/dissectors/packet-ospf.c:3678
#6  0x01583391 in dissect_ospf_ls_upd (tvb=0x61d00010c480,
pinfo=0x61410058, offset=20, tree=, version=3 '\003',
length=, 
address_family=) at
/src/wireshark/epan/dissectors/packet-ospf.c:1841
#7  0x0158218e in dissect_ospf (tvb=,
pinfo=0x61410058, tree=0x61902000, data=) at
/src/wireshark/epan/dissectors/packet-ospf.c:1417
#8  0x00665527 in call_dissector_through_handle (handle=, tvb=0x61d00010c480, pinfo=, tree=0x61902000, data=0x0)
at /src/wireshark/epan/packet.c:706
#9  0x0065d6b9 in call_dissector_work (handle=0x604f6750,
tvb=0x61d00010c480, pinfo_arg=0x61410058, tree=0x61902000,
add_proto_name=1, data=0x0)
at /src/wireshark/epan/packet.c:791
#10 0x006641b2 in call_all_postdissectors (tvb=0x61d00010c480,
pinfo=0x61410058, tree=0x61902000) at /src/wireshark/epan/packet.c:3516
#11 0x00ea7dd3 in dissect_frame (tvb=, pinfo=, parent_tree=, data=) at
/src/wireshark/epan/dissectors/packet-frame.c:703
#12 0x00665527 in call_dissector_through_handle (handle=, tvb=0x61d00010c480, pinfo=, tree=0x61902000,
data=0x7fffdb20)
at /src/wireshark/epan/packet.c:706
#13 0x0065d6b9 in call_dissector_work (handle=0x60460490,
tvb=0x61d00010c480, pinfo_arg=0x61410058, tree=0x61902000,
add_proto_name=1, data=0x7fffdb20)
at /src/wireshark/epan/packet.c:791
#14 0x0065ac3a in call_dissector_with_data (handle=0x1,
tvb=0x61d00010c480, pinfo=0x61410058, tree=0x61902000, data=0x0) at
/src/wireshark/epan/packet.c:3154
#15 0x0065a42f in dissect_record (edt=0x61410040,
file_type_subtype=, rec=0x77f4d220, tvb=0x61d00010c480,
fd=, cinfo=)
at /src/wireshark/epan/packet.c:580
#16 0x0064e754 in epan_dissect_run (edt=0x61410040,
file_type_subtype=0, rec=0x77f4d220, tvb=0x61d00010c480, fd=0x77f4d370,
cinfo=0x0) at /src/wireshark/epan/epan.c:550
#17 0x0053815e in LLVMFuzzerTestOneInput (buf=,
real_len=501073) at /src/wireshark/fuzz/fuzzshark.c:343
#18 0x0258b167 in ExecuteCallback () at
/src/libfuzzer/FuzzerLoop.cpp:529
#19 0x0254b537 in RunOneTest () at /src/libfuzzer/FuzzerDriver.cpp:286
#20 0x02557064 in FuzzerDriver () at
/src/libfuzzer/FuzzerDriver.cpp:715
#21 0x0254abad in main () at /src/libfuzzer/FuzzerMain.cpp:19

That leads me to packet-frame.c:703.

2018-07-18 Thread bugzilla-daemon

--- Comment #4 from Peter Wu  ---
The oss-fuzz issue reports:
> Fuzzer: afl_wireshark_fuzzshark_ip_proto-ospf

which might be the explanation for why max_len has no effect. Should this bug
be investigated/fixed first before introducing a maximum length check in
fuzzshark?

2018-07-18 Thread bugzilla-daemon

Jakub Zawadzki  changed:

   What|Removed |Added

 CC||darkjames...@darkjames.pl

--- Comment #3 from Jakub Zawadzki  ---
(In reply to Peter Wu from comment #2)
> In order to reproduce this issue, I had to increase the maximum pcap size as
> the payload is 490 kiB:

It means that limitation to 1024 done by build script:

  44   echo -en "[libfuzzer]\nmax_len = 1024\n" > $OUT/${fuzzer_name}.options
(https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=tools/oss-fuzzshark/build.sh;h=c14851c5cbe0ba25fe0013e4d85227675aa85a1d;hb=HEAD#l44)

doesn't work.

1) kcc did comment on max_len during initial push of fuzzer code:
  https://github.com/google/oss-fuzz/pull/532#discussion_r111675176

2) looking on
https://github.com/google/oss-fuzz/blob/master/docs/new_project_guide.md#custom-libfuzzer-options-for-clusterfuzz

max_len is not recommended:
> (...) Use of max_len is not recommended as other fuzzing engines may not 
> support that option. (...)


I would suggest to add limitation to oss-fuzzshark, cause as I understand some
fuzzer can generate even 1MB of payload.


// this is just side note, cause there might be still some infinity loop in
ospf.

2018-07-15 Thread bugzilla-daemon

--- Comment #2 from Peter Wu  ---
In order to reproduce this issue, I had to increase the maximum pcap size as
the payload is 490 kiB:

--- a/wiretap/wtap.h
+++ b/wiretap/wtap.h
@@ -405,3 +405,3 @@ extern "C" {
  */
-#define WTAP_MAX_PACKET_SIZE_STANDARD262144
+#define WTAP_MAX_PACKET_SIZE_STANDARD(1024 * 1024)
 #define WTAP_MAX_PACKET_SIZE_DBUS(128*1024*1024)
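
Review bot: the `+` line raises WTAP_MAX_PACKET_SIZE_STANDARD from 262144 to (1024 * 1024), four times the old ceiling, in a header-level macro, so every consumer of the standard limit would accept larger records, not only this 490 kiB reproducer. If this is meant only for local reproduction, say so next to the define and keep it out of any submitted change; if it is meant to stay, the comment block that ends just above the define should explain why 1 MiB was chosen.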

To abort tshark after printing the message, set env var:
WIRESHARK_ABORT_ON_TOO_MANY_ITEMS=1

2018-07-15 Thread bugzilla-daemon

--- Comment #1 from Peter Wu  ---
Created attachment 16495
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16495&action=edit
Packet capture file
