[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
--- Comment #14 from Peter Wu ---
Fixed denial of service (assertion failure) in v3.1.0rc0-704-gf3a86c02dd v3.0.2rc0-43-g1f42a581cf v2.6.9rc0-16-gff4b8613ff

This was only reproducible with fuzzshark as that allows larger packet sizes (see comment 2). I don't think this is worth a CVE though.
--
You are receiving this mail because: You are watching all bug changes.
Sent via: Wireshark-bugs mailing list
Archives: https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
--- Comment #13 from Gerrit Code Review ---
Change 33123 merged by Peter Wu: frame: increase EXCEPTION_TREE_ITEMS. https://code.wireshark.org/review/33123
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
--- Comment #12 from Gerrit Code Review ---
Change 33123 had a related patch set uploaded by Peter Wu: frame: increase EXCEPTION_TREE_ITEMS. https://code.wireshark.org/review/33123
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
--- Comment #11 from Gerrit Code Review ---
Change 33122 merged by Peter Wu: frame: increase EXCEPTION_TREE_ITEMS. https://code.wireshark.org/review/33122
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
--- Comment #10 from Gerrit Code Review ---
Change 33122 had a related patch set uploaded by Peter Wu: frame: increase EXCEPTION_TREE_ITEMS. https://code.wireshark.org/review/33122
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
Dario Lombardo changed:

What          Removed      Added
Status        CONFIRMED    RESOLVED
Resolution    ---          FIXED
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
--- Comment #9 from Gerrit Code Review ---
Change 33060 merged by Dario Lombardo: frame: increase EXCEPTION_TREE_ITEMS. https://code.wireshark.org/review/33060
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
--- Comment #8 from Peter Wu ---
Created attachment 17106
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17106&action=edit
Backtraces for the exception and 7 proto items using v3.1.0rc0-662-gfd30adca44

I am still able to reproduce this issue with master v3.1.0rc0-662-gfd30adca44 and the reproducer from the oss-fuzz issue tracker:

HOME=/x FUZZSHARK_TABLE=ip.proto FUZZSHARK_TARGET=ospf fuzzshark clusterfuzz-testcase-minimized-fuzzshark_ip_proto-ospf-5128657784799232

Attached are the traces for watchpoints on changes to parent_tree.tree_data.count; this revealed 7 nodes that were added from the catch block in epan/expert.c:759

show_reported_bounds_error adds a proto node and calls expert_add_info:
1. _ws.malformed - protocol node via epan/show_exception.c:177

expert_create_tree adds two items:
2. _ws.malformed - expert tree via epan/expert.c:480
3. _ws.malformed - protocol filter because group==PI_MALFORMED via epan/expert.c:488

Because an explicit ei field was given: "add_expert_info(..., &ei_malformed)", two fields are added instead of one:
4. _ws.malformed.expert - none node via epan/expert.c:543
5. _ws.expert.message - string node via epan/expert.c:545

Two more fields are added for the severity and group:
6. _ws.expert.severity - uint node via epan/expert.c:549
7. _ws.expert.group - uint node via epan/expert.c:552

So this problem would never occur when an exception is triggered via DISSECTOR_ASSERT, but only for ReportedBoundsError exceptions (which occur when trying to use proto_tree_add_item with invalid bounds for a tvb).
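The failure mode in comment #8, reduced to a toy model as an added example; this is not Wireshark code and it does not use Wireshark's APIs. A tree keeps a hard item ceiling, normal dissection is held back by a reserve so that the error path still has room, and the error path itself adds a fixed number of items. If the reserve is smaller than what the error path needs (5 versus the 7 items counted above for the bounds-error path), the catch block trips the same guard it was meant to report, and that second error escapes unhandled. The ceiling of 100, the names prefixed toy_, and the assumed 3 items for the assertion path are all inventions for the example; the real constants live in Wireshark's frame dissector and proto code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy limits, not Wireshark's values. */
#define TOY_MAX_TREE_ITEMS      100  /* hard ceiling on items in one tree            */
#define TOY_BOUNDS_CATCH_ITEMS  7    /* items the bounds-error path adds (comment #8) */
#define TOY_ASSERT_CATCH_ITEMS  3    /* assumed, smaller count for the assertion path */

typedef enum {
    TOY_OK = 0,
    TOY_BOUNDS_ERROR,     /* a field was read past the end of the buffer        */
    TOY_DISSECTOR_ERROR,  /* assertion-style failure, including the item guard  */
} toy_status;

typedef struct {
    size_t count;     /* items added so far                              */
    size_t reserve;   /* headroom held back for the error path           */
    bool   in_catch;  /* true while the error path is adding its items   */
} toy_tree;

/* The counter guard. Normal dissection must stop `reserve` items short of
 * the ceiling; the catch block is allowed to use that headroom. */
static toy_status toy_add_item(toy_tree *t)
{
    size_t ceiling = t->in_catch ? TOY_MAX_TREE_ITEMS
                                 : TOY_MAX_TREE_ITEMS - t->reserve;
    if (t->count >= ceiling)
        return TOY_DISSECTOR_ERROR;  /* "would put more than N items in the tree" */
    t->count++;
    return TOY_OK;
}

/* A dissector that adds one item per payload byte and, when the payload is
 * truncated, then tries to read one more field past the end. */
static toy_status toy_dissect(toy_tree *t, size_t payload_len, bool truncated)
{
    for (size_t i = 0; i < payload_len; i++) {
        toy_status s = toy_add_item(t);
        if (s != TOY_OK)
            return s;
    }
    return truncated ? TOY_BOUNDS_ERROR : TOY_OK;
}

/* Frame-level wrapper: catch the dissector's error and record it in the tree.
 * Returns TOY_OK when the error was recorded, or TOY_DISSECTOR_ERROR when the
 * error path itself tripped the guard, i.e. the unhandled second exception. */
static toy_status toy_dissect_frame(size_t reserve, size_t payload_len,
                                    bool truncated, size_t *items_out)
{
    toy_tree t = { .count = 0, .reserve = reserve, .in_catch = false };
    toy_status s = toy_dissect(&t, payload_len, truncated);
    if (s != TOY_OK) {
        size_t need = (s == TOY_BOUNDS_ERROR) ? TOY_BOUNDS_CATCH_ITEMS
                                              : TOY_ASSERT_CATCH_ITEMS;
        t.in_catch = true;
        for (size_t i = 0; i < need; i++) {
            if (toy_add_item(&t) != TOY_OK) {
                if (items_out) *items_out = t.count;
                return TOY_DISSECTOR_ERROR;
            }
        }
    }
    if (items_out) *items_out = t.count;
    return TOY_OK;
}

int main(void)
{
    size_t n;
    /* Reserve of 5 is smaller than the 7 items the bounds-error path adds: a
     * payload that fills the normal ceiling and then overreads is fatal. */
    toy_status old_reserve = toy_dissect_frame(5, TOY_MAX_TREE_ITEMS - 5, true, &n);
    printf("reserve 5: %s after %zu items\n",
           old_reserve == TOY_OK ? "handled" : "unhandled", n);
    /* Reserve of 7 covers the whole error path. */
    toy_status new_reserve = toy_dissect_frame(7, TOY_MAX_TREE_ITEMS - 7, true, &n);
    printf("reserve 7: %s after %zu items\n",
           new_reserve == TOY_OK ? "handled" : "unhandled", n);
    return 0;
}
```

The assertion-path case with a long payload also goes through the catch block, but with the smaller item count it fits inside the old reserve, which is the toy's version of the observation that DISSECTOR_ASSERT never triggered this.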
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
--- Comment #7 from Gerrit Code Review ---
Change 33060 had a related patch set uploaded by Dario Lombardo: frame: increase EXCEPTION_TREE_ITEMS by 2. https://code.wireshark.org/review/33060
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
--- Comment #6 from Dario Lombardo ---
Actually it seems not to be the right crash point. Following step-by-step the execution of the frame dissector, it looks to me the crash is happening at packet-frame.c:593.
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
Dario Lombardo changed:

What    Removed    Added
CC                 lom...@gmail.com

--- Comment #5 from Dario Lombardo ---
I've reproduced it locally, and I give the exact error message in the bug report:

Unhandled exception ("Adding _ws.expert.severity would put more than 100 items in the tree -- possible infinite loop", group=1, code=6)

To reproduce it I used docker, but if I run the "reproduce" command I don't get anything. Instead, by launching gdb as described here https://github.com/google/oss-fuzz/blob/master/docs/debugging.md#debugging-fuzzers-with-gdb I get the error message.

I've added breaks for the following functions in gdb:

break except_rethrow
break except_throw
break except_throwd
break except_vthrowf
break except_throwf

and I get this backtrace

#0 except_throw (group=1, code=3, msg=0x0) at /src/wireshark/epan/except.c:279
#1 0x006fb1f3 in tvb_ensure_bytes_exist (tvb=, offset=, length=) at /src/wireshark/epan/tvbuff.c:637
#2 0x006a2304 in proto_tree_add_item_new (tree=0x604000157450, hfinfo=0xa5a53e8 , tvb=0x61d00010c480, start=501073, length=, encoding=0) at /src/wireshark/epan/proto.c:3370
#3 0x006c6b2a in proto_tree_add_bitmask_with_flags (parent_tree=0x604000157450, tvb=0x61d00010c480, offset=501073, hf_hdr=, ett=31007, fields=0xa5afae0 , encoding=, flags=) at /src/wireshark/epan/proto.c:11324
#4 0x006c6a19 in proto_tree_add_bitmask (parent_tree=0x1, tvb=0x3, offset=0, hf_hdr=-32, ett=0, fields=0x0, encoding=0) at /src/wireshark/epan/proto.c:11269
#5 0x015858fc in dissect_ospf_v3_lsa (tvb=0x61d00010c480, pinfo=0x61410058, offset=501072, tree=0x604000157450, disassemble_body=1406032, address_family=6 '\006') at /src/wireshark/epan/dissectors/packet-ospf.c:3678
#6 0x01583391 in dissect_ospf_ls_upd (tvb=0x61d00010c480, pinfo=0x61410058, offset=20, tree=, version=3 '\003', length=, address_family=) at /src/wireshark/epan/dissectors/packet-ospf.c:1841
#7 0x0158218e in dissect_ospf (tvb=, pinfo=0x61410058, tree=0x61902000, data=) at /src/wireshark/epan/dissectors/packet-ospf.c:1417
#8 0x00665527 in call_dissector_through_handle (handle=, tvb=0x61d00010c480, pinfo=, tree=0x61902000, data=0x0) at /src/wireshark/epan/packet.c:706
#9 0x0065d6b9 in call_dissector_work (handle=0x604f6750, tvb=0x61d00010c480, pinfo_arg=0x61410058, tree=0x61902000, add_proto_name=1, data=0x0) at /src/wireshark/epan/packet.c:791
#10 0x006641b2 in call_all_postdissectors (tvb=0x61d00010c480, pinfo=0x61410058, tree=0x61902000) at /src/wireshark/epan/packet.c:3516
#11 0x00ea7dd3 in dissect_frame (tvb=, pinfo=, parent_tree=, data=) at /src/wireshark/epan/dissectors/packet-frame.c:703
#12 0x00665527 in call_dissector_through_handle (handle=, tvb=0x61d00010c480, pinfo=, tree=0x61902000, data=0x7fffdb20) at /src/wireshark/epan/packet.c:706
#13 0x0065d6b9 in call_dissector_work (handle=0x60460490, tvb=0x61d00010c480, pinfo_arg=0x61410058, tree=0x61902000, add_proto_name=1, data=0x7fffdb20) at /src/wireshark/epan/packet.c:791
#14 0x0065ac3a in call_dissector_with_data (handle=0x1, tvb=0x61d00010c480, pinfo=0x61410058, tree=0x61902000, data=0x0) at /src/wireshark/epan/packet.c:3154
#15 0x0065a42f in dissect_record (edt=0x61410040, file_type_subtype=, rec=0x77f4d220, tvb=0x61d00010c480, fd=, cinfo=) at /src/wireshark/epan/packet.c:580
#16 0x0064e754 in epan_dissect_run (edt=0x61410040, file_type_subtype=0, rec=0x77f4d220, tvb=0x61d00010c480, fd=0x77f4d370, cinfo=0x0) at /src/wireshark/epan/epan.c:550
#17 0x0053815e in LLVMFuzzerTestOneInput (buf=, real_len=501073) at /src/wireshark/fuzz/fuzzshark.c:343
#18 0x0258b167 in ExecuteCallback () at /src/libfuzzer/FuzzerLoop.cpp:529
#19 0x0254b537 in RunOneTest () at /src/libfuzzer/FuzzerDriver.cpp:286
#20 0x02557064 in FuzzerDriver () at /src/libfuzzer/FuzzerDriver.cpp:715
#21 0x0254abad in main () at /src/libfuzzer/FuzzerMain.cpp:19

That leads me to packet-frame.c:703.
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
--- Comment #4 from Peter Wu ---
The oss-fuzz issue reports:
> Fuzzer: afl_wireshark_fuzzshark_ip_proto-ospf

which might be the explanation for why max_len has no effect. Should this bug be investigated/fixed first before introducing a maximum length check in fuzzshark?
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
Jakub Zawadzki changed:

What    Removed    Added
CC                 darkjames...@darkjames.pl

--- Comment #3 from Jakub Zawadzki ---
(In reply to Peter Wu from comment #2)
> In order to reproduce this issue, I had to increase the maximum pcap size as
> the payload is 490 kiB:

It means that limitation to 1024 done by build script:

44 echo -en "[libfuzzer]\nmax_len = 1024\n" > $OUT/${fuzzer_name}.options

(https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=tools/oss-fuzzshark/build.sh;h=c14851c5cbe0ba25fe0013e4d85227675aa85a1d;hb=HEAD#l44)

doesn't work.

1) kcc did comment on max_len during initial push of fuzzer code: https://github.com/google/oss-fuzz/pull/532#discussion_r111675176

2) looking on https://github.com/google/oss-fuzz/blob/master/docs/new_project_guide.md#custom-libfuzzer-options-for-clusterfuzz max_len is not recommended:
> (...) Use of max_len is not recommended as other fuzzing engines may not
> support that option. (...)

I would suggest to add limitation to oss-fuzzshark, cause as I understand some fuzzer can generate even 1MB of payload.

// this is just side note, cause there might be still some infinite loop in ospf.
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
--- Comment #2 from Peter Wu ---
In order to reproduce this issue, I had to increase the maximum pcap size as the payload is 490 kiB:

--- a/wiretap/wtap.h +++ b/wiretap/wtap.h @@ -405,3 +405,3 @@ extern "C" { */ -#define WTAP_MAX_PACKET_SIZE_STANDARD262144 +#define WTAP_MAX_PACKET_SIZE_STANDARD(1024 * 1024) #define WTAP_MAX_PACKET_SIZE_DBUS(128*1024*1024)

To abort tshark after printing the message, set env var: WIRESHARK_ABORT_ON_TOO_MANY_ITEMS=1
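Review bot: as rendered here the `#define` lines have no whitespace between the macro name and its value (`+#define WTAP_MAX_PACKET_SIZE_STANDARD(1024 * 1024)`), which a C preprocessor would reject as a malformed function-like macro; the spacing was presumably lost in the mail, but check that before applying the hunk. Also note that this hunk is a reproduction aid, not a fix: raising WTAP_MAX_PACKET_SIZE_STANDARD from 262144 to 1024 * 1024 relaxes the per-packet size check for every capture reader in wiretap, so it should stay out of the tree, and the environment variable WIRESHARK_ABORT_ON_TOO_MANY_ITEMS=1 mentioned below the hunk is what turns the reproduced message into an abort for debugging.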
[Wireshark-bugs] [Bug 14978] [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978
--- Comment #1 from Peter Wu ---
Created attachment 16495
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16495&action=edit
Packet capture file