https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14698
Bug ID: 14698
Summary: ASAN: global-buffer-overflow epan/dissectors/packet-umts_fp.c:3566
Product: Wireshark
Version: Git
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-ad...@wireshark.org
Reporter: nardi.i...@gmail.com
Target Milestone: ---
Created attachment 16341
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16341&action=edit
Pcap to reproduce the error
Build Information:
TShark (Wireshark) 2.9.0 (v2.9.0rc0-195-g6709f34e)
Copyright 1998-2018 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.48.2, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2.4, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.7.1, with LZ4, with Snappy, with libxml2 2.9.3.
Running on Linux 4.4.0-124-generic, with Intel(R) Core(TM) i7-4810MQ CPU @
2.80GHz (with SSE4.2), with 15952 MB of physical memory, with locale
LC_CTYPE=en_US.UTF-8, LC_NUMERIC=it_IT.UTF-8, LC_TIME=it_IT.UTF-8,
LC_COLLATE=en_US.UTF-8, LC_MONETARY=it_IT.UTF-8, LC_MESSAGES=en_US.UTF-8,
LC_PAPER=it_IT.UTF-8, LC_NAME=it_IT.UTF-8, LC_ADDRESS=it_IT.UTF-8,
LC_TELEPHONE=it_IT.UTF-8, LC_MEASUREMENT=it_IT.UTF-8,
LC_IDENTIFICATION=it_IT.UTF-8, with libpcap version 1.7.4, with GnuTLS 3.4.10,
with Gcrypt 1.6.5, with zlib 1.2.8, binary plugins supported (13 loaded).
Built using gcc 7.3.0.
--
Attached is the sample that triggers this error which can be reproduced with an
ASAN build of Wireshark:
tshark -r umts_fp_asan.pcap
==11035==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7fd89f12cb50 at pc 0x7fd895bed7a2 bp 0x7ffdd084c590 sp 0x7ffdd084c580
READ of size 1 at 0x7fd89f12cb50 thread T0
#0 0x7fd895bed7a1 in dissect_hsdsch_type_2_channel_info
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-umts_fp.c:3566
#1 0x7fd895bfa7e1 in dissect_fp_common
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-umts_fp.c:5764
#2 0x7fd895bfa985 in dissect_fp
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-umts_fp.c:5809
#3 0x7fd894724b9d in call_dissector_through_handle
/home/ivan/svnrepos/wireshark/epan/packet.c:692
#4 0x7fd894725103 in call_dissector_work
/home/ivan/svnrepos/wireshark/epan/packet.c:777
#5 0x7fd89472d0bb in call_dissector_only
/home/ivan/svnrepos/wireshark/epan/packet.c:3090
#6 0x7fd8946f4645 in try_conversation_call_dissector_helper
/home/ivan/svnrepos/wireshark/epan/conversation.c:1245
#7 0x7fd8946f4831 in try_conversation_dissector
/home/ivan/svnrepos/wireshark/epan/conversation.c:1275
#8 0x7fd895bc7734 in decode_udp_ports
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-udp.c:622
#9 0x7fd895bcc1b5 in dissect
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-udp.c:1127
#10 0x7fd895bcc28c in dissect_udp
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-udp.c:1133
#11 0x7fd894724b9d in call_dissector_through_handle
/home/ivan/svnrepos/wireshark/epan/packet.c:692
#12 0x7fd894725103 in call_dissector_work
/home/ivan/svnrepos/wireshark/epan/packet.c:777
#13 0x7fd89472745d in dissector_try_uint_new
/home/ivan/svnrepos/wireshark/epan/packet.c:1359
#14 0x7fd89518f436 in ip_try_dissect
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-ip.c:1831
#15 0x7fd895192da2 in dissect_ip_v4
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-ip.c:2287
#16 0x7fd894724b9d in call_dissector_through_handle
/home/ivan/svnrepos/wireshark/epan/packet.c:692
#17 0x7fd894725103 in call_dissector_work
/home/ivan/svnrepos/wireshark/epan/packet.c:777
#18 0x7fd89472745d in dissector_try_uint_new
/home/ivan/svnrepos/wireshark/epan/packet.c:1359
#19 0x7fd8947274f4 in dissector_try_uint
/home/ivan/svnrepos/wireshark/epan/packet.c:1383
#20 0x7fd894e97862 in dissect_ethertype
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-ethertype.c:260
#21 0x7fd894724b9d in call_dissector_through_handle
/home/ivan/svnrepos/wireshark/epan/packet.c:692
#22 0x7fd894725103 in call_dissector_work
/home/ivan/svnrepos/wireshark/epan/packet.c:777
#23 0x7fd89472d0bb in call_dissector_only
/home/ivan/svnrepos/wireshark/epan/packet.c:3090
#24 0x7fd89472d0fe in call_dissector_with_data
/home/ivan/svnrepos/wireshark/epan/packet.c:3103
#25 0x7fd895c5de06 in dissect_vlan
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-vlan.c:350
#26 0x7fd894724b9d in call_dissector_through_handle
/home/ivan/svnrepos/wireshark/epan/packet.c:692
#27 0x7fd894725103 in call_dissector_work
/home/ivan/svnrepos/wireshark/epan/packet.c:777
#28 0x7fd89472745d in dissector_try_uint_new
/home/ivan/svnrepos/wireshark/epan/packet.c:1359
#29 0x7fd8947274f4 in dissector_try_uint
/home/ivan/svnrepos/wireshark/epan/packet.c:1383
#30 0x7fd894e97862 in dissect_ethertype
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-ethertype.c:260
#31 0x7fd894724b9d in call_dissector_through_handle
/home/ivan/svnrepos/wireshark/epan/packet.c:692
#32 0x7fd894725103 in call_dissector_work
/home/ivan/svnrepos/wireshark/epan/packet.c:777
#33 0x7fd89472d0bb in call_dissector_only
/home/ivan/svnrepos/wireshark/epan/packet.c:3090
#34 0x7fd89472d0fe in call_dissector_with_data
/home/ivan/svnrepos/wireshark/epan/packet.c:3103
#35 0x7fd894e953e3 in dissect_eth_common
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-eth.c:526
#36 0x7fd894e965e8 in dissect_eth
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-eth.c:802
#37 0x7fd894724b9d in call_dissector_through_handle
/home/ivan/svnrepos/wireshark/epan/packet.c:692
#38 0x7fd894725103 in call_dissector_work
/home/ivan/svnrepos/wireshark/epan/packet.c:777
#39 0x7fd89472745d in dissector_try_uint_new
/home/ivan/svnrepos/wireshark/epan/packet.c:1359
#40 0x7fd894f18894 in dissect_frame
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-frame.c:579
#41 0x7fd894724b9d in call_dissector_through_handle
/home/ivan/svnrepos/wireshark/epan/packet.c:692
#42 0x7fd894725103 in call_dissector_work
/home/ivan/svnrepos/wireshark/epan/packet.c:777
#43 0x7fd89472d0bb in call_dissector_only
/home/ivan/svnrepos/wireshark/epan/packet.c:3090
#44 0x7fd89472d0fe in call_dissector_with_data
/home/ivan/svnrepos/wireshark/epan/packet.c:3103
#45 0x7fd89472344d in dissect_record
/home/ivan/svnrepos/wireshark/epan/packet.c:566
#46 0x7fd8947036f4 in epan_dissect_run_with_taps
/home/ivan/svnrepos/wireshark/epan/epan.c:542
#47 0x5606ba6a3e43 in process_packet_single_pass
/home/ivan/svnrepos/wireshark/tshark.c:3541
#48 0x5606ba6a2f17 in process_cap_file
/home/ivan/svnrepos/wireshark/tshark.c:3367
#49 0x5606ba69e0b3 in main /home/ivan/svnrepos/wireshark/tshark.c:2051
#50 0x7fd88cd7d82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#51 0x5606ba690f88 in _start
(/home/ivan/svnrepos/wireshark-build/run/tshark+0x2ff88)
0x7fd89f12cb50 is located 0 bytes to the right of global variable
'lchId_type_table' defined in './asn1/nbap/packet-nbap-template.c:701:8'
(0x7fd89f12cb40) of size 16
0x7fd89f12cb50 is located 48 bytes to the left of global variable
'lchId_rlc_map' defined in './asn1/nbap/packet-nbap-template.c:721:8'
(0x7fd89f12cb80) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/ivan/svnrepos/wireshark/epan/dissectors/packet-umts_fp.c:3566 in
dissect_hsdsch_type_2_channel_info
Shadow bytes around the buggy address:
==11035==ABORTING
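Reading the report's "is located" line, as an added example (not part of the original bug report and not Wireshark code): the C program below parses that line and computes the faulting offset into the global, showing that the 1-byte read lands at offset 16 of a 16-byte table, exactly one past the last valid index, which a bounds check on the index rejects. The struct and function names are assumptions made for this illustration; the report line is copied from the ASan output above with the e-mail line wrapping re-joined.

```c
#include <stdio.h>
#include <string.h>

/* Fields of one "is located" line of an ASan global-buffer-overflow report. */
struct located {
    unsigned long long fault, base, size, gap;
    char side[8];   /* "left" or "right" of the global */
    char name[64];  /* name of the global variable */
};

/* Parse one "is located" line; returns 0 on success, -1 on any mismatch. */
static int parse_located(const char *line, struct located *l)
{
    int n = sscanf(line,
        "0x%llx is located %llu bytes to the %7s of global variable "
        "'%63[^']' defined in '%*[^']' (0x%llx) of size %llu",
        &l->fault, &l->gap, l->side, l->name, &l->base, &l->size);
    return n == 6 ? 0 : -1;
}

/* Signed byte offset of the faulting access from the start of the global.
 * Valid offsets are 0 .. size-1; offset == size is one past the end. */
static long long fault_offset(const struct located *l)
{
    return (long long)l->fault - (long long)l->base;
}

/* Bounds test a table read needs when the index is derived from packet data. */
static int index_in_bounds(long long idx, unsigned long long size)
{
    return idx >= 0 && (unsigned long long)idx < size;
}

/* Copied from the report above (wrapped lines re-joined). */
static const char REPORT_LINE[] =
    "0x7fd89f12cb50 is located 0 bytes to the right of global variable "
    "'lchId_type_table' defined in './asn1/nbap/packet-nbap-template.c:701:8' "
    "(0x7fd89f12cb40) of size 16";

int main(void)
{
    struct located l;
    if (parse_located(REPORT_LINE, &l) != 0)
        return 1;
    long long off = fault_offset(&l);
    printf("%s: offset %lld, size %llu, %s (%s side)\n", l.name, off, l.size,
           index_in_bounds(off, l.size) ? "in bounds" : "out of bounds",
           strcmp(l.side, "right") == 0 ? "right" : "left");
    return 0;
}
```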