https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15450
Bug ID: 15450
Summary: Buildbot crash output: fuzz-2019-01-25-8773.pcap
Product: Wireshark
Version: unspecified
Hardware: x86-64
OS: Ubuntu
Status: CONFIRMED
Severity: Major
Priority: High
Component: Dissection engine (libwireshark)
Assignee: bugzilla-ad...@wireshark.org
Reporter: buildbot-do-not-re...@wireshark.org
Target Milestone: ---
Problems have been found with the following capture file:
https://www.wireshark.org/download/automated/captures/fuzz-2019-01-25-8773.pcap
stderr:
Input file:
/home/wireshark/menagerie/menagerie/10095-captura_smb2_1302201115_pdf_and_txt.pcapng
Build host information:
Linux wsbb04 4.15.0-43-generic #46-Ubuntu SMP Thu Dec 6 14:45:28 UTC 2018
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionic
Buildbot information:
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_BUILDNUMBER=4994
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_URL=http://buildbot.wireshark.org/wireshark-master/
BUILDBOT_REPOSITORY=ssh://wireshark-build...@code.wireshark.org:29418/wireshark
BUILDBOT_GOT_REVISION=d09d33262b4c8f3287b00374e885162900c3b730
Return value: 0
Dissector bug: 0
Valgrind error count: 1
Git commit
commit d09d33262b4c8f3287b00374e885162900c3b730
Author: Aurelien Aptel <aap...@suse.com>
Date: Thu Jan 24 21:30:02 2019 +0100
test/suite_decryption.py: add smb2 decryption tests
add 3 tests and 2 sample captures to check smb2 decryption with:
- bad key (should fail gracefuly)
- smb3.0 AES-128-CCM
- smb3.1.1 AES-128-CCM
Change-Id: I099f5f00f83fd39ac6de9ce9ce374624297aef61
Reviewed-on: https://code.wireshark.org/review/31728
Petri-Dish: Peter Wu <pe...@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <pe...@lekensteyn.nl>
Command and args: ./tools/valgrind-wireshark.sh -b
/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.plain/bin
==23384== Memcheck, a memory error detector
==23384== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==23384== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==23384== Command:
/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.plain/bin/tshark
-nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2019-01-25-8773.pcap
==23384==
==23384== Conditional jump or move depends on uninitialised value(s)
==23384== at 0xC98D106: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.2.1)
==23384== by 0xC9855E4: ??? (in /lib/x86_64-linux-gnu/libgcrypt.so.20.2.1)
==23384== by 0x76AC6B4: update_preauth_hash (packet-smb2.c:834)
==23384== by 0x76A85BF: dissect_smb2_session_setup_request
(packet-smb2.c:3163)
==23384== by 0x76A6F7A: dissect_smb2_command (packet-smb2.c:9189)
==23384== by 0x76A62FE: dissect_smb2 (packet-smb2.c:9543)
==23384== by 0x76A2F19: dissect_smb2_heur (packet-smb2.c:9598)
==23384== by 0x816608F: dissector_try_heuristic (packet.c:2750)
==23384== by 0x7332DB4: dissect_netbios_payload (packet-nbt.c:1066)
==23384== by 0x7333336: dissect_nbss_packet (packet-nbt.c:1374)
==23384== by 0x7330D75: dissect_nbss (packet-nbt.c:1674)
==23384== by 0x8167DC7: call_dissector_through_handle (packet.c:706)
==23384==
==23384== Conditional jump or move depends on uninitialised value(s)
==23384== at 0x4C366F2: memmove (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23384== by 0x76AC722: update_preauth_hash (packet-smb2.c:837)
==23384== by 0x76A85BF: dissect_smb2_session_setup_request
(packet-smb2.c:3163)
==23384== by 0x76A6F7A: dissect_smb2_command (packet-smb2.c:9189)
==23384== by 0x76A62FE: dissect_smb2 (packet-smb2.c:9543)
==23384== by 0x76A2F19: dissect_smb2_heur (packet-smb2.c:9598)
==23384== by 0x816608F: dissector_try_heuristic (packet.c:2750)
==23384== by 0x7332DB4: dissect_netbios_payload (packet-nbt.c:1066)
==23384== by 0x7333336: dissect_nbss_packet (packet-nbt.c:1374)
==23384== by 0x7330D75: dissect_nbss (packet-nbt.c:1674)
==23384== by 0x8167DC7: call_dissector_through_handle (packet.c:706)
==23384== by 0x8163A99: call_dissector_work (packet.c:791)
==23384==
==23384== Conditional jump or move depends on uninitialised value(s)
==23384== at 0x4C36702: memmove (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23384== by 0x76AC722: update_preauth_hash (packet-smb2.c:837)
==23384== by 0x76A85BF: dissect_smb2_session_setup_request
(packet-smb2.c:3163)
==23384== by 0x76A6F7A: dissect_smb2_command (packet-smb2.c:9189)
==23384== by 0x76A62FE: dissect_smb2 (packet-smb2.c:9543)
==23384== by 0x76A2F19: dissect_smb2_heur (packet-smb2.c:9598)
==23384== by 0x816608F: dissector_try_heuristic (packet.c:2750)
==23384== by 0x7332DB4: dissect_netbios_payload (packet-nbt.c:1066)
==23384== by 0x7333336: dissect_nbss_packet (packet-nbt.c:1374)
==23384== by 0x7330D75: dissect_nbss (packet-nbt.c:1674)
==23384== by 0x8167DC7: call_dissector_through_handle (packet.c:706)
==23384== by 0x8163A99: call_dissector_work (packet.c:791)
==23384==
==23384== Use of uninitialised value of size 8
==23384== at 0x4C367E3: memmove (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23384== by 0x76AC722: update_preauth_hash (packet-smb2.c:837)
==23384== by 0x76A85BF: dissect_smb2_session_setup_request
(packet-smb2.c:3163)
==23384== by 0x76A6F7A: dissect_smb2_command (packet-smb2.c:9189)
==23384== by 0x76A62FE: dissect_smb2 (packet-smb2.c:9543)
==23384== by 0x76A2F19: dissect_smb2_heur (packet-smb2.c:9598)
==23384== by 0x816608F: dissector_try_heuristic (packet.c:2750)
==23384== by 0x7332DB4: dissect_netbios_payload (packet-nbt.c:1066)
==23384== by 0x7333336: dissect_nbss_packet (packet-nbt.c:1374)
==23384== by 0x7330D75: dissect_nbss (packet-nbt.c:1674)
==23384== by 0x8167DC7: call_dissector_through_handle (packet.c:706)
==23384== by 0x8163A99: call_dissector_work (packet.c:791)
==23384==
==23384== Invalid write of size 8
==23384== at 0x4C367E3: memmove (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23384== by 0x76AC722: update_preauth_hash (packet-smb2.c:837)
==23384== by 0x76A85BF: dissect_smb2_session_setup_request
(packet-smb2.c:3163)
==23384== by 0x76A6F7A: dissect_smb2_command (packet-smb2.c:9189)
==23384== by 0x76A62FE: dissect_smb2 (packet-smb2.c:9543)
==23384== by 0x76A2F19: dissect_smb2_heur (packet-smb2.c:9598)
==23384== by 0x816608F: dissector_try_heuristic (packet.c:2750)
==23384== by 0x7332DB4: dissect_netbios_payload (packet-nbt.c:1066)
==23384== by 0x7333336: dissect_nbss_packet (packet-nbt.c:1374)
==23384== by 0x7330D75: dissect_nbss (packet-nbt.c:1674)
==23384== by 0x8167DC7: call_dissector_through_handle (packet.c:706)
==23384== by 0x8163A99: call_dissector_work (packet.c:791)
==23384== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==23384==
==23384==
==23384== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==23384== Access not within mapped region at address 0x0
==23384== at 0x4C367E3: memmove (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23384== by 0x76AC722: update_preauth_hash (packet-smb2.c:837)
==23384== by 0x76A85BF: dissect_smb2_session_setup_request
(packet-smb2.c:3163)
==23384== by 0x76A6F7A: dissect_smb2_command (packet-smb2.c:9189)
==23384== by 0x76A62FE: dissect_smb2 (packet-smb2.c:9543)
==23384== by 0x76A2F19: dissect_smb2_heur (packet-smb2.c:9598)
==23384== by 0x816608F: dissector_try_heuristic (packet.c:2750)
==23384== by 0x7332DB4: dissect_netbios_payload (packet-nbt.c:1066)
==23384== by 0x7333336: dissect_nbss_packet (packet-nbt.c:1374)
==23384== by 0x7330D75: dissect_nbss (packet-nbt.c:1674)
==23384== by 0x8167DC7: call_dissector_through_handle (packet.c:706)
==23384== by 0x8163A99: call_dissector_work (packet.c:791)
==23384== If you believe this happened as a result of a stack
==23384== overflow in your program's main thread (unlikely but
==23384== possible), you can try to increase the size of the
==23384== main thread stack using the --main-stacksize= flag.
==23384== The main thread stack size used in this run was 2084864.
==23384==
==23384== HEAP SUMMARY:
==23384== in use at exit: 26,816,304 bytes in 282,650 blocks
==23384== total heap usage: 381,997 allocs, 99,347 frees, 42,473,838 bytes
allocated
==23384==
==23384== LEAK SUMMARY:
==23384== definitely lost: 0 bytes in 0 blocks
==23384== indirectly lost: 0 bytes in 0 blocks
==23384== possibly lost: 912 bytes in 3 blocks
==23384== still reachable: 26,809,905 bytes in 282,562 blocks
==23384== suppressed: 5,487 bytes in 85 blocks
==23384== Rerun with --leak-check=full to see details of leaked memory
==23384==
==23384== For counts of detected and suppressed errors, rerun with: -v
==23384== Use --track-origins=yes to see where uninitialised values come from
==23384== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)
[ no debug trace ]
--
You are receiving this mail because:
You are watching all bug changes.___________________________________________________________________________
Sent via: Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe
