https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16241

            Bug ID: 16241
           Summary: [oss-fuzz] #19070: wireshark:fuzzshark_ip_proto-udp:
                    Heap-buffer-overflow in bytestring_to_str
           Product: Wireshark
           Version: Git
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: lom...@gmail.com
  Target Milestone: ---

Created attachment 17494
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17494&action=edit
The testcase

Build Information:
TShark (Wireshark) 3.3.0 (v3.3.0rc0-48-gbb7014731cfa)

Copyright 1998-2019 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.56.4, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with
Lua 5.2.4, with GnuTLS 3.5.18 and PKCS #11 support, with Gcrypt 1.8.1, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.30.0, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.4.

Running on Linux 4.15.0-70-generic, with Intel(R) Core(TM) i7-4800MQ CPU @
2.70GHz (with SSE4.2), with 15946 MB of physical memory, with locale
LC_CTYPE=en_US.UTF-8, LC_NUMERIC=it_IT.UTF-8, LC_TIME=it_IT.UTF-8,
LC_COLLATE=en_US.UTF-8, LC_MONETARY=it_IT.UTF-8, LC_MESSAGES=en_US.UTF-8,
LC_PAPER=it_IT.UTF-8, LC_NAME=it_IT.UTF-8, LC_ADDRESS=it_IT.UTF-8,
LC_TELEPHONE=it_IT.UTF-8, LC_MEASUREMENT=it_IT.UTF-8,
LC_IDENTIFICATION=it_IT.UTF-8, with libpcap version 1.8.1, with GnuTLS 3.5.18,
with Gcrypt 1.8.1, with brotli 1.0.4, with zlib 1.2.11, binary plugins
supported (0 loaded).

Built using clang 4.2.1 Compatible Clang 6.0.0 (tags/RELEASE_600/final).

--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19070

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark:
fuzzshark_ip_proto-udp
clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5728342863249408

    #0 0x701d5e in bytes_to_hexstr_punct /src/wireshark/epan/to_str.c:168:26
    #1 0x701d5e in bytestring_to_str /src/wireshark/epan/to_str.c:206:12
    #2 0x10f3ae4 in dissect_1722_acf_lin /src/wireshark/epan/dissectors/packet-ieee1722.c:2835:44
    #3 0x63bd90 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
    #4 0x63bd90 in call_dissector_work /src/wireshark/epan/packet.c:799:9
    #5 0x63c364 in dissector_try_uint_new /src/wireshark/epan/packet.c:1399:8
    #6 0x63c364 in dissector_try_uint /src/wireshark/epan/packet.c:1423:9
    #7 0x10f314e in dissect_1722_acf /src/wireshark/epan/dissectors/packet-ieee1722.c:2356:10
    #8 0x63bd90 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
    #9 0x63bd90 in call_dissector_work /src/wireshark/epan/packet.c:799:9
    #10 0x6386fb in call_dissector_only /src/wireshark/epan/packet.c:3183:8
    #11 0x6386fb in call_dissector_with_data /src/wireshark/epan/packet.c:3196:8
    #12 0x10f22a8 in dissect_1722_ntscf /src/wireshark/epan/dissectors/packet-ieee1722.c:2043:13
    #13 0x63bd90 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
    #14 0x63bd90 in call_dissector_work /src/wireshark/epan/packet.c:799:9
    #15 0x63c364 in dissector_try_uint_new /src/wireshark/epan/packet.c:1399:8
    #16 0x63c364 in dissector_try_uint /src/wireshark/epan/packet.c:1423:9
    #17 0x10ef942 in dissect_1722 /src/wireshark/epan/dissectors/packet-ieee1722.c:878:22
    #18 0x63bd90 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
    #19 0x63bd90 in call_dissector_work /src/wireshark/epan/packet.c:799:9
    #20 0x63c364 in dissector_try_uint_new /src/wireshark/epan/packet.c:1399:8
    #21 0x63c364 in dissector_try_uint /src/wireshark/epan/packet.c:1423:9
    #22 0x1af7d10 in decode_udp_ports /src/wireshark/epan/dissectors/packet-udp.c:690:7
    #23 0x1afd361 in dissect /src/wireshark/epan/dissectors/packet-udp.c:1222:5
    #24 0x1af9eb1 in dissect_udp /src/wireshark/epan/dissectors/packet-udp.c:1228:3
    #25 0x63bd90 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
    #26 0x63bd90 in call_dissector_work /src/wireshark/epan/packet.c:799:9
    #27 0x644e71 in call_dissector_only /src/wireshark/epan/packet.c:3183:8
    #28 0x644e71 in call_all_postdissectors /src/wireshark/epan/packet.c:3558:3
    #29 0xf18b62 in dissect_frame /src/wireshark/epan/dissectors/packet-frame.c:737:5
    #30 0x63bd90 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
    #31 0x63bd90 in call_dissector_work /src/wireshark/epan/packet.c:799:9
    #32 0x6386fb in call_dissector_only /src/wireshark/epan/packet.c:3183:8
    #33 0x6386fb in call_dissector_with_data /src/wireshark/epan/packet.c:3196:8
    #34 0x637ecb in dissect_record /src/wireshark/epan/packet.c:580:3
    #35 0x62bb67 in epan_dissect_run /src/wireshark/epan/epan.c:584:2
    #36 0x4ccc7e in LLVMFuzzerTestOneInput /src/wireshark/fuzz/fuzzshark.c:381:2
    #37 0x27737ae in ExecuteFilesOnyByOne /src/libfuzzer/afl/afl_driver.cpp:216:5
    #38 0x27737ae in main /src/libfuzzer/afl/afl_driver.cpp:253:12
    #39 0x7f83db4ee82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
    #40 0x4204a8 in _start
