https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16375

            Bug ID: 16375
           Summary: [oss-fuzz] Direct-leak in g_malloc
                    (dissect_dhcpopt_sip_servers)
           Product: Wireshark
           Version: Git
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: ger...@wireshark.org
  Target Milestone: ---

Created attachment 17616
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17616&action=edit
Reproducer testcase

Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark -v", or "tshark -v".
--
OSS-Fuzz found an issue in the DHCP dissector:

[Environment]
ASAN_OPTIONS="alloc_dealloc_mismatch=0:allocator_may_return_null=1:allocator_release_to_os_interval_ms=500:allow_user_segv_handler=0:check_malloc_usable_size=0:detect_leaks=1:detect_odr_violation=0:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_abort=1:handle_segv=1:handle_sigbus=1:handle_sigfpe=1:handle_sigill=1:max_uar_stack_size_log=16:print_scariness=1:print_summary=1:print_suppressions=0:quarantine_size_mb=64:redzone=16:strict_memcmp=1:strip_path_prefix=/workspace/:symbolize=0:use_sigaltstack=1"
        +----------------------------------------Release Build Stacktrace----------------------------------------+
        oss-fuzzshark: disabling: ip
        oss-fuzzshark: disabling: udp
        oss-fuzzshark: disabling: udplite
        oss-fuzzshark: disabling: ospf
        oss-fuzzshark: disabling: bgp
        oss-fuzzshark: disabling: json
        oss-fuzzshark: disabling: snort
        oss-fuzzshark: configured for dissector: dhcp in table: udp.port
        INFO: Seed: 2269737193
        INFO: Loaded 1 modules   (352024 inline 8-bit counters): 352024 [0xde25fb0, 0xde7bec8),
        INFO: Loaded 1 PC tables (352024 PCs): 352024 [0xde7bec8,0xe3db048),
        INFO: -fork=1: fuzzing in separate process(s)
        INFO: -fork=1: 3316 seed inputs, starting to fuzz in /tmp/libFuzzerTemp.1.dir
        #13: cov: 1756 ft: 10898 corp: 3316 exec/s 0 oom/timeout/crash: 0/0/0 time: 7s job: 1 dft_time: 0
        INFO: log from the inner process:
        oss-fuzzshark: disabling: ip
        oss-fuzzshark: disabling: udp
        oss-fuzzshark: disabling: udplite
        oss-fuzzshark: disabling: ospf
        oss-fuzzshark: disabling: bgp
        oss-fuzzshark: disabling: json
        oss-fuzzshark: disabling: snort
        oss-fuzzshark: configured for dissector: dhcp in table: udp.port
        INFO: Seed: 2277012495
        INFO: Loaded 1 modules   (352024 inline 8-bit counters): 352024 [0xde25fb0, 0xde7bec8),
        INFO: Loaded 1 PC tables (352024 PCs): 352024 [0xde7bec8,0xe3db048),
        INFO:        0 files found in /tmp/libFuzzerTemp.1.dir/C1
        INFO: seed corpus: files: 57 min: 243b max: 972b total: 22780b rss: 273Mb

        =================================================================
        ==19==ERROR: LeakSanitizer: detected memory leaks

        Direct leak of 80 byte(s) in 1 object(s) allocated from:
            #0 0x523ecd in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
            #1 0x2815b48 in g_malloc
            #2 0x2737559 in tvb_new_composite /src/wireshark/epan/tvbuff_composite.c:198:18
            #3 0xe38f2b in dissect_dhcpopt_sip_servers /src/wireshark/epan/dissectors/packet-dhcp.c:2849:38
            #4 0x6d3a22 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
            #5 0x6d3a22 in call_dissector_work /src/wireshark/epan/packet.c:799:9
            #6 0x6d34b9 in dissector_try_uint_new /src/wireshark/epan/packet.c:1399:8
            #7 0xe424c2 in dhcp_option /src/wireshark/epan/dissectors/packet-dhcp.c:2060:7
            #8 0xe34282 in dissect_dhcpopt_option_overload /src/wireshark/epan/dissectors/packet-dhcp.c:2173:18
            #9 0x6d3a22 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
            #10 0x6d3a22 in call_dissector_work /src/wireshark/epan/packet.c:799:9
            #11 0x6d34b9 in dissector_try_uint_new /src/wireshark/epan/packet.c:1399:8
            #12 0xe424c2 in dhcp_option /src/wireshark/epan/dissectors/packet-dhcp.c:2060:7
            #13 0xe32718 in dissect_dhcp /src/wireshark/epan/dissectors/packet-dhcp.c:7037:18
            #14 0x6d3a22 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
            #15 0x6d3a22 in call_dissector_work /src/wireshark/epan/packet.c:799:9
            #16 0x6dc961 in call_dissector_only /src/wireshark/epan/packet.c:3208:8
            #17 0x6dc961 in call_all_postdissectors /src/wireshark/epan/packet.c:3583:3
            #18 0xffcf9c in dissect_frame /src/wireshark/epan/dissectors/packet-frame.c:737:5
            #19 0x6d3a22 in call_dissector_through_handle /src/wireshark/epan/packet.c:706:9
            #20 0x6d3a22 in call_dissector_work /src/wireshark/epan/packet.c:799:9
            #21 0x6d038b in call_dissector_only /src/wireshark/epan/packet.c:3208:8
            #22 0x6d038b in call_dissector_with_data /src/wireshark/epan/packet.c:3221:8
            #23 0x6cfb2f in dissect_record /src/wireshark/epan/packet.c:580:3
            #24 0x6c33f3 in epan_dissect_run /src/wireshark/epan/epan.c:584:2
            #25 0x557b4d in LLVMFuzzerTestOneInput /src/wireshark/fuzz/fuzzshark.c:381:2
            #26 0x45c331 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
            #27 0x45ba55 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
            #28 0x45e487 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:765:7
            #29 0x45e7f9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:792:3
            #30 0x44cc08 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:824:6
            #31 0x476a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
            #32 0x7fde94f5682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291

        ================================================================================
        The following leaks are not necessarily related to the first leak.


        Indirect leak of 16 byte(s) in 1 object(s) allocated from:
            #0 0x523ecd in __interceptor_malloc
/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
            #1 0x2815b48 in g_malloc

        SUMMARY: AddressSanitizer: 96 byte(s) leaked in 2 allocation(s).

        INFO: a leak has been found in the initial corpus.

        INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.

        MS: 0 ; base unit: 0000000000000000000000000000000000000000
        artifact_prefix='/fuzzer-testcases/'; Test unit written to /fuzzer-testcases/leak-615c401ad2f1af241e557fbd4f01370ed9a19989
        stat::number_of_executed_units: 13
        stat::average_exec_per_sec:     0
        stat::new_units_added:          0
        stat::slowest_unit_time_sec:    0
        stat::peak_rss_mb:              304
        INFO: exiting: 77 time: 7s


        +----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+

-- 
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs