https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16487
Bug ID: 16487
Summary: tshark live capture finishes with an out-of-bounds read
Product: Wireshark
Version: 3.2.3
Hardware: All
OS: All
Status: CONFIRMED
Severity: Major
Priority: Medium
Component: TShark
Assignee: bugzilla-ad...@wireshark.org
Reporter: pe...@lekensteyn.nl
Target Milestone: ---
Build Information:
TShark (Wireshark) 3.3.0 (v3.3.0rc0-972-g43c4e886256a)
Copyright 1998-2020 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.62.2, with zlib 1.2.11, without SMI, with c-ares 1.15.0, with Lua
5.2.4, with GnuTLS 3.6.12 and PKCS #11 support, with Gcrypt 1.8.5, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.10.
Running on Linux 5.5.6-arch1-1, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 64143 MB of physical memory, with locale en_US.UTF-8, with
libpcap version 1.9.1 (with TPACKET_V3), with GnuTLS 3.6.12, with Gcrypt 1.8.5,
with brotli 1.0.7, with zlib 1.2.11, binary plugins supported (0 loaded).
Built using clang Clang 9.0.1 .
--
On exiting tshark after a live capture, it crashes due to an out-of-bounds
read.
Steps to reproduce:
1. cmake -GNinja -DENABLE_ASAN=1
2. ninja tshark dumpcap randpktdump
3. tshark -i randpkt -c1
(This is a minimum non-interactive reproducer that does not require capture
permissions. It can also be reproduced with a real interface.)
Expected result:
Capture stops with no issues.
Actual result:
valgrind reports two invalid reads, ASAN blows up (see trace at the end).
More information:
This issue was introduced in commit v3.2.3rc0-57-g84cf682883 (fixing Bug 16457)
which has unfortunately been backported and released today. Apart from git
master, it affects 3.0.10 and 3.2.3 only. I initially triggered it on macOS and
could reproduce this regression on Linux.
ASAN trace:
$ tshark -i randpkt -c1
Capturing on 'Random packet generator: randpkt'
1 0.000000 → 0x7ad4 IEEE 802.15.4 3595 Reserved, Dst: 0x7ad4[Malformed Packet: length of contained item exceeds length of containing item][Malformed Packet]
1 packet captured
=================================================================
==140142==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000550 at pc 0x7efc27003dc5 bp 0x7ffeed6852c0 sp 0x7ffeed6852b8
READ of size 8 at 0x604000000550 thread T0
#0 0x7efc27003dc4 in wtap_block_free_option wiretap/wtap_opttypes.c:200:16
#1 0x7efc26ffa024 in wtap_block_free_options wiretap/wtap_opttypes.c:224:9
#2 0x7efc26ff9c60 in wtap_block_free wiretap/wtap_opttypes.c:236:9
#3 0x7efc26ffa251 in wtap_block_array_free wiretap/wtap_opttypes.c:250:9
#4 0x7efc26ff3c37 in wtap_close wiretap/wtap.c:1254:2
#5 0x56238f9b7fc2 in cf_close tshark.c:4248:5
#6 0x56238f9adb35 in main tshark.c:2284:3
#7 0x7efc265f7022 in __libc_start_main (/usr/lib/libc.so.6+0x27022)
#8 0x56238f88602d in _start (run/tshark+0x13d02d)
0x604000000550 is located 0 bytes inside of 40-byte region [0x604000000550,0x604000000578)
freed by thread T0 here:
#0 0x56238f927229 in free (run/tshark+0x1de229)
#1 0x7efc268720cd in array_free /usr/src/debug/build/../glib/glib/garray.c:386:7
#2 0x7efc27008c7e in wtap_opttypes_cleanup wiretap/wtap_opttypes.c:1275:17
#3 0x7efc26ff8b9d in wtap_cleanup wiretap/wtap.c:1624:2
#4 0x56238f9adb24 in main tshark.c:2282:3
#5 0x7efc265f7022 in __libc_start_main (/usr/lib/libc.so.6+0x27022)
#6 0x56238f88602d in _start (run/tshark+0x13d02d)
previously allocated by thread T0 here:
#0 0x56238f927559 in malloc (run/tshark+0x1de559)
#1 0x7efc26843929 in g_malloc /usr/src/debug/build/../glib/glib/gmem.c:99:13
#2 0x7efc268248f3 in g_slice_alloc /usr/src/debug/build/../glib/glib/gslice.c:1024:11
#3 0x7efc268788d4 in g_array_sized_new /usr/src/debug/build/../glib/glib/garray.c:194:11
#4 0x7efc270080ee in wtap_opttype_block_register wiretap/wtap_opttypes.c:100:26
#5 0x7efc27004f2a in wtap_opttypes_initialize wiretap/wtap_opttypes.c:1224:5
#6 0x7efc26ff8994 in wtap_init wiretap/wtap.c:1607:2
#7 0x56238f9a38da in main tshark.c:916:3
#8 0x7efc265f7022 in __libc_start_main (/usr/lib/libc.so.6+0x27022)
#9 0x56238f88602d in _start (run/tshark+0x13d02d)
SUMMARY: AddressSanitizer: heap-use-after-free wiretap/wtap_opttypes.c:200:16 in wtap_block_free_option
Shadow bytes around the buggy address:
0x0c087fff8050: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c087fff8060: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
0x0c087fff8070: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c087fff8080: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
0x0c087fff8090: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
=>0x0c087fff80a0: fa fa fd fd fd fd fd fa fa fa[fd]fd fd fd fd fa
0x0c087fff80b0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c087fff80c0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c087fff80d0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
0x0c087fff80e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c087fff80f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==140142==ABORTING
--
Sent via: Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-bugs
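The frames in the trace give the order of the problem: main calls wtap_cleanup() (tshark.c:2282), which frees the option-type GArrays that wtap_opttypes_initialize() built, and only afterwards cf_close() (tshark.c:2284), whose wtap_block_free_option() still reads those arrays to decide how each option is released. The C program below is an added example, not Wireshark's code: a small model of that teardown-order use-after-free with hypothetical names (registry_init, registry_cleanup, block_new, block_free) and constructed option values. The registry pointer is cleared on cleanup so the wrong order reports an error instead of reading freed memory; the second shutdown function shows the order that avoids the problem.

```c
/*
 * Added example, not Wireshark's code. A global table of block types
 * (standing in for the GArrays built by wtap_opttypes_initialize and freed
 * by wtap_opttypes_cleanup) records the kind of each option; freeing a block
 * (standing in for wtap_block_free / wtap_block_free_option) consults that
 * table to know which option values are heap strings. Running the library
 * cleanup before closing the capture file is the ordering bug. All names
 * and values are hypothetical and constructed for this example.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { OPT_UINT, OPT_STRING } opt_kind_t;

/* One registered block type: the kind of each of its options. */
typedef struct {
    const char *name;
    opt_kind_t *kinds;      /* heap array, released by registry_cleanup() */
    size_t n_options;
} block_type_t;

/* Global registry, NULL once torn down. */
static block_type_t *g_registry = NULL;
static size_t g_registry_count = 0;

/* A block instance: option values whose kinds live only in the registry. */
typedef struct {
    size_t type_index;
    union { unsigned u; char *s; } *vals;
    size_t n_options;
} block_t;

/* Model of wtap_init -> wtap_opttypes_initialize (one constructed type). */
static int registry_init(void)
{
    static const opt_kind_t shb_kinds[] = { OPT_STRING, OPT_UINT, OPT_STRING };
    if (g_registry) return 0;
    g_registry = calloc(1, sizeof *g_registry);
    if (!g_registry) return -1;
    g_registry->name = "SHB";
    g_registry->n_options = sizeof shb_kinds / sizeof shb_kinds[0];
    g_registry->kinds = malloc(sizeof shb_kinds);
    if (!g_registry->kinds) return -1;
    memcpy(g_registry->kinds, shb_kinds, sizeof shb_kinds);
    g_registry_count = 1;
    return 0;
}

/* Model of wtap_cleanup -> wtap_opttypes_cleanup. Clearing the pointer is
 * what lets the wrong order be detected instead of dereferencing freed memory. */
static void registry_cleanup(void)
{
    for (size_t i = 0; i < g_registry_count; i++)
        free(g_registry[i].kinds);
    free(g_registry);
    g_registry = NULL;
    g_registry_count = 0;
}

/* Create a block of a registered type, filled with constructed values. */
static block_t *block_new(size_t type_index)
{
    if (!g_registry || type_index >= g_registry_count) return NULL;
    const block_type_t *t = &g_registry[type_index];
    block_t *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->type_index = type_index;
    b->n_options = t->n_options;
    b->vals = calloc(t->n_options, sizeof *b->vals);
    if (!b->vals) { free(b); return NULL; }
    for (size_t i = 0; i < t->n_options; i++) {
        if (t->kinds[i] == OPT_STRING) b->vals[i].s = strdup("constructed");
        else b->vals[i].u = 42;
    }
    return b;
}

/* Model of wtap_block_free -> wtap_block_free_option: the registry says which
 * values are strings to free. Returns -1 if the registry is already gone (the
 * real code read the freed GArray at this point and ASAN aborted). */
static int block_free(block_t *b)
{
    if (!b) return 0;
    int rc = 0;
    if (g_registry && b->type_index < g_registry_count) {
        const block_type_t *t = &g_registry[b->type_index];
        for (size_t i = 0; i < b->n_options; i++)
            if (t->kinds[i] == OPT_STRING) free(b->vals[i].s);
    } else {
        rc = -1;            /* kinds unknown: strings leak rather than crash */
    }
    free(b->vals);
    free(b);
    return rc;
}

/* The order in the trace: wtap_cleanup() (tshark.c:2282) before cf_close() (tshark.c:2284). */
int shutdown_cleanup_then_close(void)
{
    if (registry_init() != 0) return -2;
    block_t *b = block_new(0);
    registry_cleanup();
    return block_free(b);           /* -1: registry freed before the block */
}

/* The safe order: free blocks while their type table still exists. */
int shutdown_close_then_cleanup(void)
{
    if (registry_init() != 0) return -2;
    block_t *b = block_new(0);
    int rc = block_free(b);
    registry_cleanup();
    return rc;                      /* 0 */
}

int main(void)
{
    printf("cleanup then close: %d\n", shutdown_cleanup_then_close());
    printf("close then cleanup: %d\n", shutdown_close_then_cleanup());
    return 0;
}
```

The same shape applies to any library whose per-object destructor consults a global table: the library-wide cleanup must run after the last object is released, and a NULL check in the destructor turns a silent heap read into an observable error during tests.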