https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16564

            Bug ID: 16564
           Summary: Buildbot crash output: fuzz-2020-05-13-12195.pcap
           Product: Wireshark
           Version: unspecified
          Hardware: x86-64
                OS: Ubuntu
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: buildbot-do-not-re...@wireshark.org
  Target Milestone: ---

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2020-05-13-12195.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/2782-Re-Auth.pcap

Build host information:
Linux build6 4.15.0-99-generic #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.4 LTS
Release:        18.04
Codename:       bionic

Buildbot information:
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_BUILDNUMBER=5211
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_URL=http://buildbot.wireshark.org/wireshark-master/
BUILDBOT_REPOSITORY=ssh://wireshark-build...@code.wireshark.org:29418/wireshark
BUILDBOT_GOT_REVISION=fb28b60e3f739dc805d1b7cefa3d62f6a9b8478f

Return value:  0

Dissector bug:  0

Valgrind error count:  0



Git commit
commit fb28b60e3f739dc805d1b7cefa3d62f6a9b8478f
Author: Alexis La Goutte <alexis.lagou...@gmail.com>
Date:   Mon Mar 2 20:49:17 2020 +0100

    QUIC: Fix frame type (it is also a varint)

    Draft 13 changed it from a byte to a varint. Found during implementation
    of draft-huitema-quic-ts-02 which uses 0x02F5.

    Bug: 13881
    Change-Id: I63d9469b539cf92b694bca85c00e07bd146abb5e
    Reviewed-on: https://code.wireshark.org/review/36259
    Petri-Dish: Peter Wu <pe...@lekensteyn.nl>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Peter Wu <pe...@lekensteyn.nl>


Command and args:
/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark -nVxr

** (process:25605): WARNING **: 17:53:54.503: Dissector bug, protocol RADIUS, in packet 156: Null pointer passed to bytes_to_str()

** (process:25605): WARNING **: 17:53:54.546: Dissector bug, protocol RADIUS, in packet 201: Null pointer passed to bytes_to_str()
=================================================================
==25605==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000299810 at pc 0x7f2e694e1f53 bp 0x7ffd478b2b30 sp 0x7ffd478b2b28
READ of size 1 at 0x604000299810 thread T0
    #0 0x7f2e694e1f52 in print_hex_data_buffer /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/print.c:1976:13
    #1 0x7f2e694e19b1 in print_hex_data /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/print.c:1893:14
    #2 0x5653c7f84307 in print_packet /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:4213:10
    #3 0x5653c7f80712 in process_packet_single_pass /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3779:7
    #4 0x5653c7f8284e in process_cap_file_single_pass /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3418:9
    #5 0x5653c7f7c66c in process_cap_file /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3573:26
    #6 0x5653c7f77af4 in main /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:2045:16
    #7 0x7f2e5b782b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x5653c7e74af9 in _start (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x59af9)

0x604000299810 is located 0 bytes inside of 36-byte region [0x604000299810,0x604000299834)
freed by thread T0 here:
    #0 0x5653c7f20142 in __interceptor_free (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x105142)
    #1 0x7f2e67a7ce30 in vsa_buffer_destroy /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-radius.c:1373:2
    #2 0x7f2e5c1cb13f  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3a13f)

previously allocated by thread T0 here:
    #0 0x5653c7f208df in realloc (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x1058df)
    #1 0x7f2e5c1e2b6f in g_realloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51b6f)
    #2 0x7f2e67a79a15 in dissect_radius /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-radius.c:2275:3
    #3 0x7f2e694d2b44 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:706:9
    #4 0x7f2e694c7b99 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:799:9
    #5 0x7f2e694c74c3 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1399:8
    #6 0x7f2e694c7f6b in dissector_try_uint /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1423:9
    #7 0x7f2e680af90e in decode_udp_ports /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-udp.c:697:7
    #8 0x7f2e680b86ee in dissect /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-udp.c:1234:5
    #9 0x7f2e680b293d in dissect_udp /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-udp.c:1240:3
    #10 0x7f2e694d2b44 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:706:9
    #11 0x7f2e694c7b99 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:799:9
    #12 0x7f2e694c74c3 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1399:8
    #13 0x7f2e67245d12 in ip_try_dissect /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ip.c:1829:7
    #14 0x7f2e6724b2fe in dissect_ip_v4 /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ip.c:2288:10
    #15 0x7f2e694d2b44 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:706:9
    #16 0x7f2e694c7b99 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:799:9
    #17 0x7f2e694c74c3 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1399:8
    #18 0x7f2e694c7f6b in dissector_try_uint /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1423:9
    #19 0x7f2e66e12eb0 in dissect_ethertype /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ethertype.c:265:21
    #20 0x7f2e694d2b44 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:706:9
    #21 0x7f2e694c7b99 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:799:9
    #22 0x7f2e694cf3f0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3208:8
    #23 0x7f2e694c3c94 in call_dissector_with_data /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3221:8
    #24 0x7f2e6817b824 in dissect_vlan /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-vlan.c:360:5
    #25 0x7f2e694d2b44 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:706:9
    #26 0x7f2e694c7b99 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:799:9
    #27 0x7f2e694c74c3 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1399:8
    #28 0x7f2e694c7f6b in dissector_try_uint /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1423:9
    #29 0x7f2e66e12eb0 in dissect_ethertype /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ethertype.c:265:21

SUMMARY: AddressSanitizer: heap-use-after-free /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/print.c:1976:13 in print_hex_data_buffer
Shadow bytes around the buggy address:
  0x0c088004b2b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c088004b2c0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 06
  0x0c088004b2d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c088004b2e0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c088004b2f0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
=>0x0c088004b300: fa fa[fd]fd fd fd fd fa fa fa 00 00 00 00 06 fa
  0x0c088004b310: fa fa 00 00 00 00 00 03 fa fa fd fd fd fd fd fa
  0x0c088004b320: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c088004b330: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c088004b340: fa fa fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c088004b350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==25605==ABORTING

[ no debug trace ]

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs