https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14978

            Bug ID: 14978
           Summary: [oss-fuzz] ERROR: Adding ospf.v3.prefix.options.nu
                    would put more than 1000000 items in the tree --
                    possible infinite loop
           Product: Wireshark
           Version: Git
          Hardware: x86-64
               URL: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9367
                OS: Linux
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: pe...@lekensteyn.nl
  Target Milestone: ---

Build Information:
TShark (Wireshark) 2.9.0 (v2.9.0rc0-1226-g599ee9f0)

Copyright 1998-2018 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.56.0, with zlib 1.2.11, without SMI, with c-ares 1.14.0, with Lua
5.2.4, with GnuTLS 3.5.18, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.32.0, with LZ4, with Snappy, with libxml2 2.9.8.

Running on Linux 4.17.2-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31988 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.18, with Gcrypt 1.8.3, with zlib 1.2.11, binary
plugins supported (13 loaded).

Built using clang 4.2.1 Compatible Clang 6.0.0 (tags/RELEASE_600/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9367

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark:
tshark -Vxr clusterfuzz-testcase-minimized-fuzzshark_ip_proto-ospf-5128657784799232.pcap
--
** (process:12748): ERROR **: 21:45:15.099: Adding ospf.v3.prefix.options.nu would put more than 1000000 items in the tree -- possible infinite loop
AddressSanitizer:DEADLYSIGNAL
=================================================================
==12748==ERROR: AddressSanitizer: ABRT on unknown address 0x03e8000031cc (pc 0x7f986d79c86b bp 0x7fff391129f0 sp 0x7fff39112790 T0)
    #0 0x7f986d79c86a in __GI_raise (/usr/lib/libc.so.6+0x3686a)
    #1 0x7f986d78740d in __GI_abort (/usr/lib/libc.so.6+0x2140d)
    #2 0x7f9887f83694 in abort_handler (libtrapabort.so+0x694)
    #3 0x7f986df53a7f  (/usr/lib/libpthread.so.0+0x11a7f)
    #4 0x7f986e1b1ed1 in _g_log_abort /build/src/glib/glib/gmessages.c:580
    #5 0x7f986e1b2f7c in g_log_default_handler /build/src/glib/glib/gmessages.c:3158
    #6 0x5614552f8708 in tshark_log_handler tshark.c:522:3
    #7 0x7f986e1b321e in g_logv /build/src/glib/glib/gmessages.c:1370
    #8 0x7f986e1b339f in g_log /build/src/glib/glib/gmessages.c:1432
    #9 0x7f987c9c5cb1 in proto_tree_add_boolean64 epan/proto.c:4455:2
    #10 0x7f987c99bf83 in proto_item_add_bitmask_tree epan/proto.c:10790:4
    #11 0x7f987c99a6b7 in proto_tree_add_bitmask_with_flags epan/proto.c:11127:3
    #12 0x7f987c999138 in proto_tree_add_bitmask epan/proto.c:11070:9
    #13 0x7f987a3f74f8 in dissect_ospf_v3_lsa epan/dissectors/packet-ospf.c:3516:13
    #14 0x7f987a3f3249 in dissect_ospf_ls_upd epan/dissectors/packet-ospf.c:1819:22
    #15 0x7f987a3f23b3 in dissect_ospf epan/dissectors/packet-ospf.c:1395:9
    #16 0x7f987c8641bb in call_dissector_through_handle epan/packet.c:692:9
    #17 0x7f987c84e797 in call_dissector_work epan/packet.c:777:9
    #18 0x7f987c84d7f5 in dissector_try_uint_new epan/packet.c:1359:8
    #19 0x7f98794cf275 in dissect_exported_pdu epan/dissectors/packet-exported_pdu.c:370:17
    #20 0x7f987c8641bb in call_dissector_through_handle epan/packet.c:692:9
    #21 0x7f987c84e797 in call_dissector_work epan/packet.c:777:9
    #22 0x7f987c84d7f5 in dissector_try_uint_new epan/packet.c:1359:8
    #23 0x7f98795f59dd in dissect_frame epan/dissectors/packet-frame.c:579:11
    #24 0x7f987c8641bb in call_dissector_through_handle epan/packet.c:692:9
    #25 0x7f987c84e797 in call_dissector_work epan/packet.c:777:9
    #26 0x7f987c85d1a7 in call_dissector_only epan/packet.c:3090:8
    #27 0x7f987c846261 in call_dissector_with_data epan/packet.c:3103:8
    #28 0x7f987c845599 in dissect_record epan/packet.c:566:3
    #29 0x7f987c7f4068 in epan_dissect_run_with_taps epan/epan.c:551:2
    #30 0x561455305690 in process_packet_single_pass tshark.c:3547:5
    #31 0x5614552feb8b in process_cap_file tshark.c:3378:11
    #32 0x5614552f64b0 in main tshark.c:2050:17
    #33 0x7f986d78906a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
    #34 0x5614551d8059 in _start (run/tshark+0xe5059)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/usr/lib/libc.so.6+0x3686a) in __GI_raise
==12748==ABORTING
