Wireshark-bugs: [Wireshark-bugs] [Bug 8505] openSAFETY: New reassemble functionality, as well as
Date: Thu, 28 Mar 2013 15:27:55 +0000

Comment # 19 on bug 8505 from
Created attachment 10496 [details]
Fuzzed capture exposing bugs

Fuzz-testing under valgrind revealed the following errors with the attached
fuzzed capture:

==21351== Invalid read of size 1
==21351==    at 0x685470A: opensafety_package_dissector (packet-opensafety.c:753)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)
==21351==    by 0x63927A6: dissector_try_uint (packet.c:992)
==21351==    by 0x65EAC3E: ethertype (packet-ethertype.c:280)
==21351==    by 0x65E96D8: dissect_eth_common (packet-eth.c:404)
==21351==    by 0x63916D7: call_dissector_through_handle (packet.c:458)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==  Address 0x12bf10a6 is 0 bytes after a block of size 70 alloc'd
==21351==    at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21351==    by 0x92C8CF0: g_malloc (gmem.c:159)
==21351==    by 0x6385305: emem_alloc_glib (emem.c:830)
==21351==    by 0x63856CD: emem_alloc (emem.c:860)
==21351==    by 0x63C2947: ep_tvb_memdup (tvbuff.c:1171)
==21351==    by 0x685468E: opensafety_package_dissector (packet-opensafety.c:1716)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)


==21351== Invalid read of size 1
==21351==    at 0x6854739: opensafety_package_dissector (packet-opensafety.c:773)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)
==21351==    by 0x63927A6: dissector_try_uint (packet.c:992)
==21351==    by 0x65EAC3E: ethertype (packet-ethertype.c:280)
==21351==    by 0x65E96D8: dissect_eth_common (packet-eth.c:404)
==21351==    by 0x63916D7: call_dissector_through_handle (packet.c:458)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==  Address 0x12bf10a8 is 2 bytes after a block of size 70 alloc'd
==21351==    at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21351==    by 0x92C8CF0: g_malloc (gmem.c:159)
==21351==    by 0x6385305: emem_alloc_glib (emem.c:830)
==21351==    by 0x63856CD: emem_alloc (emem.c:860)
==21351==    by 0x63C2947: ep_tvb_memdup (tvbuff.c:1171)
==21351==    by 0x685468E: opensafety_package_dissector (packet-opensafety.c:1716)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)


==21351== Invalid read of size 1
==21351==    at 0x9074A58: crc8_0x2F (crc8.c:85)
==21351==    by 0x685478C: opensafety_package_dissector (packet-opensafety.c:781)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)
==21351==    by 0x63927A6: dissector_try_uint (packet.c:992)
==21351==    by 0x65EAC3E: ethertype (packet-ethertype.c:280)
==21351==    by 0x65E96D8: dissect_eth_common (packet-eth.c:404)
==21351==    by 0x63916D7: call_dissector_through_handle (packet.c:458)
==21351==  Address 0x12379d77 is 0 bytes after a block of size 87 alloc'd
==21351==    at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21351==    by 0x92C8CF0: g_malloc (gmem.c:159)
==21351==    by 0x6385305: emem_alloc_glib (emem.c:830)
==21351==    by 0x63856CD: emem_alloc (emem.c:860)
==21351==    by 0x63C2947: ep_tvb_memdup (tvbuff.c:1171)
==21351==    by 0x685468E: opensafety_package_dissector (packet-opensafety.c:1716)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)


==21351== Invalid read of size 1
==21351==    at 0x9074A68: crc8_0x2F (crc8.c:84)
==21351==    by 0x685478C: opensafety_package_dissector (packet-opensafety.c:781)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)
==21351==    by 0x63927A6: dissector_try_uint (packet.c:992)
==21351==    by 0x65EAC3E: ethertype (packet-ethertype.c:280)
==21351==    by 0x65E96D8: dissect_eth_common (packet-eth.c:404)
==21351==    by 0x63916D7: call_dissector_through_handle (packet.c:458)
==21351==  Address 0x1238b0a7 is 0 bytes after a block of size 87 alloc'd
==21351==    at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21351==    by 0x92C8CF0: g_malloc (gmem.c:159)
==21351==    by 0x6385305: emem_alloc_glib (emem.c:830)
==21351==    by 0x63856CD: emem_alloc (emem.c:860)
==21351==    by 0x63C2947: ep_tvb_memdup (tvbuff.c:1171)
==21351==    by 0x685468E: opensafety_package_dissector (packet-opensafety.c:1716)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)


==21351== Conditional jump or move depends on uninitialised value(s)
==21351==    at 0x63AFD19: fragment_add_seq_common (reassemble.c:1646)
==21351==    by 0x63AFF55: fragment_add_seq_check_work (reassemble.c:1789)
==21351==    by 0x63B05F7: fragment_add_seq_802_11 (reassemble.c:1845)
==21351==    by 0x66F75F5: dissect_ieee80211_common (packet-ieee80211.c:13419)
==21351==    by 0x66FB053: dissect_ieee80211 (packet-ieee80211.c:13582)
==21351==    by 0x63916D7: call_dissector_through_handle (packet.c:458)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x6393C80: call_dissector_with_data (packet.c:2073)
==21351==    by 0x67854E6: dissect_lwapp (packet-lwapp.c:456)
==21351==    by 0x63916D7: call_dissector_through_handle (packet.c:458)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)


==21351== Invalid read of size 1
==21351==    at 0x6854743: opensafety_package_dissector (packet-opensafety.c:775)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)
==21351==    by 0x63927A6: dissector_try_uint (packet.c:992)
==21351==    by 0x65EAC3E: ethertype (packet-ethertype.c:280)
==21351==    by 0x65E96D8: dissect_eth_common (packet-eth.c:404)
==21351==    by 0x63916D7: call_dissector_through_handle (packet.c:458)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==  Address 0x123e5169 is 3 bytes after a block of size 70 alloc'd
==21351==    at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21351==    by 0x92C8CF0: g_malloc (gmem.c:159)
==21351==    by 0x6385305: emem_alloc_glib (emem.c:830)
==21351==    by 0x63856CD: emem_alloc (emem.c:860)
==21351==    by 0x63C2947: ep_tvb_memdup (tvbuff.c:1171)
==21351==    by 0x685468E: opensafety_package_dissector (packet-opensafety.c:1716)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)


==21351== Invalid read of size 1
==21351==    at 0x9074C38: crc16_0x5935 (crc16.c:204)
==21351==    by 0x6854947: opensafety_package_dissector (packet-opensafety.c:778)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)
==21351==    by 0x63927A6: dissector_try_uint (packet.c:992)
==21351==    by 0x65EAC3E: ethertype (packet-ethertype.c:280)
==21351==    by 0x65E96D8: dissect_eth_common (packet-eth.c:404)
==21351==    by 0x63916D7: call_dissector_through_handle (packet.c:458)
==21351==  Address 0x123e5166 is 0 bytes after a block of size 70 alloc'd
==21351==    at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21351==    by 0x92C8CF0: g_malloc (gmem.c:159)
==21351==    by 0x6385305: emem_alloc_glib (emem.c:830)
==21351==    by 0x63856CD: emem_alloc (emem.c:860)
==21351==    by 0x63C2947: ep_tvb_memdup (tvbuff.c:1171)
==21351==    by 0x685468E: opensafety_package_dissector (packet-opensafety.c:1716)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)


==21351== Invalid read of size 1
==21351==    at 0x68547BB: opensafety_package_dissector (packet-opensafety.c:802)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)
==21351==    by 0x63927A6: dissector_try_uint (packet.c:992)
==21351==    by 0x65EAC3E: ethertype (packet-ethertype.c:280)
==21351==    by 0x65E96D8: dissect_eth_common (packet-eth.c:404)
==21351==    by 0x63916D7: call_dissector_through_handle (packet.c:458)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==  Address 0xfbc5b1d is 6 bytes after a block of size 87 alloc'd
==21351==    at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21351==    by 0x92C8CF0: g_malloc (gmem.c:159)
==21351==    by 0x6385305: emem_alloc_glib (emem.c:830)
==21351==    by 0x63856CD: emem_alloc (emem.c:860)
==21351==    by 0x63C2947: ep_tvb_memdup (tvbuff.c:1171)
==21351==    by 0x685468E: opensafety_package_dissector (packet-opensafety.c:1716)
==21351==    by 0x68568B5: dissect_opensafety_epl (packet-opensafety.c:1933)
==21351==    by 0x639353F: dissector_try_heuristic (packet.c:1804)
==21351==    by 0x65E0F57: dissect_epl (packet-epl.c:699)
==21351==    by 0x639171E: call_dissector_through_handle (packet.c:454)
==21351==    by 0x6391EFC: call_dissector_work (packet.c:549)
==21351==    by 0x639274F: dissector_try_uint_new (packet.c:966)

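The pattern the traces above keep pointing at, as an added example that is neither part of this bug report nor Wireshark's own code: every "N bytes after a block of size 70/87" read starts from a length taken out of the frame itself, and the CRC is then computed over that many bytes of the block ep_tvb_memdup() returned. The fix is to check that range against the block size before the first byte past the header is touched. The subframe layout and the CRC-8 implementation below are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CRC-8, polynomial 0x2F, MSB first, init 0. The polynomial is the one the
 * valgrind trace names (crc8_0x2F); this implementation is an assumption. */
static uint8_t crc8_0x2f(const uint8_t *buf, size_t len)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x2F : crc << 1);
    }
    return crc;
}

/* Hypothetical subframe layout (an assumption for this example):
 *   [0] ADDR  [1] ID  [2] LEN  [3] CT  [4..4+LEN-1] data  [4+LEN] CRC-8
 * blk/blklen is the copy ep_tvb_memdup() handed back: blklen bytes, no more.
 * Returns 1 = CRC ok, 0 = CRC mismatch, -1 = frame does not fit in the block.
 * LEN comes from untrusted input, so it is checked against blklen before
 * any byte beyond the 4-byte header is read; skipping that check is what
 * produces the out-of-bounds reads in the trace. */
static int check_subframe(const uint8_t *blk, size_t blklen, size_t off)
{
    if (off > blklen || blklen - off < 4)          /* header must fit */
        return -1;
    size_t len = blk[off + 2];                     /* LEN from the frame */
    if (blklen - off - 4 < len + 1)                /* data + CRC must fit */
        return -1;
    uint8_t crc = crc8_0x2f(blk + off, 4 + len);
    return crc == blk[off + 4 + len] ? 1 : 0;
}

/* Constructed sample frame: 3 data bytes, CRC filled in by the same routine. */
static size_t build_sample(uint8_t *out)
{
    const uint8_t hdr_data[] = { 0x01, 0x2C, 0x03, 0x05, 0xAA, 0xBB, 0xCC };
    memcpy(out, hdr_data, sizeof hdr_data);
    out[sizeof hdr_data] = crc8_0x2f(out, sizeof hdr_data);
    return sizeof hdr_data + 1;                    /* 8 bytes in total */
}

/* Four cases: intact frame, flipped data bit, block shorter than the frame,
 * and a fuzzed LEN byte that would point far past the end of the block. */
int demo_valid(void)      { uint8_t f[16]; size_t n = build_sample(f); return check_subframe(f, n, 0); }
int demo_corrupt(void)    { uint8_t f[16]; size_t n = build_sample(f); f[5] ^= 0x01; return check_subframe(f, n, 0); }
int demo_truncated(void)  { uint8_t f[16]; size_t n = build_sample(f); return check_subframe(f, n - 2, 0); }
int demo_fuzzed_len(void) { uint8_t f[16]; size_t n = build_sample(f); f[2] = 0xFF; return check_subframe(f, n, 0); }
```

The truncated and fuzzed-length cases return -1 without ever reading past blklen, which is the behaviour a fuzzed capture like the attached one should trigger instead of a valgrind report.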
