Wireshark-bugs: [Wireshark-bugs] [Bug 9579] New: Clang ASAN : global-buffer-overflow SNMP : diss
Date: Wed, 18 Dec 2013 17:23:37 +0000
Bug ID 9579
Summary Clang ASAN : global-buffer-overflow SNMP : dissect_ber_choice
Classification Unclassified
Product Wireshark
Version unspecified
Hardware All
OS Windows 8
Status UNCONFIRMED
Severity Normal
Priority Low
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter alexis.lagoutte@gmail.com

Build Information:

--
I fuzzing wireshark with ASAN (
http://clang.llvm.org/docs/AddressSanitizer.html) and it found the following
issue :


Input file: ../menagerie/asan/03-13_los_altos.pcap


==27162==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7f9a5a81f0f8 at pc 0x7f9a564466bb bp 0x7fff4674ea10 sp 0x7fff4674ea08
READ of size 8 at 0x7f9a5a81f0f8 thread T0
    #0 0x7f9a564466ba in dissect_ber_choice
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ber.c:3345
    #1 0x7f9a5746def1 in dissect_snmp_RegisterResponse
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/snmp/snmp.cnf:421
    #2 0x7f9a564461f4 in dissect_ber_choice
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ber.c:3432
    #3 0x7f9a5746dd43 in dissect_snmp_SMUX_PDUs
/home/alagoutte/wireshark-clang/epan/dissectors/../../asn1/snmp/snmp.cnf:475
    #4 0x7f9a562671a9 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:512
    #5 0x7f9a56266e03 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1030
    #6 0x7f9a56d4a736 in decode_tcp_ports
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:3916
    #7 0x7f9a56d4d6a1 in process_tcp_payload
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:3975
    #8 0x7f9a56d4b685 in desegment_tcp
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:1800
    #9 0x7f9a56d55186 in dissect_tcp
/home/alagoutte/wireshark-clang/epan/dissectors/packet-tcp.c:4826
    #10 0x7f9a562671a9 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:512
    #11 0x7f9a56266e03 in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1030
    #12 0x7f9a568699b7 in dissect_ip
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ip.c:2403
    #13 0x7f9a562671a9 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:512
    #14 0x7f9a5626745b in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1030
    #15 0x7f9a566b532c in dissect_ethertype
/home/alagoutte/wireshark-clang/epan/dissectors/packet-ethertype.c:305
    #16 0x7f9a5626717d in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:508
    #17 0x7f9a5626a48c in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2139
    #18 0x7f9a566b3d82 in dissect_eth_common
/home/alagoutte/wireshark-clang/epan/dissectors/packet-eth.c:472
    #19 0x7f9a562671a9 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:512
    #20 0x7f9a5626745b in dissector_try_uint_new
/home/alagoutte/wireshark-clang/epan/packet.c:1030
    #21 0x7f9a56702fa0 in dissect_frame
/home/alagoutte/wireshark-clang/epan/dissectors/packet-frame.c:488
    #22 0x7f9a562671a9 in call_dissector_through_handle
/home/alagoutte/wireshark-clang/epan/packet.c:512
    #23 0x7f9a5626a48c in call_dissector_only
/home/alagoutte/wireshark-clang/epan/packet.c:2139
    #24 0x7f9a56265cc3 in call_dissector
/home/alagoutte/wireshark-clang/epan/packet.c:2169
    #25 0x7f9a56246828 in epan_dissect_run_with_taps
/home/alagoutte/wireshark-clang/epan/epan.c:329
    #26 0x4a0995 in process_packet
/home/alagoutte/wireshark-clang/tshark.c:3453
    #27 0x49c487 in load_cap_file /home/alagoutte/wireshark-clang/tshark.c:3256
    #28 0x7f9a4f1f8de4 in __libc_start_main
/build/buildd/eglibc-2.17/csu/libc-start.c:260
    #29 0x48595c in _start ??:?

0x7f9a5a81f0f8 is located 8 bytes to the left of global variable 'PDUs_choice'
from 'packet-snmp.c' (0x7f9a5a81f100) of size 400
0x7f9a5a81f0f8 is located 32 bytes to the right of global variable
'RegisterResponse_choice' from 'packet-snmp.c' (0x7f9a5a81f060) of size 120

SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0ff3cb4fbdc0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff3cb4fbdd0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff3cb4fbde0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff3cb4fbdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff3cb4fbe00: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x0ff3cb4fbe10: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9[f9]
  0x0ff3cb4fbe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff3cb4fbe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff3cb4fbe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff3cb4fbe50: 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0ff3cb4fbe60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==27162==ABORTING


You are receiving this mail because:
  • You are watching all bug changes.