Wireshark-bugs: [Wireshark-bugs] [Bug 11262] New: tshark -z io, stat, 1, SUM(ip.len) reports inv
Date: Mon, 08 Jun 2015 21:46:42 +0000
Bug ID 11262
Summary tshark -z io,stat,1,SUM(ip.len) reports invalid stats, triggers ASAN buffer overrun
Product Wireshark
Version Git
Hardware All
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component TShark
Assignee bugzilla-admin@wireshark.org
Reporter peter@lekensteyn.nl

Created attachment 13655 [details]
https.pcapng.gz - subject capture file

Build Information:
TShark (Wireshark) 1.99.7 (v1.99.7rc0-106-gc100e1c from master)

Copyright 1998-2015 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.44.1, without SMI, without c-ares, without ADNS,
with Lua 5.2, with GnuTLS 3.4.1, with Gcrypt 1.6.3, with MIT Kerberos, with
GeoIP.

Running on Linux 4.0.4-2-ARCH, with locale en_US.UTF-8, with libpcap version
1.6.2, with libz 1.2.8, with GnuTLS 3.4.1, with Gcrypt 1.6.3.
Intel(R) Core(TM) i5 CPU       M 560  @ 2.67GHz (with SSE4.2)

Built using gcc 5.1.0.
--
The attached attachment triggers an ASAN violation with this command:

    tshark -r https.pcapng.gz -z 'io,stat,1,SUM(ip.len)' -q

=========================
| IO Statistics         |
|                       |
=================================================================
==6655==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000212a8b
at pc 0x7f0e1ee9e679 bp 0x7ffcc15842c0 sp 0x7ffcc1583a38
READ of size 1 at 0x603000212a8b thread T0
    #0 0x7f0e1ee9e678 in printf_common
/build/gcc-multilib/src/gcc-5-20150519/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:542
    #1 0x7f0e1ee9ec87 in __interceptor_vprintf
/build/gcc-multilib/src/gcc-5-20150519/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:906
    #2 0x7f0e1ee9ed97 in __interceptor_printf
/build/gcc-multilib/src/gcc-5-20150519/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:942
    #3 0x45ca7d in iostat_draw /tmp/wireshark/ui/cli/tap-iostat.c:818
    #4 0x7f0e13097149 in draw_tap_listeners /tmp/wireshark/epan/tap.c:448
    #5 0x41c03b in main /tmp/wireshark/tshark.c:2257
    #6 0x7f0e0a17578f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #7 0x40ab78 in _start (/tmp/wsbuild/run/tshark+0x40ab78)

0x603000212a8b is located 1 bytes to the right of 26-byte region
[0x603000212a70,0x603000212a8a)
allocated by thread T0 here:
    #0 0x7f0e1eed69da in __interceptor_malloc
/build/gcc-multilib/src/gcc-5-20150519/libsanitizer/asan/asan_malloc_linux.cc:38
    #1 0x7f0e0b2564c9 in g_malloc (/usr/lib/libglib-2.0.so.0+0x4f4c9)
    #2 0x7f0e13097149 in draw_tap_listeners /tmp/wireshark/epan/tap.c:448
    #3 0x41c03b in main /tmp/wireshark/tshark.c:2257
    #4 0x7f0e0a17578f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/build/gcc-multilib/src/gcc-5-20150519/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:542
printf_common
Shadow bytes around the buggy address:
  0x0c068003a500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068003a510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068003a520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068003a530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068003a540: fa fa fa fa fa fa fa fa 00 00 00 05 fa fa 00 00
=>0x0c068003a550: 00[02]fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c068003a560: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
  0x0c068003a570: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c068003a580: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c068003a590: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c068003a5a0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==6655==ABORTING

gdb reports borderlen==25 and this is the head output without ASAN (on tshark
1.12.5-2 on Arch Linux x86_64):

=========================
| IO Statistics         |
|                       |
| Duration: 43.341901 secs|
| Interval:  1 secs     |
|                       |
| Col 1: SUM(ip.len)    |
|-----------------------|
|          |1    |      |
| Interval | SUM |      |
|----------------|      |
|  0 <>  1 |   0 |      |
|  1 <>  2 |   0 |      |
|  2 <>  3 |   0 |      |
|  3 <>  4 |   0 |      |
|  4 <>  5 |   0 |      |
|  5 <>  6 |   0 |      |
|  6 <>  7 |   0 |      |
|  7 <>  8 |   0 |      |

while this was the output for tshark 1.10.6-1 (Ubuntu 14.04 x86_64):

====================================
| IO Statistics                    |
|                                  |
| Interval size: 1 secs            |
| Col 1: Frames and bytes          |
|     2: SUM(ip.len)               |
|----------------------------------|
|          |1                |2    |
| Interval | Frames |  Bytes | SUM |
|----------------------------------|
|  0 <>  1 |     28 |   6205 |   0 |
|  1 <>  2 |      0 |      0 |   0 |
|  2 <>  3 |      6 |    396 |   0 |
|  3 <>  4 |      0 |      0 |   0 |
|  4 <>  5 |      2 |    114 |   0 |
|  5 <>  6 |     29 |   9019 |   0 |
|  6 <>  7 |     14 |   5476 |   0 |
|  7 <>  8 |    322 | 169038 |   0 |
|  8 <>  9 |     44 |  38627 |   0 |
|  9 <> 10 |      0 |      0 |   0 |

Something has regressed between 1.10 and 1.12, needs some investigation.


You are receiving this mail because:
  • You are watching all bug changes.