Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 12751] New: AddressSanitizer: SEGV on unknown address 0x0000000002c0

Wireshark-bugs: [Wireshark-bugs] [Bug 12751] New: AddressSanitizer: SEGV on unknown address 0x00

Date: Tue, 16 Aug 2016 20:29:40 +0000

Bug ID	12751
Summary	AddressSanitizer: SEGV on unknown address 0x0000000002c0
Product	Wireshark
Version	Git
Hardware	x86-64
OS	Ubuntu
Status	UNCONFIRMED
Severity	Major
Priority	Low
Component	TShark
Assignee	bugzilla-admin@wireshark.org
Reporter	mtowalski@pentest.net.pl

Created attachment 14817 [details]
PoC

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-312-g13d0d10 from master)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.40.2, with zlib 1.2.8, without
SMI, without c-ares, without Lua, with GnuTLS 2.12.23, with Gcrypt 1.5.3, with
MIT Kerberos, without GeoIP.

Running on Linux 4.2.0-27-generic, with locale LC_CTYPE=en_US.UTF-8,
LC_NUMERIC=pl_PL.UTF-8, LC_TIME=pl_PL.UTF-8, LC_COLLATE=en_US.UTF-8,
LC_MONETARY=pl_PL.UTF-8, LC_MESSAGES=en_US.UTF-8, LC_PAPER=pl_PL.UTF-8,
LC_NAME=pl_PL.UTF-8, LC_ADDRESS=pl_PL.UTF-8, LC_TELEPHONE=pl_PL.UTF-8,
LC_MEASUREMENT=pl_PL.UTF-8, LC_IDENTIFICATION=pl_PL.UTF-8, with GnuTLS 2.12.23,
with Gcrypt 1.5.3, with zlib 1.2.8.
Intel(R) Core(TM) i7 CPU         860  @ 2.80GHz (with SSE4.2)

Built using clang 4.2.1 Compatible Clang 3.9.0 (trunk 274369).

--
=================================================================
==24244==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002c0 (pc
0x7fca234b654e bp 0x7fff73099e60 sp 0x7fff73098b40 T0)
==24244==The signal is caused by a WRITE memory access.
==24244==Hint: address points to the zero page.
    #0 0x7fca234b654d in dissect_hsdsch_channel_info
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-umts_fp.c:3193:50
    #1 0x7fca234b654d in dissect_fp_common
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-umts_fp.c:4459
    #2 0x7fca222672fd in call_dissector_through_handle
/media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #3 0x7fca222672fd in call_dissector_work
/media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #4 0x7fca2226769d in dissector_try_uint_new
/media/Fuzzing/Targets/wireshark/epan/packet.c:1188:9
    #5 0x7fca2226769d in dissector_try_uint
/media/Fuzzing/Targets/wireshark/epan/packet.c:1214
    #6 0x7fca22513ab0 in dissect_reassembled_pdu
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-atm.c:1051:11
    #7 0x7fca22513ab0 in dissect_atm_common
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-atm.c:1634
    #8 0x7fca222672fd in call_dissector_through_handle
/media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #9 0x7fca222672fd in call_dissector_work
/media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #10 0x7fca226bea87 in dissect_catapult_dct2000
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-catapult-dct2000.c:2810:32
    #11 0x7fca222672fd in call_dissector_through_handle
/media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #12 0x7fca222672fd in call_dissector_work
/media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #13 0x7fca22266ea1 in dissector_try_uint_new
/media/Fuzzing/Targets/wireshark/epan/packet.c:1188:9
    #14 0x7fca229e8165 in dissect_frame
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-frame.c:507:11
    #15 0x7fca222672fd in call_dissector_through_handle
/media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #16 0x7fca222672fd in call_dissector_work
/media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #17 0x7fca222648c8 in call_dissector_only
/media/Fuzzing/Targets/wireshark/epan/packet.c:2780:8
    #18 0x7fca222648c8 in call_dissector_with_data
/media/Fuzzing/Targets/wireshark/epan/packet.c:2793
    #19 0x7fca22263ecb in dissect_record
/media/Fuzzing/Targets/wireshark/epan/packet.c:532:3
    #20 0x7fca22246388 in epan_dissect_run_with_taps
/media/Fuzzing/Targets/wireshark/epan/epan.c:379:2
    #21 0x565409134435 in process_packet
/media/Fuzzing/Targets/wireshark/tshark.c:3433:5
    #22 0x565409134435 in load_cap_file
/media/Fuzzing/Targets/wireshark/tshark.c:3189
    #23 0x565409134435 in main /media/Fuzzing/Targets/wireshark/tshark.c:1893
    #24 0x7fca18f95f44 in __libc_start_main
/build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #25 0x565409060d15 in _start
(/media/Fuzzing/Targets/wireshark/run/tshark+0x48d15)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-umts_fp.c:3193:50 in
dissect_hsdsch_channel_info
==24244==ABORTING

You are receiving this mail because:

You are watching all bug changes.

Follow-Ups:
- [Wireshark-bugs] [Bug 12751] Invalid memory access in UMTS-FP dissector
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12751] Invalid memory access in UMTS-FP dissector
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12751] Invalid memory access in UMTS-FP dissector
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12751] Invalid memory access in UMTS-FP dissector
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12751] Invalid memory access in UMTS-FP dissector
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12751] Invalid memory access in UMTS-FP dissector
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 12751] Invalid memory access in UMTS-FP dissector
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 12750] New: AddressSanitizer: global-buffer-overflow on address 0x7fd2775186a0
Next by Date: [Wireshark-bugs] [Bug 12752] New: AddressSanitizer: stack-buffer-overflow on address 0x7ffee55f4350
Previous by thread: [Wireshark-bugs] [Bug 12750] Buffer overflow in Catapult DCT2000 dissector
Next by thread: [Wireshark-bugs] [Bug 12751] Invalid memory access in UMTS-FP dissector
Index(es):
- Date
- Thread