Bug 11794 - Wireshark static out-of-bounds read in ascend_seek
Summary: Wireshark static out-of-bounds read in ascend_seek
Status: RESOLVED FIXED
Alias: None
Product: Wireshark
Classification: Unclassified
Component: Capture file support (libwiretap) (show other bugs)
Version: Git
Hardware: All All
: Low Major (vote)
Target Milestone: ---
Assignee: Bugzilla Administrator
URL:
Depends on:
Blocks:
 
Reported: 2015-11-27 16:41 UTC by Mateusz Jurczyk
Modified: 2016-02-29 21:35 UTC (History)
1 user (show)

See Also:

Attachments
Reproducers. (559.59 KB, application/zip)
2015-11-27 16:41 UTC, Mateusz Jurczyk 		Details
unzip file 1 (68.93 KB, application/octet-stream)
2015-11-28 21:21 UTC, Michael Mann 		Details
unzip file 2 (798.60 KB, application/octet-stream)
2015-11-28 21:21 UTC, Michael Mann 		Details
unzip file 3 (27.73 KB, application/octet-stream)
2015-11-28 21:22 UTC, Michael Mann 		Details
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mateusz Jurczyk 2015-11-27 16:41:33 UTC 
Created attachment 14049 [details]
Reproducers.

Build Information:
Wireshark git master.
--
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

Attached are three files which trigger the crash.

--- cut ---
==5629==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000044bf7e6 at pc 0x0000009eb451 bp 0x7ffcd2fd6050 sp 0x7ffcd2fd6048
READ of size 1 at 0x0000044bf7e6 thread T0
    #0 0x9eb450 in ascend_seek wireshark/wiretap/ascendtext.c:105:19
    #1 0x9ea5e0 in ascend_open wireshark/wiretap/ascendtext.c:167:12
    #2 0x83f7c6 in wtap_open_offline wireshark/wiretap/file_access.c:1042:13
    #3 0x53214d in cf_open wireshark/tshark.c:4195:9
    #4 0x52bc7e in main wireshark/tshark.c:2188:9

0x0000044bf7e6 is located 58 bytes to the left of global variable '<string literal>' defined in 'ascendtext.c:61:25' (0x44bf820) of size 10
  '<string literal>' is ascii string 'PRI-XMIT-'
0x0000044bf7e6 is located 0 bytes to the right of global variable '<string literal>' defined in 'ascendtext.c:117:30' (0x44bf7e0) of size 6
  '<string literal>' is ascii string 'Date:'
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/wiretap/ascendtext.c:105:19 in ascend_seek
Shadow bytes around the buggy address:
  0x00008088fea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008088feb0: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00008088fec0: 00 00 00 01 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
  0x00008088fed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008088fee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008088fef0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9[06]f9 f9 f9
  0x00008088ff00: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 01 f9 f9
  0x00008088ff10: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
  0x00008088ff20: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
  0x00008088ff30: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x00008088ff40: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 06 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5629==ABORTING
--- cut ---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 Michael Mann 2015-11-28 21:21:15 UTC 
Created attachment 14067 [details]
unzip file 1
Comment 2 Michael Mann 2015-11-28 21:21:30 UTC 
Created attachment 14068 [details]
unzip file 2
Comment 3 Michael Mann 2015-11-28 21:22:50 UTC 
Created attachment 14069 [details]
unzip file 3

Unzip files for the fuzzbots.
Comment 4 Gerrit Code Review 2015-11-30 01:39:59 UTC 
Change 12266 merged by Michael Mann:
Fix out-of-bounds read in ascend_seek.

https://code.wireshark.org/review/12266
Comment 5 Gerrit Code Review 2015-11-30 01:40:15 UTC 
Change 12296 had a related patch set uploaded by Michael Mann:
Fix out-of-bounds read in ascend_seek.

https://code.wireshark.org/review/12296
Comment 6 Gerrit Code Review 2015-11-30 01:40:21 UTC 
Change 12296 merged by Michael Mann:
Fix out-of-bounds read in ascend_seek.

https://code.wireshark.org/review/12296
Comment 7 Gerrit Code Review 2015-11-30 01:40:35 UTC 
Change 12297 had a related patch set uploaded by Michael Mann:
Fix out-of-bounds read in ascend_seek.

https://code.wireshark.org/review/12297
Comment 8 Gerrit Code Review 2015-11-30 01:40:42 UTC 
Change 12297 merged by Michael Mann:
Fix out-of-bounds read in ascend_seek.

https://code.wireshark.org/review/12297
Comment 9 Gerrit Code Review 2016-02-05 20:44:00 UTC 
Change 13768 had a related patch set uploaded by Balint Reczey:
Fix out-of-bounds read in ascend_seek.

https://code.wireshark.org/review/13768
Comment 10 Gerrit Code Review 2016-02-05 20:44:07 UTC 
Change 13768 merged by Balint Reczey:
Fix out-of-bounds read in ascend_seek.

https://code.wireshark.org/review/13768
Comment 11 Gerrit Code Review 2016-02-29 21:35:33 UTC 
Change 14245 had a related patch set uploaded by Balint Reczey:
Fix out-of-bounds read in ascend_seek.

https://code.wireshark.org/review/14245
Comment 12 Gerrit Code Review 2016-02-29 21:35:56 UTC 
Change 14245 merged by Balint Reczey:
Fix out-of-bounds read in ascend_seek.

https://code.wireshark.org/review/14245