Bug 11796 - Wireshark static out-of-bounds read in dissect_ber_set
Status: RESOLVED DUPLICATE of bug 12106
Product: Wireshark
Classification: Unclassified
Component: Dissection engine (libwireshark)
Version: Git
Hardware: All All
Importance: Low Major
Assignee: Bugzilla Administrator
Reported: 2015-11-27 17:26 UTC by Mateusz Jurczyk
Modified: 2016-02-20 15:38 UTC

Attachments
Reproducers. (3.17 KB, application/zip)
2015-11-27 17:26 UTC, Mateusz Jurczyk
Description Mateusz Jurczyk 2015-11-27 17:26:05 UTC
Created attachment 14051
Reproducers.

Build Information:
Wireshark git master.
--
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

Attached are three files which trigger the crash.

--- cut ---
==7855==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000005676c18 at pc 0x000001ab09d2 bp 0x7ffc9ce376b0 sp 0x7ffc9ce376a8
READ of size 8 at 0x000005676c18 thread T0
    #0 0x1ab09d1 in dissect_ber_set wireshark/epan/dissectors/packet-ber.c:2588:64
    #1 0x198e7c7 in dissect_ansi_tcap_T_paramSet wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:189:12
    #2 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
    #3 0x198e652 in dissect_ansi_tcap_T_parameter_03 wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:210:12
    #4 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
    #5 0x198b2f7 in dissect_ansi_tcap_Reject wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:227:12
    #6 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
    #7 0x198aee2 in dissect_ansi_tcap_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:256:12
    #8 0x1abba52 in dissect_ber_sq_of wireshark/epan/dissectors/packet-ber.c:3490:9
    #9 0x1abbe2f in dissect_ber_sequence_of wireshark/epan/dissectors/packet-ber.c:3521:12
    #10 0x198ae17 in dissect_ansi_tcap_SEQUENCE_OF_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:270:12
    #11 0x1a966a7 in dissect_ber_tagged_type wireshark/epan/dissectors/packet-ber.c:691:9
    #12 0x19898ac in dissect_ansi_tcap_ComponentSequence wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:280:12
    #13 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
    #14 0x198e887 in dissect_ansi_tcap_TransactionPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:145:12
    #15 0x1988ded in dissect_ansi_tcap_T_queryWithPerm wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:134:12
    #16 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
    #17 0x1988b30 in dissect_ansi_tcap_PackageType wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:173:12
    #18 0x1988830 in dissect_ansi_tcap wireshark/epan/dissectors/../../asn1/ansi_tcap/packet-ansi_tcap-template.c:385:5
    #19 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #20 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #21 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
    #22 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #23 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
    #24 0x16c3f24 in dissect_tcap wireshark/epan/dissectors/../../asn1/tcap/packet-tcap-template.c:2004:14
    #25 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #26 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #27 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #28 0x11d6632 in dissect_sccp_data_param wireshark/epan/dissectors/packet-sccp.c:2346:31
    #29 0x11d47a1 in dissect_sccp_parameter wireshark/epan/dissectors/packet-sccp.c:2559:5
    #30 0x11d5169 in dissect_sccp_variable_parameter wireshark/epan/dissectors/packet-sccp.c:2640:3
    #31 0x11cec1e in dissect_sccp_message wireshark/epan/dissectors/packet-sccp.c:2951:5
    #32 0x11cc3f9 in dissect_sccp wireshark/epan/dissectors/packet-sccp.c:3402:3
    #33 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #34 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #35 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #36 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
    #37 0xefae51 in dissect_mtp3_payload wireshark/epan/dissectors/packet-mtp3.c:647:8
    #38 0xef8466 in dissect_mtp3 wireshark/epan/dissectors/packet-mtp3.c:767:3
    #39 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #40 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #41 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
    #42 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #43 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
    #44 0x2da26b4 in dissect_protocol_data_1_parameter wireshark/epan/dissectors/packet-m2ua.c:507:3
    #45 0x2da11b2 in dissect_parameter wireshark/epan/dissectors/packet-m2ua.c:952:5
    #46 0x2da006b in dissect_parameters wireshark/epan/dissectors/packet-m2ua.c:1026:5
    #47 0x2d9fb58 in dissect_message wireshark/epan/dissectors/packet-m2ua.c:1041:3
    #48 0x2d9fa96 in dissect_m2ua wireshark/epan/dissectors/packet-m2ua.c:1058:3
    #49 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #50 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #51 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #52 0x39012a2 in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9
    #53 0x38f7d37 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16
    #54 0x38f0ac8 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14
    #55 0x38ed8e6 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9
    #56 0x38eb79f in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3
    #57 0x38e95d5 in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3
    #58 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #59 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #60 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #61 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
    #62 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
    #63 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #64 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #65 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #66 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
    #67 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
    #68 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #69 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #70 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
    #71 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #72 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
    #73 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
    #74 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #75 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #76 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #77 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #78 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #79 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #80 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
    #81 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #82 0xadffde in dissect_record wireshark/epan/packet.c:501:3
    #83 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #84 0x53c91b in process_packet wireshark/tshark.c:3728:5
    #85 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
    #86 0x52c1df in main wireshark/tshark.c:2197:13

0x000005676c18 is located 8 bytes to the left of global variable '<string literal>' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:131:43' (0x5676c20) of size 15
  '<string literal>' is ascii string 'queryWithPerm '
0x000005676c18 is located 24 bytes to the right of global variable 'T_paramSet_set' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:183:29' (0x5676be0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-ber.c:2588:64 in dissect_ber_set
Shadow bytes around the buggy address:
  0x000080ac6d30: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000080ac6d40: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
  0x000080ac6d50: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x000080ac6d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
  0x000080ac6d70: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
=>0x000080ac6d80: f9 f9 f9[f9]00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080ac6d90: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x000080ac6da0: 00 00 02 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
  0x000080ac6db0: 00 00 06 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
  0x000080ac6dc0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000080ac6dd0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7855==ABORTING
--- cut ---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 Pascal Quantin 2015-11-28 14:16:09 UTC
Valgrind does not detect any issue with v2.1.0rc0-827-gaaa28a9.
Could you please indicate which version you tested?
Comment 2 Mateusz Jurczyk 2015-11-30 11:46:24 UTC
As noted in the original bug report, I'm testing current git master (just reproduced it again with today's code).

This is an out-of-bounds read in static memory, which I don't think is a condition valgrind can detect. Have you tried with AddressSanitizer?
Comment 3 Pascal Quantin 2015-11-30 11:48:48 UTC
(In reply to Mateusz Jurczyk from comment #2)
> As noted in the original bug report, I'm testing current git master (just
> reproduced it again with today's code).
> 
> This is an out-of-bounds read in static memory, which I don't think is a
> condition valgrind can detect. Have you tried with AddressSanitizer?

No, I have not tried as I do not know how to run it :)

Could you post the callstack as the line numbers changed since your run? As I did not know which version you were using, I could not even check the code.
Comment 4 Mateusz Jurczyk 2015-11-30 12:03:38 UTC
Sure! It doesn't seem to me that line numbers have generally changed, but the ASAN report for version v2.1.0rc0-857-g370d32d is shown below.

I strongly recommend AddressSanitizer as the memory safety tool of choice, as it is considerably faster and detects a wider range of memory-related errors than valgrind. To use it, you can compile Wireshark with the additional "-fsanitize=address" flag, preferably with clang (although gcc also supports it), and then run the program as normal. See http://clang.llvm.org/docs/AddressSanitizer.html for more information.

--- cut ---
==30267==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f680de8fe18 at pc 0x7f6808fdacdd bp 0x7ffdd3221630 sp 0x7ffdd3221628
READ of size 8 at 0x7f680de8fe18 thread T0
    #0 0x7f6808fdacdc in dissect_ber_set wireshark/epan/dissectors/packet-ber.c:2588:64
    #1 0x7f680b1674df in dissect_ansi_tcap_T_paramSet wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:189:12
    #2 0x7f6808fde85c in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
    #3 0x7f680b16737a in dissect_ansi_tcap_T_parameter_03 wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:210:12
    #4 0x7f6808fd8d4a in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
    #5 0x7f680b16430f in dissect_ansi_tcap_Reject wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:227:12
    #6 0x7f6808fde85c in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
    #7 0x7f680b163f2a in dissect_ansi_tcap_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:256:12
    #8 0x7f6808fe5695 in dissect_ber_sq_of wireshark/epan/dissectors/packet-ber.c:3490:9
    #9 0x7f6808fe5a3b in dissect_ber_sequence_of wireshark/epan/dissectors/packet-ber.c:3521:12
    #10 0x7f680b163e6f in dissect_ansi_tcap_SEQUENCE_OF_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:270:12
    #11 0x7f6808fc195b in dissect_ber_tagged_type wireshark/epan/dissectors/packet-ber.c:691:9
    #12 0x7f680b1629e5 in dissect_ansi_tcap_ComponentSequence wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:280:12
    #13 0x7f6808fd8d4a in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
    #14 0x7f680b16758f in dissect_ansi_tcap_TransactionPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:145:12
    #15 0x7f680b162215 in dissect_ansi_tcap_T_response wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:142:12
    #16 0x7f6808fde85c in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
    #17 0x7f680b161c98 in dissect_ansi_tcap_PackageType wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:173:12
    #18 0x7f680b16199d in dissect_ansi_tcap wireshark/epan/dissectors/../../asn1/ansi_tcap/packet-ansi_tcap-template.c:385:5
    #19 0x7f6808afccc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #20 0x7f6808aef5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #21 0x7f6808af92be in call_dissector_only wireshark/epan/packet.c:2662:8
    #22 0x7f6808aeaccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #23 0x7f6808af9344 in call_dissector wireshark/epan/packet.c:2692:9
    #24 0x7f680bd4cf78 in dissect_tcap wireshark/epan/dissectors/../../asn1/tcap/packet-tcap-template.c:2004:14
    #25 0x7f6808afccc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #26 0x7f6808aef5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #27 0x7f6808aeedbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #28 0x7f680a6c209f in dissect_sccp_data_param wireshark/epan/dissectors/packet-sccp.c:2346:31
    #29 0x7f680a6c0372 in dissect_sccp_parameter wireshark/epan/dissectors/packet-sccp.c:2559:5
    #30 0x7f680a6c0caa in dissect_sccp_variable_parameter wireshark/epan/dissectors/packet-sccp.c:2640:3
    #31 0x7f680a6baae8 in dissect_sccp_message wireshark/epan/dissectors/packet-sccp.c:2951:5
    #32 0x7f680a6b8402 in dissect_sccp wireshark/epan/dissectors/packet-sccp.c:3402:3
    #33 0x7f6808afccc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #34 0x7f6808aef5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #35 0x7f6808aeedbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #36 0x7f6808aef964 in dissector_try_uint wireshark/epan/packet.c:1174:9
    #37 0x7f680a08f811 in dissect_mtp3_payload wireshark/epan/dissectors/packet-mtp3.c:647:8
    #38 0x7f680a08d044 in dissect_mtp3 wireshark/epan/dissectors/packet-mtp3.c:767:3
    #39 0x7f6808afccc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #40 0x7f6808aef5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #41 0x7f6808af92be in call_dissector_only wireshark/epan/packet.c:2662:8
    #42 0x7f6808aeaccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #43 0x7f6808af9344 in call_dissector wireshark/epan/packet.c:2692:9
    #44 0x7f6809ebba6f in dissect_protocol_data_1_parameter wireshark/epan/dissectors/packet-m2ua.c:507:3
    #45 0x7f6809eba62b in dissect_parameter wireshark/epan/dissectors/packet-m2ua.c:952:5
    #46 0x7f6809eb9577 in dissect_parameters wireshark/epan/dissectors/packet-m2ua.c:1026:5
    #47 0x7f6809eb90a4 in dissect_message wireshark/epan/dissectors/packet-m2ua.c:1041:3
    #48 0x7f6809eb8fed in dissect_m2ua wireshark/epan/dissectors/packet-m2ua.c:1058:3
    #49 0x7f6808afccc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #50 0x7f6808aef5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #51 0x7f6808aeedbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #52 0x7f680a74898b in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9
    #53 0x7f680a73fb88 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16
    #54 0x7f680a738d99 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14
    #55 0x7f680a735d03 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9
    #56 0x7f680a733cdf in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3
    #57 0x7f680a731cba in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3
    #58 0x7f6808afccc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #59 0x7f6808aef5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #60 0x7f6808aeedbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #61 0x7f6809bfc88b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
    #62 0x7f6809c072b9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
    #63 0x7f6808afccc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #64 0x7f6808aef5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #65 0x7f6808aeedbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #66 0x7f6808aef964 in dissector_try_uint wireshark/epan/packet.c:1174:9
    #67 0x7f680970e48d in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
    #68 0x7f6808afccc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #69 0x7f6808aef5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #70 0x7f6808af92be in call_dissector_only wireshark/epan/packet.c:2662:8
    #71 0x7f6808aeaccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #72 0x7f680970a725 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
    #73 0x7f6809702f33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
    #74 0x7f6808afccc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #75 0x7f6808aef5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #76 0x7f6808aeedbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #77 0x7f68097fe5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #78 0x7f6808afccc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #79 0x7f6808aef5ea in call_dissector_work wireshark/epan/packet.c:691:9
    #80 0x7f6808af92be in call_dissector_only wireshark/epan/packet.c:2662:8
    #81 0x7f6808aeaccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #82 0x7f6808aea33b in dissect_record wireshark/epan/packet.c:501:3
    #83 0x7f6808a983c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #84 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #85 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #86 0x515daf in main wireshark/tshark.c:2197:13

0x7f680de8fe18 is located 8 bytes to the left of global variable '<string literal>' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:131:43' (0x7f680de8fe20) of size 15
  '<string literal>' is ascii string 'queryWithPerm '
0x7f680de8fe18 is located 24 bytes to the right of global variable 'T_paramSet_set' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:183:29' (0x7f680de8fde0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-ber.c:2588:64 in dissect_ber_set
Shadow bytes around the buggy address:
  0x0fed81bc9f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fed81bc9f80: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fed81bc9f90: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 05 f9 f9 f9
  0x0fed81bc9fa0: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9
  0x0fed81bc9fb0: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
=>0x0fed81bc9fc0: f9 f9 f9[f9]00 07 f9 f9 f9 f9 f9 f9 00 00 02 f9
  0x0fed81bc9fd0: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 00 06 f9
  0x0fed81bc9fe0: f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9 07 f9 f9 f9
  0x0fed81bc9ff0: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 00 00
  0x0fed81bca000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fed81bca010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30267==ABORTING
--- cut ---
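
Added example, not part of the original report and not Wireshark code: a minimal C model of the access pattern the ASAN output above describes, an 8-byte read 24 bytes past a 32-byte global table. The `entry_t` layout is an assumed mirror of Wireshark's `ber_sequence_t` on LP64, and the tables, `hf_dummy`, `dummy_cb` and the `DEMO_OOB` macro are constructed for illustration. Under that assumption the reported offsets land on the `func` field of a second entry that a one-entry table does not have, and a walk bounded by the entry count stays inside the object.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed mirror of Wireshark's ber_sequence_t; 32 bytes on LP64. */
typedef int (*ber_cb_t)(void);
typedef struct {
    const int   *p_id;
    signed char  ber_class;
    int          tag;
    unsigned int flags;
    ber_cb_t     func;      /* NULL func is the end-of-table sentinel */
} entry_t;

static const int hf_dummy = -1;            /* constructed sample value */
static int dummy_cb(void) { return 0; }    /* constructed sample callback */

/* Constructed: one entry and no terminator, 32 bytes like the reported global. */
static const entry_t one_entry_table[] = {
    { &hf_dummy, 0, 16, 0, dummy_cb },
};

/* Constructed: the same entry followed by the NULL terminator. */
static const entry_t terminated_table[] = {
    { &hf_dummy, 0, 16, 0, dummy_cb },
    { NULL, 0, 0, 0, NULL },
};

/* Sentinel walk: trusts the table to end with func == NULL. */
size_t count_sentinel(const entry_t *t)
{
    size_t n = 0;
    while (t[n].func != NULL)
        n++;
    return n;
}

/* Bounded walk: never touches memory past max_entries, terminator or not. */
size_t count_bounded(const entry_t *t, size_t max_entries)
{
    size_t n = 0;
    while (n < max_entries && t[n].func != NULL)
        n++;
    return n;
}

/* Map ASAN's "N bytes to the right of a global of size S" to entry and field. */
typedef struct { size_t index; size_t field_off; } oob_loc_t;

oob_loc_t locate_oob(size_t global_size, size_t bytes_right)
{
    size_t off = global_size + bytes_right;
    oob_loc_t loc = { off / sizeof(entry_t), off % sizeof(entry_t) };
    return loc;
}

int main(void)
{
    /* 24 is the "bytes to the right" figure from the report. */
    oob_loc_t loc = locate_oob(sizeof(one_entry_table), 24);
    printf("entry %zu, field offset %zu (func is at offset %zu)\n",
           loc.index, loc.field_off, offsetof(entry_t, func));
    printf("terminated table, sentinel walk: %zu\n", count_sentinel(terminated_table));
    printf("one-entry table, bounded walk:   %zu\n",
           count_bounded(one_entry_table, sizeof(one_entry_table) / sizeof(one_entry_table[0])));
#ifdef DEMO_OOB
    /* Reads one_entry_table[1].func, which lies in the global redzone. */
    printf("one-entry table, sentinel walk:  %zu\n", count_sentinel(one_entry_table));
#endif
    return 0;
}
```

Built with "-fsanitize=address" and the constructed `-DDEMO_OOB` switch, the last call is the one ASAN flags as global-buffer-overflow; Valgrind's Memcheck places no redzones around globals, so the same read passes unnoticed there.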
Comment 5 Peter Wu 2016-02-20 15:38:23 UTC

*** This bug has been marked as a duplicate of bug 12106 ***