Bug 11797 - Wireshark static buffer overflow in my_dgt_tbcd_unpack
Summary: Wireshark static buffer overflow in my_dgt_tbcd_unpack
Status: RESOLVED FIXED
Alias: None
Product: Wireshark
Classification: Unclassified
Component: Dissection engine (libwireshark) (show other bugs)
Version: Git
Hardware: All All
: Low Major (vote)
Target Milestone: ---
Assignee: Bugzilla Administrator
URL:
: 11804 11805 11806 11808 11811 12340 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-11-27 17:42 UTC by Mateusz Jurczyk
Modified: 2016-04-15 18:14 UTC (History)
3 users (show)

See Also:

Attachments
Reproducers. (1.05 KB, application/zip)
2015-11-27 17:42 UTC, Mateusz Jurczyk 		Details
unzip file 1 (140 bytes, application/vnd.tcpdump.pcap)
2015-11-28 02:06 UTC, Michael Mann 		Details
unzip file 2 (151 bytes, application/vnd.tcpdump.pcap)
2015-11-28 02:07 UTC, Michael Mann 		Details
unzip file 3 (146 bytes, application/vnd.tcpdump.pcap)
2015-11-28 02:08 UTC, Michael Mann 		Details
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mateusz Jurczyk 2015-11-27 17:42:46 UTC 
Created attachment 14052 [details]
Reproducers.

Build Information:
Wireshark git master.
--
The following crash due to a static buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

Attached are three files which trigger the crash.

--- cut ---
==8089==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000df60580 at pc 0x000000d6eb8c bp 0x7ffc622f4a80 sp 0x7ffc622f4a78
WRITE of size 1 at 0x00000df60580 thread T0
    #0 0xd6eb8b in my_dgt_tbcd_unpack wireshark/epan/dissectors/packet-gsm_a_common.c:1972:16
    #1 0xd71258 in de_mid wireshark/epan/dissectors/packet-gsm_a_common.c:2270:9
    #2 0x3c7ce02 in dissect_uma_IE wireshark/epan/dissectors/packet-uma.c:912:3
    #3 0x3c7bfd1 in dissect_uma wireshark/epan/dissectors/packet-uma.c:1664:13
    #4 0x1317640 in tcp_dissect_pdus wireshark/epan/dissectors/packet-tcp.c:2740:13
    #5 0x3c7b62b in dissect_uma_tcp wireshark/epan/dissectors/packet-uma.c:1699:2
    #6 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #7 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #8 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #9 0x1318ea7 in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4610:9
    #10 0x131ea52 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
    #11 0x1319ad8 in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
    #12 0x132fb70 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
    #13 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #14 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #15 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #16 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
    #17 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
    #18 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #19 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #20 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #21 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
    #22 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
    #23 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #24 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #25 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
    #26 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #27 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
    #28 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
    #29 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #30 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #31 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #32 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #33 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #34 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
    #35 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
    #36 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #37 0xadffde in dissect_record wireshark/epan/packet.c:501:3
    #38 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #39 0x53c91b in process_packet wireshark/tshark.c:3728:5
    #40 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
    #41 0x52c1df in main wireshark/tshark.c:2197:13

0x00000df60580 is located 0 bytes to the right of global variable 'a_bigbuf' defined in 'packet-gsm_a_common.c:762:13' (0xdf60180) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-gsm_a_common.c:1972:16 in my_dgt_tbcd_unpack
Shadow bytes around the buggy address:
  0x000081be4060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000081be4070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000081be4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000081be4090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000081be40a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000081be40b0:[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000081be40c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000081be40d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000081be40e0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000081be40f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000081be4100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8089==ABORTING
--- cut ---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 Michael Mann 2015-11-28 02:06:43 UTC 
Created attachment 14055 [details]
unzip file 1
Comment 2 Michael Mann 2015-11-28 02:07:03 UTC 
Created attachment 14056 [details]
unzip file 2
Comment 3 Michael Mann 2015-11-28 02:08:33 UTC 
Created attachment 14057 [details]
unzip file 3

Unzipping the files for future fuzztesting.
Comment 4 Michael Mann 2015-11-28 04:13:11 UTC 
Making public so Gerrit hooks work.
Comment 5 Gerrit Code Review 2015-11-28 04:14:24 UTC 
Change 12239 had a related patch set uploaded by Michael Mann:
[GSM A Interface] Prevent static buffer overflow

https://code.wireshark.org/review/12239
Comment 6 Gerrit Code Review 2015-11-29 00:02:52 UTC 
Change 12239 merged by Anders Broman:
Replace my_dgt_tbcd_unpack with the safer tvb_bcd_dig_to_wmem_packet_str.

https://code.wireshark.org/review/12239
Comment 7 Gerrit Code Review 2015-11-29 00:27:38 UTC 
Change 12272 had a related patch set uploaded by Michael Mann:
Replace my_dgt_tbcd_unpack with the safer tvb_bcd_dig_to_wmem_packet_str.

https://code.wireshark.org/review/12272
Comment 8 Gerrit Code Review 2015-11-29 00:36:25 UTC 
Change 12273 had a related patch set uploaded by Michael Mann:
Replace my_dgt_tbcd_unpack with the safer tvb_bcd_dig_to_wmem_packet_str.

https://code.wireshark.org/review/12273
Comment 9 Gerrit Code Review 2015-11-29 10:03:54 UTC 
Change 12280 had a related patch set uploaded by Pascal Quantin:
Fix bugs introduced in gcfc47c1

https://code.wireshark.org/review/12280
Comment 10 Pascal Quantin 2015-11-29 10:37:49 UTC 
*** Bug 11804 has been marked as a duplicate of this bug. ***
Comment 11 Pascal Quantin 2015-11-29 10:39:08 UTC 
*** Bug 11805 has been marked as a duplicate of this bug. ***
Comment 12 Gerrit Code Review 2015-11-29 13:38:11 UTC 
Change 12280 merged by Michael Mann:
Fix bugs introduced in gcfc47c1

https://code.wireshark.org/review/12280
Comment 13 Michael Mann 2015-11-29 16:56:13 UTC 
*** Bug 11808 has been marked as a duplicate of this bug. ***
Comment 14 Michael Mann 2015-11-29 16:57:59 UTC 
*** Bug 11806 has been marked as a duplicate of this bug. ***
Comment 15 Gerrit Code Review 2015-11-29 17:23:36 UTC 
Change 12272 merged by Pascal Quantin:
Replace my_dgt_tbcd_unpack with the safer tvb_bcd_dig_to_wmem_packet_str.

https://code.wireshark.org/review/12272
Comment 16 Gerrit Code Review 2015-11-29 17:35:04 UTC 
Change 12273 merged by Pascal Quantin:
Replace my_dgt_tbcd_unpack with the safer tvb_bcd_dig_to_wmem_packet_str.

https://code.wireshark.org/review/12273
Comment 17 Michael Mann 2015-11-30 01:54:18 UTC 
*** Bug 11811 has been marked as a duplicate of this bug. ***
Comment 18 Gerrit Code Review 2016-02-05 20:42:54 UTC 
Change 13766 had a related patch set uploaded by Balint Reczey:
Replace my_dgt_tbcd_unpack with the safer tvb_bcd_dig_to_wmem_packet_str.

https://code.wireshark.org/review/13766
Comment 19 Gerrit Code Review 2016-02-05 20:43:14 UTC 
Change 13766 merged by Balint Reczey:
Replace my_dgt_tbcd_unpack with the safer tvb_bcd_dig_to_wmem_packet_str.

https://code.wireshark.org/review/13766
Comment 20 Pascal Quantin 2016-04-15 18:14:26 UTC 
*** Bug 12340 has been marked as a duplicate of this bug. ***