11815 – Wireshark SIGSEGV in dissect_nbap_MACdPDU_Size

Bug 11815 - Wireshark SIGSEGV in dissect_nbap_MACdPDU_Size

Summary: Wireshark SIGSEGV in dissect_nbap_MACdPDU_Size

Status:	RESOLVED FIXED

Alias:	None

Product:	Wireshark
Classification:	Unclassified
Component:	Dissection engine (libwireshark) (show other bugs)
Version:	Git
Hardware:	All All

Importance:	Low Major (vote)
Target Milestone:	---
Assignee:	Bugzilla Administrator

URL:

Depends on:
Blocks:

Reported:	2015-11-30 12:19 UTC by Mateusz Jurczyk
Modified:	2016-02-05 20:45 UTC (History)
CC List:	0 users

See Also:

Attachments
Reproducers. (1002 bytes, application/zip) 2015-11-30 12:19 UTC, Mateusz Jurczyk	Details
unzip file 1 (100 bytes, application/vnd.tcpdump.pcap) 2015-12-01 21:50 UTC, Michael Mann	Details
unzip file 2 (100 bytes, application/vnd.tcpdump.pcap) 2015-12-01 21:51 UTC, Michael Mann	Details
unzip file 3 (107 bytes, application/vnd.tcpdump.pcap) 2015-12-01 21:52 UTC, Michael Mann	Details
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mateusz Jurczyk 2015-11-30 12:19:09 UTC

Created attachment 14076 [details]
Reproducers.

Build Information:
Wireshark git master.
--
The following SIGSEGV crash due to an invalid memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

Attached are three files which trigger the crash.

--- cut ---
==31034==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc24e20fa84 (pc 0x7fbe445bb082 bp 0x7fff030fefb0 sp 0x7fff030fef00 T0)
    #0 0x7fbe445bb081 in dissect_nbap_MACdPDU_Size wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1622:79
    #1 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
    #2 0x7fbe445c760d in dissect_nbap_HSDSCH_Initial_Capacity_AllocationItem wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1650:12
    #3 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10
    #4 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9
    #5 0x7fbe445c7569 in dissect_nbap_HSDSCH_Initial_Capacity_Allocation wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1663:12
    #6 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
    #7 0x7fbe445da43d in dissect_nbap_CommonMACFlow_Specific_InfoItem_Response wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1682:12
    #8 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10
    #9 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9
    #10 0x7fbe445da399 in dissect_nbap_CommonMACFlow_Specific_InfoList_Response wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1695:12
    #11 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
    #12 0x7fbe445da2bd in dissect_nbap_HSDSCH_Common_System_Information_ResponseFDD wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:2120:12
    #13 0x7fbe44546230 in dissect_HSDSCH_Common_System_Information_ResponseFDD_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:2430:12
    #14 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #15 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
    #16 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #17 0x7fbe4456f40e in dissect_ProtocolExtensionFieldExtensionValue wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:320:11
    #18 0x7fbe433addf0 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:242:5
    #19 0x7fbe433ae10d in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:263:9
    #20 0x7fbe4456f370 in dissect_nbap_T_extensionValue wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:200:12
    #21 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
    #22 0x7fbe4456f12d in dissect_nbap_ProtocolExtensionField wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:215:12
    #23 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10
    #24 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9
    #25 0x7fbe4456ef09 in dissect_nbap_ProtocolExtensionContainer wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:228:12
    #26 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
    #27 0x7fbe445f23bf in dissect_nbap_CommonMeasurementInitiationRequest wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:263:12
    #28 0x7fbe445644d0 in dissect_CommonMeasurementInitiationRequest_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:5030:12
    #29 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #30 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
    #31 0x7fbe41b3802d in dissector_try_string wireshark/epan/packet.c:1443:9
    #32 0x7fbe4456e3ce in dissect_InitiatingMessageValue wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:326:11
    #33 0x7fbe433addf0 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:242:5
    #34 0x7fbe433ae10d in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:263:9
    #35 0x7fbe4456df10 in dissect_nbap_InitiatingMessage_value wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:702:12
    #36 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
    #37 0x7fbe4456d91d in dissect_nbap_InitiatingMessage wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:719:12
    #38 0x7fbe433cc861 in dissect_per_choice wireshark/epan/dissectors/packet-per.c:1714:13
    #39 0x7fbe4456d881 in dissect_nbap_NBAP_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:825:12
    #40 0x7fbe4456d740 in dissect_NBAP_PDU_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:8430:12
    #41 0x7fbe444e889b in dissect_nbap wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:457:9
    #42 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #43 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
    #44 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #45 0x7fbe4378f98b in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9
    #46 0x7fbe43786b88 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16
    #47 0x7fbe4377fd99 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14
    #48 0x7fbe4377cd03 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9
    #49 0x7fbe4377acdf in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3
    #50 0x7fbe43778cba in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3
    #51 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #52 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
    #53 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #54 0x7fbe428455f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #55 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #56 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
    #57 0x7fbe41b402be in call_dissector_only wireshark/epan/packet.c:2662:8
    #58 0x7fbe41b31ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #59 0x7fbe41b3133b in dissect_record wireshark/epan/packet.c:501:3
    #60 0x7fbe41adf3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #61 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #62 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #63 0x515daf in main wireshark/tshark.c:2197:13

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1622:79 in dissect_nbap_MACdPDU_Size
==31034==ABORTING
--- cut ---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Comment 1 Michael Mann 2015-12-01 21:50:37 UTC

Created attachment 14103 [details]
unzip file 1

Comment 2 Michael Mann 2015-12-01 21:51:03 UTC

Created attachment 14104 [details]
unzip file 2

Comment 3 Michael Mann 2015-12-01 21:52:30 UTC

Created attachment 14105 [details]
unzip file 3

Unzip files for the fuzzbots.

Comment 4 Michael Mann 2015-12-02 03:04:47 UTC

Guess I didn't make this public in time for the Gerrit hooks.  Fixed at https://code.wireshark.org/review/12347/

Comment 5 Gerrit Code Review 2016-02-05 20:45:05 UTC

Change 13770 had a related patch set uploaded by Balint Reczey:
[NBAP] Fix SIGSEGV in dissect_nbap_MACdPDU_Size

https://code.wireshark.org/review/13770

Comment 6 Gerrit Code Review 2016-02-05 20:45:13 UTC

Change 13770 merged by Balint Reczey:
[NBAP] Fix SIGSEGV in dissect_nbap_MACdPDU_Size

https://code.wireshark.org/review/13770