Wireshark infinite / very deep recursion in dissect_ber_constrained_octet_string

This issue was migrated from bug 11822 in our old bug tracker.

Original bug information:

Reporter: Mateusz Jurczyk
Status: RESOLVED FIXED
Product: Wireshark
Component: Dissection engine (libwireshark)
OS: All
Platform: All
Version: Git

Attachments:

reproducers.zip: Reproducers.
ber-overflow.pcap: editcap -F pcap -r asan_generic_1a55377_2683_c0fcb70ae9b848c5e923b99d1c217ec6.pcap ber-overflow.pcap 4390-4458

See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4421

💬 Mateusz Jurczyk said:

Created attachment 14082

Reproducers.

Build Information:

Wireshark git master.

The following crash due to an infinite or very deep recursion can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

Attached are three files which trigger the crash.

--- cut ---
==4042==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe55dd9f40 (pc 0x7f028c401c17 bp 0x7ffe55dda1e0 sp 0x7ffe55dd9f40 T0)
    #0 0x7f028c401c16 in dissect_ber_identifier wireshark/epan/dissectors/packet-ber.c:1248
    #1 0x7f028c40af29 in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1556:18
    #2 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #3 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #4 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #5 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #6 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #7 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #8 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #9 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #10 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #11 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #12 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #13 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #14 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #15 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #16 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #17 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #18 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #19 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #20 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #21 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #22 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #23 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #24 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #25 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #26 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #27 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #28 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #29 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #30 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #31 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #32 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #33 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #34 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #35 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #36 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #37 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #38 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #39 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #40 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #41 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #42 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #43 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #44 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #45 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #46 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #47 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #48 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #49 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #50 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #51 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #52 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #53 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #54 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #55 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #56 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #57 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #58 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #59 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #60 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #61 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #62 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #63 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #64 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #65 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #66 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #67 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #68 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #69 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #70 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #71 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #72 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #73 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #74 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #75 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #76 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #77 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #78 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #79 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #80 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #81 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #82 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #83 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #84 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #85 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #86 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #87 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #88 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #89 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #90 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #91 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #92 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #93 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #94 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #95 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #96 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #97 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #98 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #99 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #100 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #101 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #102 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #103 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #104 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #105 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #106 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #107 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #108 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #109 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #110 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #111 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #112 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #113 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #114 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #115 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #116 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #117 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #118 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #119 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #120 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #121 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #122 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #123 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #124 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #125 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #126 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #127 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #128 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #129 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #130 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #131 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #132 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #133 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #134 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #135 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #136 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #137 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #138 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #139 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #140 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #141 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #142 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #143 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #144 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #145 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #146 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #147 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #148 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #149 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #150 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #151 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #152 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #153 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #154 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #155 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #156 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #157 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #158 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #159 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #160 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #161 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #162 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #163 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #164 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #165 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #166 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #167 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #168 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #169 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #170 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #171 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #172 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #173 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #174 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #175 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #176 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #177 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #178 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #179 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #180 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #181 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #182 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #183 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #184 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #185 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #186 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #187 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #188 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #189 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #190 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #191 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #192 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #193 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #194 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #195 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #196 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #197 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #198 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #199 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #200 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #201 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #202 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #203 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #204 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #205 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #206 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #207 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #208 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #209 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #210 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #211 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #212 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #213 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #214 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #215 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #216 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #217 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #218 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #219 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #220 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #221 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #222 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #223 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #224 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #225 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #226 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #227 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #228 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #229 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #230 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #231 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #232 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #233 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #234 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #235 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #236 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #237 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #238 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #239 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #240 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #241 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #242 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #243 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #244 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #245 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #246 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #247 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #248 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10
    #249 0x7f028c40d2b3 in reassemble_octet_string wireshark/epan/dissectors/packet-ber.c:1446:18
    #250 0x7f028c40c08b in dissect_ber_constrained_octet_string wireshark/epan/dissectors/packet-ber.c:1615:22
    #251 0x7f028c40f0b7 in dissect_ber_octet_string wireshark/epan/dissectors/packet-ber.c:1764:10

SUMMARY: AddressSanitizer: stack-overflow wireshark/epan/dissectors/packet-ber.c:1248 in dissect_ber_identifier
==4042==ABORTING
--- cut ---

added libwireshark versiondev labels

💬 Peter Wu said:

Created attachment 14354
editcap -F pcap -r asan_generic_1a55377_2683_c0fcb70ae9b848c5e923b99d1c217ec6.pcap ber-overflow.pcap 4390-4458

Provided samples do not crash on me for v2.1.0rc0-2090-g8d256d2 and v2.0.2rc0-161-g3a9de63. Only asan_generic_1a55377_2683_c0fcb70ae9b848c5e923b99d1c217ec6.pcap (and the attached subset) still crashes on v1.12.10rc0-44-gce2a840.

It seems that not crashing is by sheer luck, there is a real stack overflow here by deep recursion. Bottom of the stack:

...
reassemble_octet_string (..., offset=4022, con_len=97, ind=0, out_tvb=0x7fffffe02910) at epan/dissectors/packet-ber.c:1447
dissect_ber_constrained_octet_string (..., offset=4022, ..., out_tvb=0x7fffffe02910) at epan/dissectors/packet-ber.c:1616
dissect_ber_octet_string (..., offset=4020, hf_id=69797, out_tvb=0x7fffffe02910) at epan/dissectors/packet-ber.c:1765

reassemble_octet_string (..., offset=4020, con_len=97, ind=0, out_tvb=0x7fffffe02d10) at epan/dissectors/packet-ber.c:1447
dissect_ber_constrained_octet_string (..., offset=4020, ..., out_tvb=0x7fffffe02d10) at epan/dissectors/packet-ber.c:1616
dissect_ber_octet_string (..., offset=4018, hf_id=69797, out_tvb=0x7fffffe02d10) at epan/dissectors/packet-ber.c:1765

reassemble_octet_string (..., offset=4018, con_len=97, ind=0, out_tvb=0x7fffffe03110) at epan/dissectors/packet-ber.c:1447
dissect_ber_constrained_octet_string (..., offset=4018, ..., out_tvb=0x7fffffe03110) at epan/dissectors/packet-ber.c:1616
dissect_ber_octet_string (..., offset=4016, hf_id=69797, out_tvb=0x7fffffe03110) at epan/dissectors/packet-ber.c:1765
...
reassemble_octet_string (..., offset=12, ..., out_tvb=0x7fffffff7d10) at epan/dissectors/packet-ber.c:1447
dissect_ber_constrained_octet_string (..., offset=12, ..., out_tvb=0x7fffffff7d10) at epan/dissectors/packet-ber.c:1616
dissect_ber_octet_string (..., offset=10, ..., out_tvb=0x7fffffff7d10) at epan/dissectors/packet-ber.c:1765

reassemble_octet_string (..., offset=10, ..., out_tvb=0x7fffffff8110) at epan/dissectors/packet-ber.c:1447
dissect_ber_constrained_octet_string (..., offset=10, ..., out_tvb=0x7fffffff8110) at epan/dissectors/packet-ber.c:1616
dissect_ber_octet_string (..., offset=8, ..., out_tvb=0x7fffffff8110) at epan/dissectors/packet-ber.c:1765


Problem boils down to this chain:

 dissect_ber_octet_string(gboolean implicit_tag, ...)
    return dissect_ber_constrained_octet_string(implicit_tag, ...);

 dissect_ber_constrained_octet_string(gboolean implicit_tag, ...)
    ...
    if (!implicit_tag) {
        hoffset = offset;
        /* read header and len for the octet string */
        offset = dissect_ber_identifier(...);
        offset = dissect_ber_length(...);
        end_offset = offset+len;
    ...
    if (pc) {
        /* constructed */
        end_offset = reassemble_octet_string(..., offset, ...);
 /* recurse with offset + 2 */

 reassemble_octet_string(...)
    while(!fd_head) {

        offset = dissect_ber_octet_string(FALSE, ..., offset, ...);
 /* recursion continues */

💬 Gerrit Code Review said:

Change 14108 had a related patch set uploaded by Peter Wu: ber: avoid deep recursion for constructed strings

https://code.wireshark.org/review/14108

💬 Gerrit Code Review said:

Change 14108 merged by Anders Broman: ber: avoid deep recursion for constructed strings

https://code.wireshark.org/review/14108

💬 Gerrit Code Review said:

Change 14110 had a related patch set uploaded by Anders Broman: ber: avoid deep recursion for constructed strings

https://code.wireshark.org/review/14110

💬 Gerrit Code Review said:

Change 14110 merged by Anders Broman: ber: avoid deep recursion for constructed strings

https://code.wireshark.org/review/14110

💬 Gerrit Code Review said:

Change 14111 had a related patch set uploaded by Anders Broman: ber: avoid deep recursion for constructed strings

https://code.wireshark.org/review/14111

💬 Gerrit Code Review said:

Change 14111 merged by Anders Broman: ber: avoid deep recursion for constructed strings

https://code.wireshark.org/review/14111

💬 Gerrit Code Review said:

Change 14348 had a related patch set uploaded by Balint Reczey: ber: avoid deep recursion for constructed strings

https://code.wireshark.org/review/14348

💬 Gerrit Code Review said:

Change 14348 merged by Balint Reczey: ber: avoid deep recursion for constructed strings

https://code.wireshark.org/review/14348

💬 Gerrit Code Review said:

Change 14376 had a related patch set uploaded by Balint Reczey: ber: avoid deep recursion for constructed strings

https://code.wireshark.org/review/14376

💬 Gerrit Code Review said:

Change 14376 merged by Balint Reczey: ber: avoid deep recursion for constructed strings

https://code.wireshark.org/review/14376

closed