Bug 11829 - Wireshark static out-of-bounds read in dissct_rsl_ipaccess_msg
Summary: Wireshark static out-of-bounds read in dissct_rsl_ipaccess_msg
Status: RESOLVED FIXED
Alias: None
Product: Wireshark
Classification: Unclassified
Component: Dissection engine (libwireshark) (show other bugs)
Version: Git
Hardware: All All
: Low Major (vote)
Target Milestone: ---
Assignee: Bugzilla Administrator
URL:
Depends on:
Blocks:
 
Reported: 2015-11-30 16:27 UTC by Mateusz Jurczyk
Modified: 2016-03-06 20:16 UTC (History)
0 users

See Also:

Attachments
Reproducers. (1.02 KB, application/zip)
2015-11-30 16:28 UTC, Mateusz Jurczyk 		Details
unzip file 1 (113 bytes, application/vnd.tcpdump.pcap)
2015-12-12 03:29 UTC, Michael Mann 		Details
unzip file 2 (123 bytes, application/vnd.tcpdump.pcap)
2015-12-12 03:30 UTC, Michael Mann 		Details
unzip file 3 (116 bytes, application/vnd.tcpdump.pcap)
2015-12-12 03:33 UTC, Michael Mann 		Details
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mateusz Jurczyk 2015-11-30 16:27:59 UTC 
Build Information:
Wireshark git master.
--
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

Attached are three files which trigger the crash.

--- cut ---
==7557==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7ff755ab5a18 at pc 0x7ff74b48f257 bp 0x7ffc467efe50 sp 0x7ffc467efe48
READ of size 4 at 0x7ff755ab5a18 thread T0
    #0 0x7ff74b48f256 in dissct_rsl_ipaccess_msg wireshark/epan/dissectors/packet-rsl.c:3055:23
    #1 0x7ff74b48a788 in dissct_rsl_msg wireshark/epan/dissectors/packet-rsl.c:3181:18
    #2 0x7ff74b4951cb in dissect_rsl_ie_err_msg wireshark/epan/dissectors/packet-rsl.c:2206:14
    #3 0x7ff74b48bf1b in dissct_rsl_msg wireshark/epan/dissectors/packet-rsl.c:3383:22
    #4 0x7ff74b48a477 in dissect_rsl wireshark/epan/dissectors/packet-rsl.c:3847:14
    #5 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #6 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
    #7 0x7ff7499e32be in call_dissector_only wireshark/epan/packet.c:2662:8
    #8 0x7ff7499d4ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #9 0x7ff7499e3344 in call_dissector wireshark/epan/packet.c:2692:9
    #10 0x7ff74a88a7ee in dissect_ipa wireshark/epan/dissectors/packet-gsm_ipa.c:365:5
    #11 0x7ff74a889dab in dissect_ipa_tcp wireshark/epan/dissectors/packet-gsm_ipa.c:376:2
    #12 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #13 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
    #14 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #15 0x7ff74b98a9dd in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4615:9
    #16 0x7ff74b990043 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
    #17 0x7ff74b98b39c in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
    #18 0x7ff74b9a07a3 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
    #19 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #20 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
    #21 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #22 0x7ff74aae688b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
    #23 0x7ff74aaf12b9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
    #24 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #25 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
    #26 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #27 0x7ff7499d9964 in dissector_try_uint wireshark/epan/packet.c:1174:9
    #28 0x7ff74a5f848d in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
    #29 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #30 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
    #31 0x7ff7499e32be in call_dissector_only wireshark/epan/packet.c:2662:8
    #32 0x7ff7499d4ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #33 0x7ff74a5f4725 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
    #34 0x7ff74a5ecf33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
    #35 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #36 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
    #37 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #38 0x7ff74a6e85f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #39 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #40 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
    #41 0x7ff7499e32be in call_dissector_only wireshark/epan/packet.c:2662:8
    #42 0x7ff7499d4ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #43 0x7ff7499d433b in dissect_record wireshark/epan/packet.c:501:3
    #44 0x7ff7499823c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #45 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #46 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #47 0x515daf in main wireshark/tshark.c:2197:13

0x7ff755ab5a18 is located 0 bytes to the right of global variable 'rsl_att_tlvdef' defined in 'packet-rsl.c:685:30' (0x7ff755ab5220) of size 2040
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-rsl.c:3055:23 in dissct_rsl_ipaccess_msg
Shadow bytes around the buggy address:
  0x0fff6ab4eaf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff6ab4eb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff6ab4eb10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff6ab4eb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fff6ab4eb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff6ab4eb40: 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fff6ab4eb50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fff6ab4eb60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fff6ab4eb70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fff6ab4eb80: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fff6ab4eb90: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7557==ABORTING
--- cut ---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 Mateusz Jurczyk 2015-11-30 16:28:34 UTC 
Created attachment 14089 [details]
Reproducers.
Comment 2 Michael Mann 2015-12-12 03:29:14 UTC 
Created attachment 14137 [details]
unzip file 1
Comment 3 Michael Mann 2015-12-12 03:30:03 UTC 
Created attachment 14138 [details]
unzip file 2
Comment 4 Michael Mann 2015-12-12 03:33:19 UTC 
Created attachment 14139 [details]
unzip file 3

Unzip files for the fuzzbots
Comment 5 Michael Mann 2015-12-12 03:34:00 UTC 
Made public for Gerrit hooks.
Comment 6 Gerrit Code Review 2015-12-12 03:34:27 UTC 
Change 12558 had a related patch set uploaded by Michael Mann:
[RSL] Just return rest of packet if TLV type is unknown

https://code.wireshark.org/review/12558
Comment 7 Gerrit Code Review 2015-12-12 08:01:32 UTC 
Change 12558 merged by Anders Broman:
[RSL] Just return rest of packet if TLV type is unknown

https://code.wireshark.org/review/12558
Comment 8 Gerrit Code Review 2015-12-12 08:13:09 UTC 
Change 12563 had a related patch set uploaded by Anders Broman:
[RSL] Just return rest of packet if TLV type is unknown

https://code.wireshark.org/review/12563
Comment 9 Gerrit Code Review 2015-12-12 08:16:16 UTC 
Change 12563 merged by Anders Broman:
[RSL] Just return rest of packet if TLV type is unknown

https://code.wireshark.org/review/12563
Comment 10 Gerrit Code Review 2015-12-12 08:17:35 UTC 
Change 12564 had a related patch set uploaded by Anders Broman:
[RSL] Just return rest of packet if TLV type is unknown

https://code.wireshark.org/review/12564
Comment 11 Gerrit Code Review 2015-12-12 08:18:11 UTC 
Change 12564 merged by Anders Broman:
[RSL] Just return rest of packet if TLV type is unknown

https://code.wireshark.org/review/12564
Comment 12 Mateusz Jurczyk 2016-01-08 16:58:00 UTC 
Please note that the condition causing the AddressSanitizer crash hasn't been fixed properly, as the out-of-bounds memory access in line 3055:

switch (tdef->type) {

still takes place.
Comment 13 Gerrit Code Review 2016-02-19 17:46:29 UTC 
Change 14011 had a related patch set uploaded by Peter Wu:
rsl: avoid buffer overread

https://code.wireshark.org/review/14011
Comment 14 Gerrit Code Review 2016-02-19 17:47:44 UTC 
Change 14011 merged by Peter Wu:
rsl: avoid buffer overread

https://code.wireshark.org/review/14011
Comment 15 Gerrit Code Review 2016-02-19 17:48:26 UTC 
Change 14012 had a related patch set uploaded by Peter Wu:
rsl: avoid buffer overread

https://code.wireshark.org/review/14012
Comment 16 Gerrit Code Review 2016-02-19 17:48:41 UTC 
Change 14012 merged by Peter Wu:
rsl: avoid buffer overread

https://code.wireshark.org/review/14012
Comment 17 Gerrit Code Review 2016-02-19 17:49:20 UTC 
Change 14013 had a related patch set uploaded by Peter Wu:
rsl: avoid buffer overread

https://code.wireshark.org/review/14013
Comment 18 Gerrit Code Review 2016-02-19 17:49:42 UTC 
Change 14013 merged by Peter Wu:
rsl: avoid buffer overread

https://code.wireshark.org/review/14013
Comment 19 Gerrit Code Review 2016-03-04 15:35:50 UTC 
Change 14342 had a related patch set uploaded by Balint Reczey:
rsl: avoid buffer overread

https://code.wireshark.org/review/14342
Comment 20 Gerrit Code Review 2016-03-04 16:08:13 UTC 
Change 14342 merged by Balint Reczey:
rsl: avoid buffer overread

https://code.wireshark.org/review/14342
Comment 21 Gerrit Code Review 2016-03-05 09:01:47 UTC 
Change 14355 had a related patch set uploaded by Balint Reczey:
[RSL] Just return rest of packet if TLV type is unknown

https://code.wireshark.org/review/14355
Comment 22 Gerrit Code Review 2016-03-05 09:53:58 UTC 
Change 14355 merged by Balint Reczey:
[RSL] Just return rest of packet if TLV type is unknown

https://code.wireshark.org/review/14355
Comment 23 Gerrit Code Review 2016-03-05 10:01:43 UTC 
Change 14356 had a related patch set uploaded by Balint Reczey:
[RSL] Just return rest of packet if TLV type is unknown

https://code.wireshark.org/review/14356
Comment 24 Gerrit Code Review 2016-03-05 10:02:59 UTC 
Change 14356 merged by Balint Reczey:
[RSL] Just return rest of packet if TLV type is unknown

https://code.wireshark.org/review/14356
Comment 25 Gerrit Code Review 2016-03-06 20:16:36 UTC 
Change 14372 had a related patch set uploaded by Balint Reczey:
rsl: avoid buffer overread

https://code.wireshark.org/review/14372
Comment 26 Gerrit Code Review 2016-03-06 20:16:47 UTC 
Change 14372 merged by Balint Reczey:
rsl: avoid buffer overread

https://code.wireshark.org/review/14372