Bug 12175 - Wireshark heap-based out-of-bounds read in AirPDcapDecryptWPABroadcastKey
Summary: Wireshark heap-based out-of-bounds read in AirPDcapDecryptWPABroadcastKey
Status: RESOLVED FIXED
Alias: None
Product: Wireshark
Classification: Unclassified
Component: Dissection engine (libwireshark) (show other bugs)
Version: Git
Hardware: All All
: Low Major (vote)
Target Milestone: ---
Assignee: Bugzilla Administrator
URL:
Depends on:
Blocks:
 
Reported: 2016-02-25 10:49 UTC by Mateusz Jurczyk
Modified: 2016-06-09 17:35 UTC (History)
0 users

See Also:

Attachments
Reproducers. (1.03 KB, application/zip)
2016-02-25 10:49 UTC, Mateusz Jurczyk 		Details
unzip file 1 (109 bytes, application/vnd.tcpdump.pcap)
2016-05-10 15:37 UTC, Michael Mann 		Details
unzip file 2 (126 bytes, application/vnd.tcpdump.pcap)
2016-05-10 15:37 UTC, Michael Mann 		Details
unzip file 3 (109 bytes, application/vnd.tcpdump.pcap)
2016-05-10 15:37 UTC, Michael Mann 		Details
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mateusz Jurczyk 2016-02-25 10:49:23 UTC 
Created attachment 14361 [details]
Reproducers.

Build Information:
Wireshark git master.
--
The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

Attached are three files which trigger the crash.

--- cut ---
==8910==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004558a4 bp 0x7fffa0f13710 sp 0x7fffa0f12ec0
READ of size 16385 at 0x61b00001335c thread T0
    #0 0x4558a3 in memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438
    #1 0x7f1d70c97b65 in g_memdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b65)
    #2 0x7f1d78b4c531 in AirPDcapDecryptWPABroadcastKey wireshark/epan/crypt/airpdcap.c:360:32
    #3 0x7f1d78b4ba8c in AirPDcapRsna4WHandshake wireshark/epan/crypt/airpdcap.c:1522:21
    #4 0x7f1d78b424f6 in AirPDcapScanForKeys wireshark/epan/crypt/airpdcap.c:602:13
    #5 0x7f1d78b40d28 in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:815:21
    #6 0x7f1d79a70590 in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:17818:9
    #7 0x7f1d79a44406 in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18426:10
    #8 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8
    #9 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9
    #10 0x7f1d7897c89d in dissector_try_uint_new wireshark/epan/packet.c:1160:9
    #11 0x7f1d796c1235 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11
    #12 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8
    #13 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9
    #14 0x7f1d78986c0e in call_dissector_only wireshark/epan/packet.c:2674:8
    #15 0x7f1d7897839f in call_dissector_with_data wireshark/epan/packet.c:2687:8
    #16 0x7f1d789778c1 in dissect_record wireshark/epan/packet.c:509:3
    #17 0x7f1d7892ac99 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
    #18 0x52eebb in process_packet wireshark/tshark.c:3748:5
    #19 0x5281ac in load_cap_file wireshark/tshark.c:3504:11
    #20 0x51e4bc in main wireshark/tshark.c:2213:13

0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)
allocated by thread T0 here:
    #0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
    #1 0x7f1d70c80610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
    #2 0x7f1d8543f638 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2
    #3 0x5244dd in cf_open wireshark/tshark.c:4215:9
    #4 0x51decd in main wireshark/tshark.c:2204:9

SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438 in memcpy
Shadow bytes around the buggy address:
  0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
  0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8910==ABORTING
--- cut ---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 Gerrit Code Review 2016-05-10 00:42:55 UTC 
Change 15326 had a related patch set uploaded by Michael Mann:
Sanity check eapol_len in AirPDcapDecryptWPABroadcastKey

https://code.wireshark.org/review/15326
Comment 2 Gerrit Code Review 2016-05-10 15:20:53 UTC 
Change 15326 merged by Peter Wu:
Sanity check eapol_len in AirPDcapDecryptWPABroadcastKey

https://code.wireshark.org/review/15326
Comment 3 Gerrit Code Review 2016-05-10 15:23:32 UTC 
Change 15333 had a related patch set uploaded by Peter Wu:
Sanity check eapol_len in AirPDcapDecryptWPABroadcastKey

https://code.wireshark.org/review/15333
Comment 4 Gerrit Code Review 2016-05-10 15:24:38 UTC 
Change 15333 merged by Peter Wu:
Sanity check eapol_len in AirPDcapDecryptWPABroadcastKey

https://code.wireshark.org/review/15333
Comment 5 Michael Mann 2016-05-10 15:37:14 UTC 
Created attachment 14548 [details]
unzip file 1
Comment 6 Michael Mann 2016-05-10 15:37:28 UTC 
Created attachment 14549 [details]
unzip file 2
Comment 7 Michael Mann 2016-05-10 15:37:47 UTC 
Created attachment 14550 [details]
unzip file 3

unzipped for buildbots
Comment 8 Michael Mann 2016-05-10 15:38:25 UTC 
Fixed, so making public.