Copyright 1998-2017 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.52.2, with zlib 1.2.11, without SMI, with c-ares 1.13.0, with Lua
5.2.4, with GnuTLS 3.5.15, with Gcrypt 1.8.1, with MIT Kerberos, with GeoIP,
with nghttp2 1.23.1, with LZ4, with Snappy, with libxml2 2.9.5.
Running on Linux 4.12.10-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 32060 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.15, with Gcrypt 1.8.1, with zlib 1.2.11.
Built using clang 4.2.1 Compatible Clang 4.0.1 (tags/RELEASE_401/final).
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3293

Attached is the sample that triggers this error, which can be reproduced with an ASAN+UBSAN build of Wireshark:

tshark -Vxr clusterfuzz-testcase-minimized-4559062802890752.pcap

--
epan/dissectors/packet-btatt.c:10019:103: runtime error: load of null pointer of type 'guint16' (aka 'unsigned short')
    #0 0x7fb439d91a2a in dissect_btatt epan/dissectors/packet-btatt.c:10019:103
    #1 0x7fb43d8a387d in call_dissector_through_handle epan/packet.c:690:8
    #2 0x7fb43d88d82f in call_dissector_work epan/packet.c:765:9
    #3 0x7fb43d88c84d in dissector_try_uint_new epan/packet.c:1335:8
    #4 0x7fb439f3c9da in dissect_btl2cap epan/dissectors/packet-btl2cap.c:2695:26
    #5 0x7fb43d8a387d in call_dissector_through_handle epan/packet.c:690:8
    #6 0x7fb43d88d82f in call_dissector_work epan/packet.c:765:9
    #7 0x7fb43d88c84d in dissector_try_uint_new epan/packet.c:1335:8
    #8 0x7fb43d88dd89 in dissector_try_uint epan/packet.c:1359:9
    #9 0x7fb43af5d252 in dissect_snap epan/dissectors/packet-llc.c:682:9
    #10 0x7fb43af5daae in dissect_llc epan/dissectors/packet-llc.c:439:3
    #11 0x7fb43d8a387d in call_dissector_through_handle epan/packet.c:690:8
    #12 0x7fb43d88d82f in call_dissector_work epan/packet.c:765:9
    #13 0x7fb43d89c577 in call_dissector_only epan/packet.c:2998:8
    #14 0x7fb43d8845d4 in call_dissector_with_data epan/packet.c:3011:8
    #15 0x7fb43d89c5c1 in call_dissector epan/packet.c:3028:9
    #16 0x7fb43ab9d7ed in dissect_802_3 epan/dissectors/packet-ieee8023.c:91:7
    #17 0x7fb43a615816 in dissect_eth_common epan/dissectors/packet-eth.c:473:5
    #18 0x7fb43a60c9ec in dissect_eth_withoutfcs epan/dissectors/packet-eth.c:810:3
    #19 0x7fb43d8a387d in call_dissector_through_handle epan/packet.c:690:8
    #20 0x7fb43d88d82f in call_dissector_work epan/packet.c:765:9
    #21 0x7fb43d89c577 in call_dissector_only epan/packet.c:2998:8
    #22 0x7fb43d8845d4 in call_dissector_with_data epan/packet.c:3011:8
    #23 0x7fb43d89c5c1 in call_dissector epan/packet.c:3028:9
    #24 0x7fb43b6197f0 in dissect_bcp_bpdu epan/dissectors/packet-ppp.c:5054:21
    #25 0x7fb43d8a387d in call_dissector_through_handle epan/packet.c:690:8
    #26 0x7fb43d88d82f in call_dissector_work epan/packet.c:765:9
    #27 0x7fb43d88c84d in dissector_try_uint_new epan/packet.c:1335:8
    #28 0x7fb43d88dd89 in dissector_try_uint epan/packet.c:1359:9
    #29 0x7fb43b6262bd in dissect_ppp_common epan/dissectors/packet-ppp.c:4838:10
    #30 0x7fb43b6259b3 in dissect_ppp_hdlc_common epan/dissectors/packet-ppp.c:5873:5
    #31 0x7fb43b60b505 in dissect_ppp_raw_hdlc epan/dissectors/packet-ppp.c:6072:17
    #32 0x7fb43d8a387d in call_dissector_through_handle epan/packet.c:690:8
    #33 0x7fb43d88d82f in call_dissector_work epan/packet.c:765:9
    #34 0x7fb43d88c84d in dissector_try_uint_new epan/packet.c:1335:8
    #35 0x7fb43d88dd89 in dissector_try_uint epan/packet.c:1359:9
    #36 0x7fb43a7f109a in dissect_gre epan/dissectors/packet-gre.c:513:14
    #37 0x7fb43d8a387d in call_dissector_through_handle epan/packet.c:690:8
    #38 0x7fb43d88d82f in call_dissector_work epan/packet.c:765:9
    #39 0x7fb43d88c84d in dissector_try_uint_new epan/packet.c:1335:8
    #40 0x7fb43abe7b52 in ip_try_dissect epan/dissectors/packet-ip.c:1865:7
    #41 0x7fb43ac631ba in ipv6_dissect_next epan/dissectors/packet-ipv6.c:2462:9
    #42 0x7fb43ac66b03 in dissect_ipv6 epan/dissectors/packet-ipv6.c:2410:5
    #43 0x7fb43d8a387d in call_dissector_through_handle epan/packet.c:690:8
    #44 0x7fb43d88d82f in call_dissector_work epan/packet.c:765:9
    #45 0x7fb43d89c577 in call_dissector_only epan/packet.c:2998:8
    #46 0x7fb43d8845d4 in call_dissector_with_data epan/packet.c:3011:8
    #47 0x7fb43d89c5c1 in call_dissector epan/packet.c:3028:9
    #48 0x7fb43abea899 in dissect_ip_v4 epan/dissectors/packet-ip.c:1934:9
    #49 0x7fb43d8a387d in call_dissector_through_handle epan/packet.c:690:8
    #50 0x7fb43d88d82f in call_dissector_work epan/packet.c:765:9
    #51 0x7fb43d88c84d in dissector_try_uint_new epan/packet.c:1335:8
    #52 0x7fb43d88dd89 in dissector_try_uint epan/packet.c:1359:9
    #53 0x7fb43a61d048 in dissect_ethertype epan/dissectors/packet-ethertype.c:269:21
    #54 0x7fb43d8a387d in call_dissector_through_handle epan/packet.c:690:8
    #55 0x7fb43d88d82f in call_dissector_work epan/packet.c:765:9
    #56 0x7fb43d89c577 in call_dissector_only epan/packet.c:2998:8
    #57 0x7fb43d8845d4 in call_dissector_with_data epan/packet.c:3011:8
    #58 0x7fb43a618eb5 in dissect_eth_common epan/dissectors/packet-eth.c:536:5
    #59 0x7fb43a60e737 in dissect_eth epan/dissectors/packet-eth.c:800:5
    #60 0x7fb43d8a387d in call_dissector_through_handle epan/packet.c:690:8
    #61 0x7fb43d88d82f in call_dissector_work epan/packet.c:765:9
    #62 0x7fb43d88c84d in dissector_try_uint_new epan/packet.c:1335:8
    #63 0x7fb43a7540c0 in dissect_frame epan/dissectors/packet-frame.c:521:11
    #64 0x7fb43d8a387d in call_dissector_through_handle epan/packet.c:690:8
    #65 0x7fb43d88d82f in call_dissector_work epan/packet.c:765:9
    #66 0x7fb43d89c577 in call_dissector_only epan/packet.c:2998:8
    #67 0x7fb43d8845d4 in call_dissector_with_data epan/packet.c:3011:8
    #68 0x7fb43d8835c5 in dissect_record epan/packet.c:573:3
    #69 0x7fb43d818e18 in epan_dissect_run_with_taps epan/epan.c:480:2
    #70 0x557ab97a9d88 in process_packet_single_pass tshark.c:3527:5
    #71 0x557ab97a2715 in process_cap_file tshark.c:3353:11
    #72 0x557ab979a249 in main tshark.c:2046:17
    #73 0x7fb42f347f69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
    #74 0x557ab9680839 in _start (run/tshark+0xd8839)

SUMMARY: AddressSanitizer: undefined-behavior epan/dissectors/packet-btatt.c:10019:103 in