Copyright 1998-2017 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.52.2, with zlib 1.2.11, without SMI, with c-ares 1.13.0, with Lua
5.2.4, with GnuTLS 3.5.15, with Gcrypt 1.8.1, with MIT Kerberos, with GeoIP,
with nghttp2 1.23.1, with LZ4, with Snappy, with libxml2 2.9.5.
Running on Linux 4.12.10-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 32060 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.15, with Gcrypt 1.8.1, with zlib 1.2.11.
Built using clang 4.2.1 Compatible Clang 4.0.1 (tags/RELEASE_401/final).
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3372

Attached is the sample that triggers this error which can be reproduced with an ASAN+UBSAN build of Wireshark:

tshark -Vxr clusterfuzz-testcase-minimized-4674256493346816.pcap

--
epan/tvbuff.c:783:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
    #0 0x7f4d04387b30 in tvb_memcpy epan/tvbuff.c:783:10
    #1 0x7f4d043884a3 in tvb_memdup epan/tvbuff.c:830:9
    #2 0x7f4d00cb5de0 in dissect_7bit_string epan/dissectors/packet-dmp.c:1624:31
    #3 0x7f4d00cb5517 in dissect_ipm_identifier epan/dissectors/packet-dmp.c:2720:14
    #4 0x7f4d00ca5c3b in dissect_dmp_content epan/dissectors/packet-dmp.c:3809:18
    #5 0x7f4d00c9c344 in dissect_dmp epan/dissectors/packet-dmp.c:3921:14
    #6 0x7f4d0416493d in call_dissector_through_handle epan/packet.c:690:8
    #7 0x7f4d0414e8ef in call_dissector_work epan/packet.c:765:9
    #8 0x7f4d0414d90d in dissector_try_uint_new epan/packet.c:1335:8
    #9 0x7f4d0414ee49 in dissector_try_uint epan/packet.c:1359:9
    #10 0x7f4d028b6abb in decode_udp_ports epan/dissectors/packet-udp.c:679:7
    #11 0x7f4d028cd572 in dissect epan/dissectors/packet-udp.c:1140:5
    #12 0x7f4d028bc13f in dissect_udp epan/dissectors/packet-udp.c:1146:3
    #13 0x7f4d0416493d in call_dissector_through_handle epan/packet.c:690:8
    #14 0x7f4d0414e8ef in call_dissector_work epan/packet.c:765:9
    #15 0x7f4d0414d90d in dissector_try_uint_new epan/packet.c:1335:8
    #16 0x7f4d014a3f92 in ip_try_dissect epan/dissectors/packet-ip.c:1865:7
    #17 0x7f4d0151f5fa in ipv6_dissect_next epan/dissectors/packet-ipv6.c:2462:9
    #18 0x7f4d01522f43 in dissect_ipv6 epan/dissectors/packet-ipv6.c:2410:5
    #19 0x7f4d0416493d in call_dissector_through_handle epan/packet.c:690:8
    #20 0x7f4d0414e8ef in call_dissector_work epan/packet.c:765:9
    #21 0x7f4d0415d637 in call_dissector_only epan/packet.c:2998:8
    #22 0x7f4d04145694 in call_dissector_with_data epan/packet.c:3011:8
    #23 0x7f4d0415d681 in call_dissector epan/packet.c:3028:9
    #24 0x7f4d014a4b7c in dissect_ip epan/dissectors/packet-ip.c:2351:5
    #25 0x7f4d0416493d in call_dissector_through_handle epan/packet.c:690:8
    #26 0x7f4d0414e8ef in call_dissector_work epan/packet.c:765:9
    #27 0x7f4d0414d90d in dissector_try_uint_new epan/packet.c:1335:8
    #28 0x7f4d0414ee49 in dissector_try_uint epan/packet.c:1359:9
    #29 0x7f4d01ee491d in dissect_ppp_common epan/dissectors/packet-ppp.c:4838:10
    #30 0x7f4d01ee4013 in dissect_ppp_hdlc_common epan/dissectors/packet-ppp.c:5873:5
    #31 0x7f4d01ec9b65 in dissect_ppp_raw_hdlc epan/dissectors/packet-ppp.c:6072:17
    #32 0x7f4d0416493d in call_dissector_through_handle epan/packet.c:690:8
    #33 0x7f4d0414e8ef in call_dissector_work epan/packet.c:765:9
    #34 0x7f4d0414d90d in dissector_try_uint_new epan/packet.c:1335:8
    #35 0x7f4d0414ee49 in dissector_try_uint epan/packet.c:1359:9
    #36 0x7f4d010ace1a in dissect_gre epan/dissectors/packet-gre.c:513:14
    #37 0x7f4d0416493d in call_dissector_through_handle epan/packet.c:690:8
    #38 0x7f4d0414e8ef in call_dissector_work epan/packet.c:765:9
    #39 0x7f4d0414d90d in dissector_try_uint_new epan/packet.c:1335:8
    #40 0x7f4d014a3f92 in ip_try_dissect epan/dissectors/packet-ip.c:1865:7
    #41 0x7f4d0151f5fa in ipv6_dissect_next epan/dissectors/packet-ipv6.c:2462:9
    #42 0x7f4d01522f43 in dissect_ipv6 epan/dissectors/packet-ipv6.c:2410:5
    #43 0x7f4d0416493d in call_dissector_through_handle epan/packet.c:690:8
    #44 0x7f4d0414e8ef in call_dissector_work epan/packet.c:765:9
    #45 0x7f4d0415d637 in call_dissector_only epan/packet.c:2998:8
    #46 0x7f4d04145694 in call_dissector_with_data epan/packet.c:3011:8
    #47 0x7f4d0415d681 in call_dissector epan/packet.c:3028:9
    #48 0x7f4d014a6cd9 in dissect_ip_v4 epan/dissectors/packet-ip.c:1934:9
    #49 0x7f4d0416493d in call_dissector_through_handle epan/packet.c:690:8
    #50 0x7f4d0414e8ef in call_dissector_work epan/packet.c:765:9
    #51 0x7f4d0414d90d in dissector_try_uint_new epan/packet.c:1335:8
    #52 0x7f4d0414ee49 in dissector_try_uint epan/packet.c:1359:9
    #53 0x7f4d00ed8dc8 in dissect_ethertype epan/dissectors/packet-ethertype.c:269:21
    #54 0x7f4d0416493d in call_dissector_through_handle epan/packet.c:690:8
    #55 0x7f4d0414e8ef in call_dissector_work epan/packet.c:765:9
    #56 0x7f4d0415d637 in call_dissector_only epan/packet.c:2998:8
    #57 0x7f4d04145694 in call_dissector_with_data epan/packet.c:3011:8
    #58 0x7f4d00ed4c35 in dissect_eth_common epan/dissectors/packet-eth.c:536:5
    #59 0x7f4d00eca4b7 in dissect_eth epan/dissectors/packet-eth.c:800:5
    #60 0x7f4d0416493d in call_dissector_through_handle epan/packet.c:690:8
    #61 0x7f4d0414e8ef in call_dissector_work epan/packet.c:765:9
    #62 0x7f4d0414d90d in dissector_try_uint_new epan/packet.c:1335:8
    #63 0x7f4d0100fe40 in dissect_frame epan/dissectors/packet-frame.c:521:11
    #64 0x7f4d0416493d in call_dissector_through_handle epan/packet.c:690:8
    #65 0x7f4d0414e8ef in call_dissector_work epan/packet.c:765:9
    #66 0x7f4d0415d637 in call_dissector_only epan/packet.c:2998:8
    #67 0x7f4d04145694 in call_dissector_with_data epan/packet.c:3011:8
    #68 0x7f4d04144685 in dissect_record epan/packet.c:573:3
    #69 0x7f4d040d9ed8 in epan_dissect_run_with_taps epan/epan.c:480:2
    #70 0x55ea42acfd78 in process_packet_single_pass tshark.c:3523:5
    #71 0x55ea42ac8705 in process_cap_file tshark.c:3349:11
    #72 0x55ea42ac0249 in main tshark.c:2042:17
    #73 0x7f4cf5bf9f69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
    #74 0x55ea429a6839 in _start (run/tshark+0xd8839)
SUMMARY: AddressSanitizer: undefined-behavior epan/tvbuff.c:783:17 in
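The UBSAN finding above is memcpy, whose first argument is declared nonnull, receiving a NULL destination from a memdup-style copy. The following is an added C illustration written for this page, not Wireshark's tvbuff code and not the fix the project applied: the toybuf_t type, toy_alloc, the status codes and the sample bytes are all hypothetical, and the assumption that a zero-byte allocation returns NULL is made here only to show how a zero-length duplicate can reach memcpy with a NULL destination. It contrasts that unchecked path with a hardened duplicate that bounds-checks the range and never calls memcpy when there is nothing to copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a packet buffer; hypothetical, not Wireshark's tvbuff. */
typedef struct {
    const uint8_t *data;
    size_t         len;
} toybuf_t;

/* Constructed sample payload standing in for the fuzzed packet bytes. */
static const uint8_t sample_bytes[] = { 'a','b','c','d','e','f','g','h' };
static const toybuf_t sample = { sample_bytes, sizeof sample_bytes };

enum dup_status {
    DUP_OK = 0,
    DUP_EMPTY,          /* zero-length request, nothing copied */
    DUP_OUT_OF_BOUNDS,  /* offset/len do not fit in the buffer */
    DUP_ALLOC_FAILED
};

/* Allocator that returns NULL for a zero-byte request. Assumption made for
 * this example only: such an allocator is what leaves the copy destination
 * NULL when a dissector asks for a zero-length duplicate. */
static void *toy_alloc(size_t n)
{
    return n == 0 ? NULL : malloc(n);
}

/* Mirrors the unchecked path: allocate, then hand the result straight to
 * memcpy. It does not perform the copy; it only reports whether the memcpy
 * that would follow would receive NULL as argument 1, which is exactly the
 * condition UBSAN flags against memcpy's nonnull attribute. */
static int naive_dup_violates_nonnull(size_t len)
{
    void *dst = toy_alloc(len);
    int violates = (dst == NULL);
    free(dst);                       /* free(NULL) is a no-op */
    return violates;
}

/* Hardened duplicate: bounds-check first, and never call memcpy for a
 * zero-length request, so memcpy's nonnull contract always holds. */
static uint8_t *safe_memdup(const toybuf_t *buf, size_t offset, size_t len,
                            enum dup_status *status)
{
    /* Two comparisons so offset + len cannot wrap around. */
    if (offset > buf->len || len > buf->len - offset) {
        *status = DUP_OUT_OF_BOUNDS;
        return NULL;
    }
    if (len == 0) {
        /* Hand back a valid 1-byte, NUL-filled allocation instead of NULL so
         * downstream string handling has something safe to point at. */
        uint8_t *empty = malloc(1);
        if (empty == NULL) { *status = DUP_ALLOC_FAILED; return NULL; }
        empty[0] = 0;
        *status = DUP_EMPTY;
        return empty;
    }
    uint8_t *dst = toy_alloc(len);
    if (dst == NULL) {
        *status = DUP_ALLOC_FAILED;
        return NULL;
    }
    memcpy(dst, buf->data + offset, len);
    *status = DUP_OK;
    return dst;
}

/* Wrappers over the constructed sample so results are plain integers. */
int demo_naive_violates(size_t len)
{
    return naive_dup_violates_nonnull(len);
}

int demo_safe_status(size_t offset, size_t len)
{
    enum dup_status st;
    uint8_t *p = safe_memdup(&sample, offset, len, &st);
    free(p);
    return (int)st;
}

/* 1 if the duplicate equals the requested slice of the sample, else 0. */
int demo_safe_copy_matches(size_t offset, size_t len)
{
    enum dup_status st;
    uint8_t *p = safe_memdup(&sample, offset, len, &st);
    int ok = (st == DUP_OK && p != NULL &&
              memcmp(p, sample_bytes + offset, len) == 0);
    free(p);
    return ok;
}

int main(void)
{
    printf("naive path, len 0: memcpy would get NULL dst = %d\n", demo_naive_violates(0));
    printf("safe path, len 0: status %d (DUP_EMPTY is %d)\n", demo_safe_status(0, 0), DUP_EMPTY);
    printf("safe path, offset 2 len 3 copies correctly = %d\n", demo_safe_copy_matches(2, 3));
    printf("safe path, offset 6 len 5: status %d (DUP_OUT_OF_BOUNDS is %d)\n",
           demo_safe_status(6, 5), DUP_OUT_OF_BOUNDS);
    return 0;
}
```

The naive function deliberately stops short of calling memcpy, because memcpy(NULL, src, 0) is only diagnosed when the binary is built with UBSAN; without the sanitizer it usually runs silently, which is why this class of bug surfaces in fuzzing builds rather than in ordinary testing.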
Oops, that commit refers to v2.5.0rc0-1009-gc52a702a + three TLS 1.3 draft -18 patches. Can still reproduce with latest master though (v2.5.0rc0-1040-ge8e8b0d0).