Bug 14403 - Missing bounds check on memory allocation in pcapng.c
Summary: Missing bounds check on memory allocation in pcapng.c
Status: RESOLVED FIXED
Alias: None
Product: Wireshark
Classification: Unclassified
Component: Capture file support (libwiretap)
Version: Git
Hardware: All All
Importance: Low Major
Target Milestone: ---
Assignee: Bugzilla Administrator
URL:
Depends on:
Blocks:
 
Reported: 2018-02-08 14:03 UTC by Magnus Stubman
Modified: 2018-02-23 00:50 UTC (History)
Description Magnus Stubman 2018-02-08 14:03:56 UTC
Build Information:
** (process:47134): WARNING **: No such preference "capture.devices_buffersize" at line 286 of
/home/magnus/.wireshark/preferences (save preferences to remove this warning)
TShark (Wireshark) 2.5.1 (28960d79)

Copyright 1998-2018 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.42.1, with zlib 1.2.8, without
SMI, with c-ares 1.10.0, with Lua 5.2.3, without GnuTLS, with Gcrypt 1.6.3,
without Kerberos, without GeoIP, without nghttp2, without LZ4, without Snappy,
with libxml2 2.9.1.

Running on Linux 3.16.0-5-amd64, with Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz
(with SSE4.2), with 7359 MB of physical memory, with locale en_US.UTF-8, with
Gcrypt 1.6.3, with zlib 1.2.8.

Built using gcc 4.9.2.
--
magnus@h4xb0x:~/projects/wireshark/fuzz/wiresharknoasan$ git rev-parse HEAD
28960d79cca262ac6b974f339697b299a1e28fef
magnus@h4xb0x:~/projects/wireshark/fuzz/wiresharknoasan$ cat ../hugealloc.pcap | base64
magnus@h4xb0x:~/projects/wireshark/fuzz/wiresharknoasan$ sha256sum ../hugealloc.pcap 
d06e724d1404481916ceb5d31749e8da09eeba7a5ee74e227871c3d103b5450b  ../hugealloc.pcap
magnus@h4xb0x:~/projects/wireshark/fuzz/wiresharknoasan$ valgrind ./tshark -r ../hugealloc.pcap
==39549== Memcheck, a memory error detector
==39549== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==39549== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==39549== Command: ./tshark -r ../hugealloc.pcap
==39549== 
==39549== Thread 2 register_all_protocols_worker:
==39549== Conditional jump or move depends on uninitialised value(s)
==39549==    at 0x1150E32: ws_mempbrk_sse42_compile (ws_mempbrk_sse42.c:69)
==39549== 

** (process:39549): WARNING **: No such preference "capture.devices_buffersize" at line 286 of
/home/magnus/.wireshark/preferences (save preferences to remove this warning)
buffer->allocated: 2048
space: 4294901768

(process:39549): GLib-ERROR **: /build/glib2.0-y6934K/glib2.0-2.42.1/./glib/gmem.c:168: failed to allocate 4294904840 bytes
==39549== 
==39549== Process terminating with default action of signal 5 (SIGTRAP)
==39549==    at 0x541FD30: g_logv (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4200.1)
==39549==    by 0x541FF6E: g_log (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4200.1)
==39549==    by 0x541E8B6: g_realloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4200.1)
==39549==    by 0x114A37A: ws_buffer_assure_space (buffer.c:97)
==39549==    by 0x49CC54: wtap_read_packet_bytes (wtap.c:1337)
==39549==    by 0x490967: pcapng_read_sysdig_event_block (pcapng.c:2262)
==39549==    by 0x490967: pcapng_read_block (pcapng.c:2429)
==39549==    by 0x49220C: pcapng_read (pcapng.c:2640)
==39549==    by 0x49CAA7: wtap_read (wtap.c:1230)
==39549==    by 0x45B2CA: process_cap_file (tshark.c:3318)
==39549==    by 0x45B2CA: main (tshark.c:2024)
==39549== 
==39549== HEAP SUMMARY:
==39549==     in use at exit: 28,211,768 bytes in 42,733 blocks
==39549==   total heap usage: 52,260 allocs, 9,527 frees, 4,329,591,134 bytes allocated
==39549== 
==39549== LEAK SUMMARY:
==39549==    definitely lost: 0 bytes in 0 blocks
==39549==    indirectly lost: 0 bytes in 0 blocks
==39549==      possibly lost: 0 bytes in 0 blocks
==39549==    still reachable: 28,211,768 bytes in 42,733 blocks
==39549==         suppressed: 0 bytes in 0 blocks
==39549== Rerun with --leak-check=full to see details of leaked memory
==39549== 
==39549== For counts of detected and suppressed errors, rerun with: -v
==39549== Use --track-origins=yes to see where uninitialised values come from
==39549== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Trace/breakpoint trap
Comment 1 Gerrit Code Review 2018-02-09 05:35:17 UTC
Change 25702 had a related patch set uploaded by Guy Harris:
Do the maximum block size check in pcap_read_block().

https://code.wireshark.org/review/25702
Comment 2 Gerrit Code Review 2018-02-09 05:35:37 UTC
Change 25702 merged by Guy Harris:
Do the maximum block size check in pcap_read_block().

https://code.wireshark.org/review/25702
Comment 3 Gerrit Code Review 2018-02-09 05:39:07 UTC
Change 25703 had a related patch set uploaded by Guy Harris:
Do the maximum block size check in pcap_read_block().

https://code.wireshark.org/review/25703
Comment 4 Gerrit Code Review 2018-02-09 05:39:25 UTC
Change 25703 merged by Guy Harris:
Do the maximum block size check in pcap_read_block().

https://code.wireshark.org/review/25703
Comment 5 Gerrit Code Review 2018-02-09 08:13:06 UTC
Change 25704 had a related patch set uploaded by Guy Harris:
Do the maximum block size check in pcap_read_block().

https://code.wireshark.org/review/25704
Comment 6 Gerrit Code Review 2018-02-09 08:13:29 UTC
Change 25704 merged by Guy Harris:
Do the maximum block size check in pcap_read_block().

https://code.wireshark.org/review/25704
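
Added example (not Wireshark's code and not taken from changes 25702-25704): a minimal pcapng-style block reader that compares the file-supplied block total length against a cap before any buffer is sized from it, which is the kind of check the merged change's title names. The `ex_` names, the 16 MiB cap, the little-endian assumption and the sample bytes are constructed for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Assumed values for this example, not Wireshark's own constants. */
#define EX_MAX_BLOCK_SIZE (16u * 1024u * 1024u)
#define EX_HDR_LEN 8u  /* block type + block total length */
#define EX_MIN_LEN 12u /* header + trailing copy of the length */
enum ex_status { EX_OK, EX_TRUNCATED, EX_TOO_SMALL, EX_TOO_LARGE, EX_NOMEM };

static uint32_t ex_le32(const uint8_t *p) /* little-endian section assumed */
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copy one block body out of `file`; each size is checked before use. */
enum ex_status ex_read_block(const uint8_t *file, size_t file_len,
                             uint8_t **body, uint32_t *body_len)
{
    *body = NULL; *body_len = 0;
    if (file_len < EX_HDR_LEN) return EX_TRUNCATED;
    uint32_t total = ex_le32(file + 4);   /* untrusted, straight from the file */
    if (total < EX_MIN_LEN) return EX_TOO_SMALL;        /* else total - 12 wraps */
    if (total > EX_MAX_BLOCK_SIZE) return EX_TOO_LARGE; /* reject before malloc */
    if (total > file_len) return EX_TRUNCATED;          /* claims more than exists */
    uint32_t n = total - EX_MIN_LEN;
    uint8_t *buf = malloc(n ? n : 1);
    if (buf == NULL) return EX_NOMEM;
    memcpy(buf, file + EX_HDR_LEN, n);
    *body = buf; *body_len = n;
    return EX_OK;
}

/* Constructed samples: a header claiming 0xFFFF002C bytes, and a 16-byte block. */
static const uint8_t ex_huge[] = { 0x04,0x02,0,0, 0x2c,0x00,0xff,0xff };
static const uint8_t ex_good[] = { 0x04,0x02,0,0, 16,0,0,0, 'a','b','c','d', 16,0,0,0 };
enum ex_status ex_demo_huge(void)
{
    uint8_t *b; uint32_t n;
    return ex_read_block(ex_huge, sizeof ex_huge, &b, &n);
}

uint32_t ex_demo_good(void)
{
    uint8_t *b; uint32_t n;
    enum ex_status s = ex_read_block(ex_good, sizeof ex_good, &b, &n);
    free(b);
    return s == EX_OK ? n : UINT32_MAX;
}
int main(void) { return ex_demo_huge() == EX_TOO_LARGE && ex_demo_good() == 4 ? 0 : 1; }
```

Without the cap, a length in the 4 GiB range flows directly into the allocator, which is the `g_realloc` failure visible in the trace above.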