Missing bounds check on memory allocation in pcapng.c
Build Information:
** (process:47134): WARNING **: No such preference "capture.devices_buffersize" at line 286 of /home/magnus/.wireshark/preferences (save preferences to remove this warning)
TShark (Wireshark) 2.5.1 (28960d79)

Copyright 1998-2018 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.42.1, with zlib 1.2.8, without
SMI, with c-ares 1.10.0, with Lua 5.2.3, without GnuTLS, with Gcrypt 1.6.3,
without Kerberos, without GeoIP, without nghttp2, without LZ4, without Snappy,
with libxml2 2.9.1.

Running on Linux 3.16.0-5-amd64, with Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz
(with SSE4.2), with 7359 MB of physical memory, with locale en_US.UTF-8, with
Gcrypt 1.6.3, with zlib 1.2.8.

Built using gcc 4.9.2.
--
magnus@h4xb0x:~/projects/wireshark/fuzz/wiresharknoasan$ git rev-parse HEAD
28960d79cca262ac6b974f339697b299a1e28fef
magnus@h4xb0x:~/projects/wireshark/fuzz/wiresharknoasan$ cat ../hugealloc.pcap | base64
magnus@h4xb0x:~/projects/wireshark/fuzz/wiresharknoasan$ sha256sum ../hugealloc.pcap
d06e724d1404481916ceb5d31749e8da09eeba7a5ee74e227871c3d103b5450b  ../hugealloc.pcap
magnus@h4xb0x:~/projects/wireshark/fuzz/wiresharknoasan$ valgrind ./tshark -r ../hugealloc.pcap
==39549== Memcheck, a memory error detector
==39549== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==39549== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==39549== Command: ./tshark -r ../hugealloc.pcap
==39549==
==39549== Thread 2 register_all_protocols_worker:
==39549== Conditional jump or move depends on uninitialised value(s)
==39549==    at 0x1150E32: ws_mempbrk_sse42_compile (ws_mempbrk_sse42.c:69)
==39549==
** (process:39549): WARNING **: No such preference "capture.devices_buffersize" at line 286 of /home/magnus/.wireshark/preferences (save preferences to remove this warning)
buffer->allocated: 2048 space: 4294901768
(process:39549): GLib-ERROR **: /build/glib2.0-y6934K/glib2.0-2.42.1/./glib/gmem.c:168: failed to allocate 4294904840 bytes
==39549==
==39549== Process terminating with default action of signal 5 (SIGTRAP)
==39549==    at 0x541FD30: g_logv (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4200.1)
==39549==    by 0x541FF6E: g_log (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4200.1)
==39549==    by 0x541E8B6: g_realloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4200.1)
==39549==    by 0x114A37A: ws_buffer_assure_space (buffer.c:97)
==39549==    by 0x49CC54: wtap_read_packet_bytes (wtap.c:1337)
==39549==    by 0x490967: pcapng_read_sysdig_event_block (pcapng.c:2262)
==39549==    by 0x490967: pcapng_read_block (pcapng.c:2429)
==39549==    by 0x49220C: pcapng_read (pcapng.c:2640)
==39549==    by 0x49CAA7: wtap_read (wtap.c:1230)
==39549==    by 0x45B2CA: process_cap_file (tshark.c:3318)
==39549==    by 0x45B2CA: main (tshark.c:2024)
==39549==
==39549== HEAP SUMMARY:
==39549==     in use at exit: 28,211,768 bytes in 42,733 blocks
==39549==   total heap usage: 52,260 allocs, 9,527 frees, 4,329,591,134 bytes allocated
==39549==
==39549== LEAK SUMMARY:
==39549==    definitely lost: 0 bytes in 0 blocks
==39549==    indirectly lost: 0 bytes in 0 blocks
==39549==      possibly lost: 0 bytes in 0 blocks
==39549==    still reachable: 28,211,768 bytes in 42,733 blocks
==39549==         suppressed: 0 bytes in 0 blocks
==39549== Rerun with --leak-check=full to see details of leaked memory
==39549==
==39549== For counts of detected and suppressed errors, rerun with: -v
==39549== Use --track-origins=yes to see where uninitialised values come from
==39549== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Trace/breakpoint trap
Change 25702 had a related patch set uploaded by Guy Harris: Do the maximum block size check in pcap_read_block(). https://code.wireshark.org/review/25702
Change 25702 merged by Guy Harris: Do the maximum block size check in pcap_read_block(). https://code.wireshark.org/review/25702
Change 25703 had a related patch set uploaded by Guy Harris: Do the maximum block size check in pcap_read_block(). https://code.wireshark.org/review/25703
Change 25703 merged by Guy Harris: Do the maximum block size check in pcap_read_block(). https://code.wireshark.org/review/25703
Change 25704 had a related patch set uploaded by Guy Harris: Do the maximum block size check in pcap_read_block(). https://code.wireshark.org/review/25704
Change 25704 merged by Guy Harris: Do the maximum block size check in pcap_read_block(). https://code.wireshark.org/review/25704
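Added example, not Wireshark's code and not part of the original report: the kind of maximum block size check the changes above refer to, applied to a block header before any read buffer is grown. The ex_ names, the 16 MiB cap, the little-endian byte order and the sample headers are assumptions constructed for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limits for this example; not copied from pcapng.c. */
#define EX_MIN_BLOCK_SIZE 12u                   /* type + length + trailing length */
#define EX_MAX_BLOCK_SIZE (16u * 1024u * 1024u) /* hypothetical cap */

enum { EX_OK = 0, EX_SHORT = -1, EX_BAD_LENGTH = -2 };

/* Constructed sample headers (block type, block total length), little-endian. */
static const uint8_t ex_huge[8] = {0x04, 0x02, 0, 0, 0x08, 0x00, 0xFF, 0xFF}; /* 0xFFFF0008 */
static const uint8_t ex_tiny[8] = {0x04, 0x02, 0, 0, 0x04, 0, 0, 0};          /* 4 */
static const uint8_t ex_sane[8] = {0x04, 0x02, 0, 0, 0x2C, 0, 0, 0};          /* 44 */

static uint32_t ex_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Before: trusts the declared length, so the caller sizes its buffer from
 * whatever the file says (and a declared length below 12 wraps around). */
uint32_t ex_body_len_unchecked(const uint8_t *hdr)
{
    return ex_le32(hdr + 4) - EX_MIN_BLOCK_SIZE;
}

/* After: reject out-of-range lengths before any buffer is grown. */
int ex_body_len_checked(const uint8_t *hdr, size_t avail, uint32_t *body_len)
{
    uint32_t total;
    if (avail < 8)
        return EX_SHORT;
    total = ex_le32(hdr + 4);
    if (total < EX_MIN_BLOCK_SIZE || total > EX_MAX_BLOCK_SIZE)
        return EX_BAD_LENGTH;
    *body_len = total - EX_MIN_BLOCK_SIZE;
    return EX_OK;
}

int main(void)
{
    uint32_t n = 0;
    printf("huge: unchecked=%u checked=%d\n", (unsigned)ex_body_len_unchecked(ex_huge), ex_body_len_checked(ex_huge, 8, &n));
    printf("tiny: unchecked=%u checked=%d\n", (unsigned)ex_body_len_unchecked(ex_tiny), ex_body_len_checked(ex_tiny, 8, &n));
    printf("sane: checked=%d body=%u\n", ex_body_len_checked(ex_sane, 8, &n), (unsigned)n);
    return 0;
}
```

With the unchecked helper both malformed headers yield a body length close to 4 GiB, the same order of magnitude as the failed allocation in the trace; the checked helper rejects them before a buffer request is made.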