[oss-fuzz] #6159 IPMI: Null-dereference READ in rq17
Build Information:
TShark (Wireshark) 2.5.1 (v2.5.1rc0-40-g4be24cfc)

Copyright 1998-2018 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.42.2, with zlib 1.2.8, without SMI,
without c-ares, without Lua, without GnuTLS, with Gcrypt 1.6.3, without Kerberos,
without GeoIP, without nghttp2, without LZ4, without Snappy, without libxml2.

Running on Linux 3.17.4-301.fc21.x86_64, with Intel(R) Xeon(R) CPU E5530 @ 2.40GHz
(with SSE4.2), with 24093 MB of physical memory, with locale en_US.UTF-8, with
Gcrypt 1.6.3, with zlib 1.2.8.

Built using gcc 4.9.2 20150212 (Red Hat 4.9.2-6).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6159

Opening the attached pcap crashes in rq17 because ipmi_get_hdr(pinfo) is NULL; backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff451b4e9 in rq17 (tvb=0xfbec10, pinfo=0xfabb08, tree=0xfbeb70) at packet-ipmi-picmg.c:1208
1208        guint to_shmm = ipmi_get_hdr(pinfo)->rs_sa == 0x20;
(gdb) bt
#0  0x00007ffff451b4e9 in rq17 (tvb=0xfbec10, pinfo=0xfabb08, tree=0xfbeb70) at packet-ipmi-picmg.c:1208
#1  0x00007ffff4516352 in dissect_ipmi_cmd (tvb=tvb@entry=0xfbe7f0, pinfo=pinfo@entry=0xfabb08, tree=tree@entry=0xfbbd20, hf_parent_item=hf_parent_item@entry=66273, ett_tree=ett_tree@entry=15368, ctx=ctx@entry=0x7fffffffcf70) at packet-ipmi.c:738
#2  0x00007ffff4516c1a in do_dissect_ipmb (tvb=0xfbe7f0, pinfo=0xfabb08, tree=0xfbbd20, hf_parent_item=66273, ett_tree=15368, arg=0x0) at packet-ipmi.c:1698
#3  0x00007ffff40c8f3b in call_dissector_through_handle (handle=handle@entry=0x7fffec16df60, tvb=tvb@entry=0xfbe7f0, pinfo=pinfo@entry=0xfabb08, tree=tree@entry=0xfbbd20, data=data@entry=0x0) at packet.c:679
#4  0x00007ffff40c9ed2 in call_dissector_work (handle=0x7fffec16df60, tvb=0xfbe7f0, pinfo_arg=0xfabb08, tree=0xfbbd20, add_proto_name=1, data=0x0) at packet.c:764
#5  0x00007ffff40cbaf2 in call_dissector_with_data (handle=<optimized out>, tvb=0xfbe7f0, pinfo=0xfabb08, tree=0xfbbd20, data=<optimized out>) at packet.c:3090
#6  0x00007ffff45202ed in dissect_ipmi_session (tvb=0xfbe6a0, pinfo=0xfabb08, tree=0xfbbd20, data=<optimized out>) at packet-ipmi-session.c:239
(...)
Missing attached pcap
Change 25745 had a related patch set uploaded by Michael Mann: packet-ipmi-picmg.c: Add NULL check in rq17. https://code.wireshark.org/review/25745
Created attachment 16121: capture file to trigger a crash
Sorry, attaching pcap to trigger a crash.
Change 25745 merged by Anders Broman: packet-ipmi-picmg.c: Add NULL check in rq17. https://code.wireshark.org/review/25745
Change 25754 had a related patch set uploaded by Michael Mann: packet-ipmi-picmg.c: Add NULL check in rq17. https://code.wireshark.org/review/25754
Change 25755 had a related patch set uploaded by Michael Mann: packet-ipmi-picmg.c: Add NULL check in rq17. https://code.wireshark.org/review/25755
Change 25755 merged by Michael Mann: packet-ipmi-picmg.c: Add NULL check in rq17. https://code.wireshark.org/review/25755
Change 25754 merged by Michael Mann: packet-ipmi-picmg.c: Add NULL check in rq17. https://code.wireshark.org/review/25754