Bug 14410 - [oss-fuzz] sigcomp: failed to allocate 18446744073709551615 (-1) bytes
Summary: [oss-fuzz] sigcomp: failed to allocate 18446744073709551615 (-1) bytes
Status: RESOLVED FIXED
Alias: None
Product: Wireshark
Classification: Unclassified
Component: Dissection engine (libwireshark)
Version: Git
Hardware: x86 Linux
Importance: Low Normal
Target Milestone: ---
Assignee: Bugzilla Administrator
URL:
Depends on:
Blocks:
 
Reported: 2018-02-11 15:42 UTC by Jakub Zawadzki
Modified: 2018-02-23 00:48 UTC

See Also:


Attachments
Sample pcap file in which sigcomp calls wmem_alloc(..., -1) (129 bytes, application/vnd.tcpdump.pcap)
2018-02-11 15:42 UTC, Jakub Zawadzki

Description Jakub Zawadzki 2018-02-11 15:42:11 UTC
Created attachment 16115 [details]
Sample pcap file in which sigcomp calls wmem_alloc(..., -1)

Build Information:
TShark (Wireshark) 2.5.1 (v2.5.1rc0-73-ge438cf2e)

Copyright 1998-2018 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.42.2, with zlib 1.2.8, without
SMI, without c-ares, without Lua, without GnuTLS, with Gcrypt 1.6.3, without
Kerberos, without GeoIP, without nghttp2, without LZ4, without Snappy, without
libxml2.

Running on Linux 3.17.4-301.fc21.x86_64, with Intel(R) Xeon(R) CPU E5530 @ 2.40GHz (with SSE4.2), with 24093 MB of physical memory, with locale en_US.UTF-8, with Gcrypt 1.6.3, with zlib 1.2.8.

Built using gcc 4.9.2 20150212 (Red Hat 4.9.2-6).

--
Attaching pcap sample which triggers g_error() when tshark is run with WIRESHARK_DEBUG_WMEM_OVERRIDE=simple

(process:16842): GLib-ERROR **: gmem.c:103: failed to allocate 18446744073709551615 bytes

Backtrace:

(gdb) bt
#0  g_logv (log_domain=0x7ffff229944e "GLib", log_level=G_LOG_LEVEL_ERROR, format=<optimized out>, args=args@entry=0x7fffffffcba0) at gmessages.c:1046
#1  0x00007ffff2233baf in g_log (log_domain=log_domain@entry=0x7ffff229944e "GLib", log_level=log_level@entry=G_LOG_LEVEL_ERROR, format=format@entry=0x7ffff22a29b0 "%s: failed to allocate %lu bytes") at gmessages.c:1079
#2  0x00007ffff2232430 in g_malloc (n_bytes=18446744073709551615) at gmem.c:102
#3  0x00007ffff4d8898c in wmem_simple_alloc (private_data=<optimized out>, size=18446744073709551615) at wmem_allocator_simple.c:43
#4  0x00007ffff488195c in dissect_sigcomp_tcp (tvb=0xf8ff20, pinfo=0xff3d28, tree=0x0, _data=<optimized out>) at packet-sigcomp.c:4531

wmem_alloc(..., -1) is called by dissect_sigcomp_tcp:

#4  0x00007ffff488195c in dissect_sigcomp_tcp (tvb=0xf8ff20, pinfo=0xff3d28, tree=0x0, _data=<optimized out>) at packet-sigcomp.c:4531
4531	    buff = (guint8 *)wmem_alloc(pinfo->pool, length-offset);
(gdb) print length - offset
$2 = -1
(gdb) print length
$3 = 1
(gdb) print offset
$4 = 2


This has no oss-fuzz bug number yet; it was extracted from a corpus file (sha1: beee3b13656f12ead54e9ecb9e055e0ff7994e74)
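As an added illustration (not code from this report or from Wireshark), the following C program reproduces the arithmetic behind the backtrace: with length=1 and offset=2, `length - offset` is -1 as a signed value, and converting it to the allocator's size_t parameter yields 18446744073709551615, which is what g_malloc() then refuses. It also shows a defensive check that rejects an inconsistent length/offset pair before any allocation is attempted. The allocator `toy_alloc`, the helper names, and the assumption that `length` and `offset` are plain `int` (suggested by the -1 gdb prints) are this example's own; the merged change 25735 is titled "use correct message length", which suggests it corrects the length value itself rather than adding this check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for wmem_alloc(): its size parameter is size_t, so a negative
 * int is converted to a huge unsigned value before the allocator sees it.
 * This is an illustrative helper, not Wireshark's wmem allocator. */
static void *toy_alloc(size_t size) {
    /* Refuse absurd requests instead of aborting like g_malloc() does. */
    if (size > ((size_t)1 << 30)) {
        return NULL;
    }
    return malloc(size);
}

/* What `length - offset` becomes once passed as size_t: the int
 * subtraction happens first (1 - 2 == -1), then the result is converted
 * to size_t, giving SIZE_MAX on a 64-bit build. */
size_t unchecked_alloc_size(int length, int offset) {
    return (size_t)(length - offset);
}

/* Hardened form: validate before the subtraction and return the size
 * through an out-parameter so a failure cannot be mistaken for a size. */
bool checked_alloc_size(int length, int offset, size_t *out) {
    if (length < 0 || offset < 0 || offset > length) {
        return false;   /* length - offset would be negative */
    }
    *out = (size_t)(length - offset);
    return true;
}

/* Mirrors the allocation at packet-sigcomp.c:4531: returns NULL when the
 * length/offset pair is inconsistent instead of requesting SIZE_MAX bytes. */
uint8_t *alloc_remaining(int length, int offset) {
    size_t n;
    if (!checked_alloc_size(length, offset, &n)) {
        return NULL;
    }
    return (uint8_t *)toy_alloc(n);
}

int main(void) {
    /* Values taken from the gdb session in the report (constructed input). */
    int length = 1, offset = 2;
    printf("unchecked size for (1, 2): %zu\n", unchecked_alloc_size(length, offset));

    uint8_t *buf = alloc_remaining(length, offset);
    printf("checked (1, 2): %s\n", buf ? "allocated" : "rejected");
    free(buf);

    buf = alloc_remaining(10, 2);
    printf("checked (10, 2): %s\n", buf ? "allocated 8 bytes" : "rejected");
    free(buf);
    return 0;
}
```

The check is cheap and belongs at the point where `offset` is derived from packet data; an allocator that merely caps the request (as `toy_alloc` does) turns an abort into a NULL return but does not fix the dissector's bookkeeping.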
Comment 1 Gerrit Code Review 2018-02-11 20:13:42 UTC
Change 25735 had a related patch set uploaded by Pascal Quantin:
SIGCOMP: use correct message length

https://code.wireshark.org/review/25735
Comment 2 Gerrit Code Review 2018-02-12 00:23:03 UTC
Change 25735 merged by Michael Mann:
SIGCOMP: use correct message length

https://code.wireshark.org/review/25735
Comment 3 Gerrit Code Review 2018-02-12 00:23:42 UTC
Change 25739 had a related patch set uploaded by Michael Mann:
SIGCOMP: use correct message length

https://code.wireshark.org/review/25739
Comment 4 Gerrit Code Review 2018-02-12 00:23:59 UTC
Change 25740 had a related patch set uploaded by Michael Mann:
SIGCOMP: use correct message length

https://code.wireshark.org/review/25740
Comment 5 Gerrit Code Review 2018-02-12 03:29:28 UTC
Change 25740 merged by Michael Mann:
SIGCOMP: use correct message length

https://code.wireshark.org/review/25740
Comment 6 Gerrit Code Review 2018-02-12 03:29:45 UTC
Change 25739 merged by Michael Mann:
SIGCOMP: use correct message length

https://code.wireshark.org/review/25739