Bug 14442 - [oss-fuzz] #6336 ieee80211: Crash in _gcry_aes_cbc_enc (AirPDcapPacketProcess)
Summary: [oss-fuzz] #6336 ieee80211: Crash in _gcry_aes_cbc_enc (AirPDcapPacketProcess)
Status: RESOLVED FIXED
Alias: None
Product: Wireshark
Classification: Unclassified
Component: Dissection engine (libwireshark)
Version: Git
Hardware: x86 Linux
Importance: Low Major
Target Milestone: ---
Assignee: Bugzilla Administrator
URL:
Depends on:
Blocks:
 
Reported: 2018-02-18 10:18 UTC by Jakub Zawadzki
Modified: 2018-02-22 19:17 UTC

See Also:


Attachments
Testcase (89 bytes, application/vnd.tcpdump.pcap)
2018-02-18 10:18 UTC, Jakub Zawadzki
Description Jakub Zawadzki 2018-02-18 10:18:51 UTC
Created attachment 16141 [details]
Testcase

Build Information:
TShark (Wireshark) 2.5.1 (v2.5.1rc0-182-gaef93dba)

Copyright 1998-2018 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.42.2, with zlib 1.2.8, without
SMI, without c-ares, without Lua, without GnuTLS, with Gcrypt 1.6.3, without
Kerberos, without GeoIP, without nghttp2, without LZ4, without Snappy, without
libxml2.

Running on Linux 3.17.4-301.fc21.x86_64, with Intel(R) Xeon(R) CPU          
E5530  @ 2.40GHz (with SSE4.2), with 24093 MB of physical memory, with locale
pl_PL.UTF-8, with Gcrypt 1.6.3, with zlib 1.2.8.

Built using gcc 4.9.2 20150212 (Red Hat 4.9.2-6).

--
oss-fuzz found a crash in ieee80211 dissector https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6336

Top backtrace:
#0  0x00007ffff13d08f3 in buf_xor (len=16, _src2=<optimized out>, _src1=<optimized out>, _dst=<optimized out>) at bufhelp.h:108
#1  _gcry_aes_cbc_enc (context=0x85aeb0, iv=0x85ad00 "\036\344\071QS\274\037\326\374\fq\210zy>\223", outbuf_arg=<optimized out>, inbuf_arg=<optimized out>, nblocks=4294949649, cbc_mac=1) at rijndael.c:1785
#2  0x00007ffff13b6eb7 in cmac_write (inlen=18446744073709551589, inbuf=0x83112b "", c=0x85aca0) at cipher-cmac.c:72
#3  _gcry_cipher_cmac_authenticate (c=0x85aca0, abuf=<optimized out>, abuflen=<optimized out>) at cipher-cmac.c:211
#4  0x00007ffff13a8ec6 in gcry_mac_write (hd=0x85ac70, buf=buf@entry=0x831122, buflen=18446744073709551598) at visibility.c:913
#5  0x00007ffff403cc3a in AirPDcapTDLSDeriveKey (action=<optimized out>, offset_link=<optimized out>, offset_timeout=42, offset_fte=46, offset_rsne=40, data=0x8310e0 "K", ' ' <repeats 23 times>, "\252\252\003", 
    sa=0x7ffff7b1b900 <airpdcap_ctx>) at airpdcap.c:2266
#6  AirPDcapScanForKeys (ctx=ctx@entry=0x7ffff7b1b900 <airpdcap_ctx>, data=data@entry=0x8310e0 "K", ' ' <repeats 23 times>, "\252\252\003", mac_header_len=mac_header_len@entry=24, tot_len=<optimized out>, id=...) at airpdcap.c:741
#7  0x00007ffff40d3d04 in AirPDcapPacketProcess (ctx=ctx@entry=0x7ffff7b1b900 <airpdcap_ctx>, data=0x8310e0 "K", ' ' <repeats 23 times>, "\252\252\003", mac_header_len=mac_header_len@entry=24, tot_len=tot_len@entry=49, 
    decrypt_data=decrypt_data@entry=0x0, decrypt_len=decrypt_len@entry=0x0, key=0x0, scanHandshake=1) at airpdcap.c:820
#8  0x00007ffff44b9953 in dissect_ieee80211_common (tvb=0x8598c0, pinfo=<optimized out>, tree=0x0, option_flags=option_flags@entry=4, phdr=<optimized out>) at packet-ieee80211.c:20298
#9  0x00007ffff44bb3bc in dissect_ieee80211 (tvb=<optimized out>, pinfo=<optimized out>, tree=<optimized out>, data=<optimized out>) at packet-ieee80211.c:20888

The problem seems to be in AirPDcapTDLSDeriveKey(), which passes a negative buflen to gcry_mac_write:

#5  0x00007ffff403cc3a in AirPDcapTDLSDeriveKey (action=<optimized out>, offset_link=<optimized out>, offset_timeout=42, offset_fte=46, offset_rsne=40, data=0x8310e0 "K", ' ' <repeats 23 times>, "\252\252\003", 
    sa=0x7ffff7b1b900 <airpdcap_ctx>) at airpdcap.c:2266
2266	    gcry_mac_write(cmac_handle, &data[offset_fte + 20], data[offset_fte + 1] + 2 - 20);
(gdb) print data[offset_fte + 1]
$1 = 0 '\000'
(gdb) print data[offset_fte + 1] + 2 - 20
$2 = -18
(gdb) print (size_t) data[offset_fte + 1] + 2 - 20
$3 = 18446744073709551598
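The length arithmetic quoted in the description, as an added example that is not part of this bug report or of Wireshark's own fix. The FTE layout it assumes (2-byte element header, 2-byte MIC control, 16-byte MIC, then the MIC-covered nonces and subelements, which is why the code skips 20 bytes and subtracts 20 from length + 2) and the hardened check are illustrative assumptions, not the checks in the Gerrit changes below. The two input buffers are constructed: one is the zero-length element the fuzzer produced, the other a minimal well-formed FTE.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not Wireshark code). Assumed FTE layout:
 *   [0] element ID   [1] length   [2..3] MIC control   [4..19] MIC
 *   [20..] ANonce, SNonce, subelements  (the bytes the CMAC covers)
 * so "&data[offset_fte + 20]" is the MIC-covered part and
 * "data[offset_fte + 1] + 2 - 20" is meant to be its size.
 */
#define FTE_HDR_LEN  2   /* element ID + length byte */
#define FTE_SKIP     20  /* header + MIC control + 16-byte MIC */

/* Constructed input: the element the fuzzer produced, length byte 0. */
const uint8_t fuzz_fte[2] = { 0x37, 0x00 };

/* Constructed input: a minimal well-formed FTE (length 82 = 2 + 16 + 32 + 32);
   MIC and nonces left zero because only the length arithmetic matters here. */
const uint8_t valid_fte[84] = { [0] = 0x37, [1] = 82 };

/* Same expression as airpdcap.c:2266. data[] is unsigned char, so the length
   byte promotes to int: 0 + 2 - 20 == -18. The implicit conversion to size_t
   at the gcry_mac_write() call turns that into 18446744073709551598. */
size_t vulnerable_mic_len(const uint8_t *data, size_t offset_fte)
{
    int signed_len = data[offset_fte + 1] + 2 - 20;
    return (size_t)signed_len;   /* what gcry_mac_write() actually receives */
}

/* Hardened form: returns the number of MIC-covered bytes, or -1 when the
   element is too short to contain a MIC or would run past the end of the
   frame (tot_len). All arithmetic is arranged so nothing can wrap. */
long checked_mic_len(const uint8_t *data, size_t tot_len, size_t offset_fte)
{
    if (offset_fte > tot_len || tot_len - offset_fte < FTE_HDR_LEN)
        return -1;                                   /* no room for ID + length */
    size_t ie_len = data[offset_fte + 1];
    if (ie_len + FTE_HDR_LEN < FTE_SKIP)
        return -1;                                   /* MIC control / MIC missing */
    if (tot_len - offset_fte - FTE_HDR_LEN < ie_len)
        return -1;                                   /* element truncated by frame */
    return (long)(ie_len + FTE_HDR_LEN - FTE_SKIP);  /* cannot underflow here */
}

int main(void)
{
    printf("fuzz case: vulnerable len = %zu, checked = %ld\n",
           vulnerable_mic_len(fuzz_fte, 0),
           checked_mic_len(fuzz_fte, sizeof fuzz_fte, 0));
    printf("valid FTE: vulnerable len = %zu, checked = %ld\n",
           vulnerable_mic_len(valid_fte, 0),
           checked_mic_len(valid_fte, sizeof valid_fte, 0));
    printf("valid FTE, frame cut to 40 bytes: checked = %ld\n",
           checked_mic_len(valid_fte, 40, 0));
    return 0;
}
```

The second and third checks are the ones a fuzzer exercises: a length byte smaller than the fixed part of the element, and an element whose declared length exceeds what is left in the frame. Both must be tested against the frame's total length before any pointer into the element is handed to libgcrypt.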
Comment 1 Gerrit Code Review 2018-02-20 19:50:59 UTC
Change 25937 had a related patch set uploaded by Gerald Combs:
Airpdcap: Add length checks.

https://code.wireshark.org/review/25937
Comment 2 Gerrit Code Review 2018-02-20 20:00:06 UTC
Change 25939 had a related patch set uploaded by Gerald Combs:
Airpdcap: Add length checks.

https://code.wireshark.org/review/25939
Comment 3 Gerrit Code Review 2018-02-21 01:05:32 UTC
Change 25937 merged by Michael Mann:
Airpdcap: Add length checks.

https://code.wireshark.org/review/25937
Comment 4 Gerrit Code Review 2018-02-21 11:30:35 UTC
Change 25939 merged by Michael Mann:
Airpdcap: Add length checks.

https://code.wireshark.org/review/25939
Comment 5 Gerrit Code Review 2018-02-22 00:00:11 UTC
Change 25976 had a related patch set uploaded by Gerald Combs:
Airpdcap: Add length checks.

https://code.wireshark.org/review/25976
Comment 6 Gerrit Code Review 2018-02-22 05:08:54 UTC
Change 25976 merged by Anders Broman:
Airpdcap: Add length checks.

https://code.wireshark.org/review/25976