Bug 14443 - [oss-fuzz] #5914 NBAP: Crash in dissect_nbap_TransportFormatSet_NrOfTransportBlocks
Status: RESOLVED FIXED
Alias: None
Product: Wireshark
Classification: Unclassified
Component: Dissection engine (libwireshark)
Version: Git
Hardware: x86 Linux
Importance: Low Major
Target Milestone: ---
Assignee: Bugzilla Administrator
Reported: 2018-02-18 11:56 UTC by Jakub Zawadzki
Modified: 2018-02-23 00:49 UTC

Attachments
capture file (496 bytes, application/vnd.tcpdump.pcap)
2018-02-18 11:56 UTC, Jakub Zawadzki
Description Jakub Zawadzki 2018-02-18 11:56:10 UTC
Created attachment 16142
capture file

Build Information:
TShark (Wireshark) 2.5.1 (v2.5.1rc0-182-gaef93dba)

Copyright 1998-2018 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.42.2, with zlib 1.2.8, without
SMI, without c-ares, without Lua, without GnuTLS, with Gcrypt 1.6.3, without
Kerberos, without GeoIP, without nghttp2, without LZ4, without Snappy, without
libxml2.

Running on Linux 3.17.4-301.fc21.x86_64, with Intel(R) Xeon(R) CPU          
E5530  @ 2.40GHz (with SSE4.2), with 24093 MB of physical memory, with locale
pl_PL.UTF-8, with Gcrypt 1.6.3, with zlib 1.2.8.

Built using gcc 4.9.2 20150212 (Red Hat 4.9.2-6).

--
oss-fuzz during fuzzing found a crash in the nbap dissector (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5914)

It can be attached with tshark -V using the attached capture file.

Top backtrace:

(gdb) bt
#0  0x00007ffff4b42cb9 in dissect_nbap_TransportFormatSet_NrOfTransportBlocks (tvb=<optimized out>, offset=48, actx=0x7fffffffb9b0, tree=<optimized out>, hf_index=<optimized out>) at ./asn1/Nbap/nbap.cnf:1363
#1  0x00007ffff4735846 in dissect_per_sequence (tvb=tvb@entry=0x7fffe40cbcf0, offset=30, offset@entry=27, actx=actx@entry=0x7fffffffb9b0, parent_tree=parent_tree@entry=0x7fffe8a5faf0, hf_index=hf_index@entry=98249, 
    ett_index=<optimized out>, sequence=0x7ffff64f3b40 <TransportFormatSet_DynamicPartList_item_sequence>) at packet-per.c:1908
#2  0x00007ffff4b42691 in dissect_nbap_TransportFormatSet_DynamicPartList_item (tvb=0x7fffe40cbcf0, offset=27, actx=0x7fffffffb9b0, tree=0x7fffe8a5faf0, hf_index=98249) at ./asn1/Nbap/nbap.cnf:1344
#3  0x00007ffff4731a44 in dissect_per_sequence_of_helper (tvb=tvb@entry=0x7fffe40cbcf0, offset=offset@entry=27, actx=actx@entry=0x7fffffffb9b0, tree=tree@entry=0x7fffe8a5f940, 
    func=0x7ffff4b42640 <dissect_nbap_TransportFormatSet_DynamicPartList_item>, hf_index=98249, length=2) at packet-per.c:564
#4  0x00007ffff4734320 in dissect_per_constrained_sequence_of (tvb=tvb@entry=0x7fffe40cbcf0, offset=27, offset@entry=22, actx=actx@entry=0x7fffffffb9b0, parent_tree=parent_tree@entry=0x7fffe8a5f480, hf_index=hf_index@entry=98247, 
    ett_index=23345, seq=0x7ffff64f3af0 <TransportFormatSet_DynamicPartList_sequence_of>, min_len=1, max_len=32, has_extension=0) at packet-per.c:939
#5  0x00007ffff4b436e6 in dissect_nbap_TransportFormatSet_DynamicPartList (tvb=0x7fffe40cbcf0, offset=22, actx=0x7fffffffb9b0, tree=0x7fffe8a5f480, hf_index=98247) at ./asn1/Nbap/nbap.cnf:1340
#6  0x00007ffff4735846 in dissect_per_sequence (tvb=0x7fffe40cbcf0, offset=22, actx=0x7fffffffb9b0, parent_tree=<optimized out>, hf_index=<optimized out>, ett_index=<optimized out>, sequence=0x7ffff64f3740 <TransportFormatSet_sequence>)
    at packet-per.c:1908
Comment 1 Gerrit Code Review 2018-02-18 14:12:52 UTC
Change 25874 had a related patch set uploaded by Pascal Quantin:
NBAP: check that DCH ID was initialized before using it

https://code.wireshark.org/review/25874
Comment 2 Gerrit Code Review 2018-02-18 14:49:16 UTC
Change 25874 merged by Pascal Quantin:
NBAP: check that DCH ID was initialized before using it

https://code.wireshark.org/review/25874
Comment 3 Gerrit Code Review 2018-02-18 15:40:45 UTC
Change 25881 had a related patch set uploaded by Pascal Quantin:
NBAP: check that DCH ID was initialized before using it

https://code.wireshark.org/review/25881
Comment 4 Gerrit Code Review 2018-02-18 15:44:06 UTC
Change 25882 had a related patch set uploaded by Pascal Quantin:
NBAP: check that DCH ID was initialized before using it

https://code.wireshark.org/review/25882
Comment 5 Gerrit Code Review 2018-02-18 18:09:11 UTC
Change 25882 merged by Pascal Quantin:
NBAP: check that DCH ID was initialized before using it

https://code.wireshark.org/review/25882
Comment 6 Gerrit Code Review 2018-02-19 08:13:33 UTC
Change 25894 had a related patch set uploaded by Pascal Quantin:
NBAP: check that DCH ID was initialized before using it

https://code.wireshark.org/review/25894
Comment 7 Gerrit Code Review 2018-02-19 09:25:54 UTC
Change 25894 merged by Pascal Quantin:
NBAP: check that DCH ID was initialized before using it

https://code.wireshark.org/review/25894
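The merged change is described only by its commit message ("check that DCH ID was initialized before using it"). The following is an added, constructed C illustration of that defect class and guard, not Wireshark's NBAP code: a DCH ID parsed from one information element is later used as an array index by another, and a malformed packet can deliver the dependent element without the ID. All names (packet_ctx, parse_dch_id, parse_nr_of_transport_blocks, dissect_ies, the IE layout and the table size) are invented for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not Wireshark's NBAP code: a DCH ID parsed from
 * one information element (IE) is later used as an array index by another
 * IE. A malformed packet can deliver the dependent IE without the DCH ID,
 * so the consumer must check that the ID was initialized before using it. */

#define MAX_DCH 32
#define DCH_ID_UNSET (-1)

typedef enum { IE_DCH_ID, IE_NR_BLOCKS } ie_type;

typedef struct { ie_type type; int value; } ie;

typedef struct {
    int dch_id;                /* DCH_ID_UNSET until the DCH ID IE is seen */
    uint32_t blocks[MAX_DCH];  /* NrOfTransportBlocks per DCH (constructed) */
} packet_ctx;

void ctx_init(packet_ctx *ctx) {
    ctx->dch_id = DCH_ID_UNSET;          /* reset per packet, never stale */
    memset(ctx->blocks, 0, sizeof ctx->blocks);
}

/* Accepts the DCH ID IE only if the value fits the table. */
bool parse_dch_id(packet_ctx *ctx, int value) {
    if (value < 0 || value >= MAX_DCH) return false;
    ctx->dch_id = value;
    return true;
}

/* The guarded consumer: refuses to index with an uninitialized ID.
 * Without the first check, a packet lacking the DCH ID IE would index
 * blocks[-1], the class of out-of-bounds access a fuzzer reports as a crash. */
bool parse_nr_of_transport_blocks(packet_ctx *ctx, uint32_t nr_blocks) {
    if (ctx->dch_id == DCH_ID_UNSET) return false;  /* malformed: no DCH ID yet */
    ctx->blocks[ctx->dch_id] = nr_blocks;
    return true;
}

/* Walks the IEs in wire order; returns the number of IEs rejected. */
int dissect_ies(packet_ctx *ctx, const ie *ies, size_t n) {
    int rejected = 0;
    for (size_t i = 0; i < n; i++) {
        bool ok = (ies[i].type == IE_DCH_ID)
                    ? parse_dch_id(ctx, ies[i].value)
                    : parse_nr_of_transport_blocks(ctx, (uint32_t)ies[i].value);
        if (!ok) rejected++;
    }
    return rejected;
}

/* Well-formed packet: DCH ID 5 arrives before its block count of 3. */
uint32_t example_well_formed(void) {
    packet_ctx ctx;
    ctx_init(&ctx);
    const ie ies[] = { { IE_DCH_ID, 5 }, { IE_NR_BLOCKS, 3 } };
    dissect_ies(&ctx, ies, 2);
    return ctx.blocks[5];                /* 3 */
}

/* Malformed packet: block count with no DCH ID; the guard rejects it. */
int example_malformed(void) {
    packet_ctx ctx;
    ctx_init(&ctx);
    const ie ies[] = { { IE_NR_BLOCKS, 3 } };
    return dissect_ies(&ctx, ies, 1);    /* 1 rejected, no out-of-bounds write */
}

int main(void) {
    printf("well-formed: blocks[5] = %u\n", example_well_formed());
    printf("malformed: rejected = %d\n", example_malformed());
    return 0;
}
```

The two design points are the sentinel value that is reset for every packet (so state from a previous packet cannot be mistaken for this one's) and the consumer rejecting the element instead of indexing. In a real dissector the rejection would be surfaced as an expert info or malformed-packet indication rather than a silent return value.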