Bug 14446 - [oss-fuzz] #6458 DOCSIS: Stack-overflow in dissect_docsis
Summary: [oss-fuzz] #6458 DOCSIS: Stack-overflow in dissect_docsis
Status: RESOLVED FIXED
Alias: None
Product: Wireshark
Classification: Unclassified
Component: Dissection engine (libwireshark) (show other bugs)
Version: Git
Hardware: x86 Linux
Importance: Low Major
Target Milestone: ---
Assignee: Bugzilla Administrator
URL:
Depends on:
Blocks:
 
Reported: 2018-02-19 17:42 UTC by Jakub Zawadzki
Modified: 2018-02-22 23:22 UTC (History)
Attachments
capture file to crash wireshark (73 bytes, application/vnd.tcpdump.pcap)
2018-02-19 17:42 UTC, Jakub Zawadzki
Description Jakub Zawadzki 2018-02-19 17:42:00 UTC
Created attachment 16146
capture file to crash wireshark

Build Information:
TShark (Wireshark) 2.5.1 (v2.5.1rc0-182-gaef93dba)

Copyright 1998-2018 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.42.2, with zlib 1.2.8, without
SMI, without c-ares, without Lua, without GnuTLS, with Gcrypt 1.6.3, without
Kerberos, without GeoIP, without nghttp2, without LZ4, without Snappy, without
libxml2.

Running on Linux 3.17.4-301.fc21.x86_64, with Intel(R) Xeon(R) CPU E5530 @ 2.40GHz
(with SSE4.2), with 24093 MB of physical memory, with locale pl_PL.UTF-8, with
Gcrypt 1.6.3, with zlib 1.2.8.

Built using gcc 4.9.2 20150212 (Red Hat 4.9.2-6).

--
oss-fuzz found a packet that makes the DOCSIS dissector call itself recursively and crashes Wireshark: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6458

Backtrace:

#5  0x00007ffff4079900 in ws_vsnprintf (argptr=0x7fffff7ff8d8, format=0x7ffff4d6b878 "Bad checksum [should be 0x%0*x]", size_of_buffer=240, buffer=0x7fffff7ff790 "") at ../wsutil/ws_printf.h:66
#6  expert_set_info_vformat (pinfo=pinfo@entry=0x85aa88, pi=pi@entry=0x0, group=16777216, severity=8388608, hf_index=31184, use_vaformat=use_vaformat@entry=1, format=0x7ffff4d6b878 "Bad checksum [should be 0x%0*x]", ap=0x7fffff7ff8d8)
    at expert.c:529
#7  0x00007ffff407a6b0 in expert_add_info_format (pinfo=pinfo@entry=0x85aa88, pi=pi@entry=0x0, expindex=expindex@entry=0x7ffff69bf548 <ei_docsis_hcs_bad>, format=format@entry=0x7ffff4d6b878 "Bad checksum [should be 0x%0*x]")
    at expert.c:614
#8  0x00007ffff40abfa8 in proto_tree_add_checksum (tree=tree@entry=0x0, tvb=tvb@entry=0xebee80, offset=offset@entry=5, hf_checksum=<optimized out>, hf_checksum_status=31168, 
    bad_checksum_expert=bad_checksum_expert@entry=0x7ffff69bf548 <ei_docsis_hcs_bad>, pinfo=0x85aa88, computed_checksum=30358, encoding=0, flags=1) at proto.c:11789
#9  0x00007ffff4315422 in dissect_hcs_field (tvb=0xebee80, pinfo=0x85aa88, docsis_tree=0x0, hdrlen=<optimized out>) at packet-docsis.c:458
#10 0x00007ffff4315a4f in dissect_docsis (tvb=0xebee80, pinfo=0x85aa88, tree=0x0, data=<optimized out>) at packet-docsis.c:636
#11 0x00007ffff407fbdb in call_dissector_through_handle (handle=handle@entry=0x7fffe9671b30, tvb=tvb@entry=0xebee80, pinfo=pinfo@entry=0x85aa88, tree=tree@entry=0x0, data=data@entry=0x0) at packet.c:694
(...)
#104754 0x00007ffff4315b69 in dissect_docsis (tvb=0x8598c0, pinfo=0x85aa88, tree=<optimized out>, data=<optimized out>) at packet-docsis.c:825
#104755 0x00007ffff407fbdb in call_dissector_through_handle (handle=handle@entry=0x7fffe9671b30, tvb=tvb@entry=0x8598c0, pinfo=pinfo@entry=0x85aa88, tree=tree@entry=0x0, data=data@entry=0x834e70) at packet.c:694
#104756 0x00007ffff4080b72 in call_dissector_work (handle=0x7fffe9671b30, tvb=tvb@entry=0x8598c0, pinfo_arg=pinfo_arg@entry=0x85aa88, tree=tree@entry=0x0, add_proto_name=add_proto_name@entry=1, data=data@entry=0x834e70) at packet.c:779
#104757 0x00007ffff40814df in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=33, tvb=tvb@entry=0x8598c0, pinfo=pinfo@entry=0x85aa88, tree=tree@entry=0x0, add_proto_name=add_proto_name@entry=1, data=0x834e70)
    at packet.c:1361
#104758 0x00007ffff43af7ba in dissect_frame (tvb=0x8598c0, pinfo=0x85aa88, parent_tree=0x0, data=0x7fffffffdc80) at packet-frame.c:579


Most of the dissect_docsis() frames are at line 825, which is the call_dissector():

822	          while (concatlen > 0)
823	          {
824	            next_tvb = tvb_new_subset_length_caplen (tvb, concatpos, -1, concatlen);
825	            call_dissector (docsis_handle, next_tvb, pinfo, docsis_tree);
826	          }


(gdb) frame 14
#14 0x00007ffff4315b69 in dissect_docsis (tvb=0xebee30, pinfo=0x85aa88, tree=<optimized out>, data=<optimized out>) at packet-docsis.c:825
825	            call_dissector (docsis_handle, next_tvb, pinfo, docsis_tree);

(gdb) print concatlen
$3 = 8224
(gdb) print concatpos
$4 = 6
(gdb) print tvb->length
$5 = 33
(gdb) print tvb->reported_length 
$6 = 8230


(gdb) frame 18
#18 0x00007ffff4315b69 in dissect_docsis (tvb=0xebed40, pinfo=0x85aa88, tree=<optimized out>, data=<optimized out>) at packet-docsis.c:825
825	            call_dissector (docsis_handle, next_tvb, pinfo, docsis_tree);

(gdb) print tvb->length
$14 = 33
(gdb) print tvb->reported_length
$15 = 8230
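To make the defect in the quoted loop concrete, here is a small C model added by the editor. It is not Wireshark code and it is not the fix that was merged (changes 25905 and 25906 below remove concatenated PDU dissection altogether). It assumes the standard DOCSIS MAC header layout (FC, MAC_PARM, LEN, HCS, with FC_TYPE 3 / FC_PARM 0x1C marking a concatenation header), does not verify the HCS, uses made-up depth and call-budget limits in place of the real stack, and runs on constructed frames; one of them carries the report's LEN value 0x2020 = 8224 in a short capture. dissect_vuln mirrors the loop at line 825, which never moves concatpos or shrinks concatlen; dissect_fixed is one way to write the same loop so that every iteration makes progress and stays inside the captured bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* DOCSIS MAC header: FC (FC_TYPE bits 7-6, FC_PARM bits 5-1, EHDR_ON bit 0),
 * MAC_PARM, LEN (2 bytes, big-endian), HCS (2 bytes): a frame is 6 + LEN bytes.
 * FC_TYPE 3 / FC_PARM 0x1C is a concatenation header; HCS is not verified here. */
#define DOCSIS_HDR_LEN 6
#define FC_TYPE_MACSPC 3
#define FC_PARM_CONCAT 0x1C
#define MAX_DEPTH      16   /* assumed guard values for this model, not Wireshark's */
#define CALL_BUDGET    64

typedef struct { const uint8_t *p; size_t len; } tvb_t;   /* captured bytes only */
typedef struct { int calls, max_depth, pdus, aborted; } stats_t;

static int is_concat_hdr(tvb_t t)
{
    return t.len >= DOCSIS_HDR_LEN && (t.p[0] >> 6) == FC_TYPE_MACSPC
        && ((t.p[0] >> 1) & 0x1F) == FC_PARM_CONCAT;
}

static size_t len_field(tvb_t t) { return ((size_t)t.p[2] << 8) | t.p[3]; }

static int enter(int depth, stats_t *st)   /* count calls; 0 when a guard fires */
{
    if (++st->calls > CALL_BUDGET || depth > MAX_DEPTH) { st->aborted = 1; return 0; }
    if (depth > st->max_depth) st->max_depth = depth;
    return 1;
}

/* Model of the loop quoted at packet-docsis.c:825: concatpos and concatlen are
 * never updated, so each iteration hands the same subset to the same dissector.
 * On a real stack that is a stack overflow (nested concatenation) or a hang
 * (flat concatenation); here the call budget stops it. */
static void dissect_vuln(tvb_t tvb, int depth, stats_t *st)
{
    if (!enter(depth, st)) return;
    if (!is_concat_hdr(tvb)) { st->pdus++; return; }   /* inner dissector stand-in */
    size_t concatlen = len_field(tvb), concatpos = DOCSIS_HDR_LEN;
    while (concatlen > 0 && !st->aborted) {
        tvb_t next = { tvb.p + concatpos, tvb.len - concatpos };
        dissect_vuln(next, depth + 1, st);
    }
}

/* Progress-guaranteeing version: each iteration consumes one whole inner frame
 * (6 + LEN bytes), checks that it fits in the captured bytes and in the
 * remaining concatenation length, then advances. Depth stays capped because a
 * chain of well-formed nested concatenations is still attacker controlled. */
static void dissect_fixed(tvb_t tvb, int depth, stats_t *st)
{
    if (!enter(depth, st)) return;
    if (!is_concat_hdr(tvb)) { st->pdus++; return; }
    size_t concatlen = len_field(tvb), concatpos = DOCSIS_HDR_LEN;
    while (concatlen > 0) {
        size_t avail = tvb.len - concatpos;
        if (avail < DOCSIS_HDR_LEN) { st->aborted = 1; return; }   /* truncated */
        tvb_t inner = { tvb.p + concatpos, avail };
        size_t inner_len = DOCSIS_HDR_LEN + len_field(inner);
        if (inner_len > concatlen || inner_len > avail) { st->aborted = 1; return; }
        inner.len = inner_len;
        dissect_fixed(inner, depth + 1, st);
        if (st->aborted) return;
        concatpos += inner_len;   /* progress: the loop terminates */
        concatlen -= inner_len;
    }
}

static stats_t run(void (*fn)(tvb_t, int, stats_t *), const uint8_t *p, size_t len)
{
    stats_t st = { 0, 0, 0, 0 };
    tvb_t tvb = { p, len };
    fn(tvb, 0, &st);
    return st;
}

/* Constructed frames: concat FC byte = (3 << 6) | (0x1C << 1) = 0xF8, packet PDU
 * FC = 0x00, HCS bytes zero. truncated_concat claims LEN 0x2020 = 8224 (as in
 * the report) but only 12 bytes are "captured". */
static const uint8_t flat_concat[] = {
    0xF8, 0x02, 0x00, 0x12, 0x00, 0x00,                         /* concat, LEN 18 */
    0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0xAA, 0xBB, 0xCC, 0xDD, /* PDU, LEN 4 */
    0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0xEE, 0xFF };           /* PDU, LEN 2 */
static const uint8_t nested_concat[] = {
    0xF8, 0x01, 0x00, 0x0E, 0x00, 0x00,                         /* concat, LEN 14 */
    0xF8, 0x01, 0x00, 0x08, 0x00, 0x00,                         /* concat, LEN 8 */
    0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x11, 0x22 };           /* PDU, LEN 2 */
static const uint8_t truncated_concat[] = {
    0xF8, 0x01, 0x20, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00 };

int main(void)
{
    const uint8_t *frames[] = { flat_concat, nested_concat, truncated_concat };
    size_t sizes[] = { sizeof flat_concat, sizeof nested_concat, sizeof truncated_concat };
    for (int i = 0; i < 3; i++) {
        stats_t v = run(dissect_vuln, frames[i], sizes[i]);
        stats_t f = run(dissect_fixed, frames[i], sizes[i]);
        printf("frame %d: vuln aborted=%d depth=%d calls=%d | fixed aborted=%d depth=%d pdus=%d\n",
               i, v.aborted, v.max_depth, v.calls, f.aborted, f.max_depth, f.pdus);
    }
    return 0;
}
```

On the flat and nested frames dissect_vuln burns the whole call budget without ever finishing (on a real stack the nested case is the recursion in the backtrace above), while dissect_fixed reaches the two and one inner PDUs respectively and returns; on the truncated frame dissect_fixed refuses the first inner frame because its 6 + LEN bytes are not present in the capture. The general rule the model illustrates is that a loop over attacker-supplied lengths must advance by a value it has bounds-checked on every iteration, and recursion into the same dissector must be capped independently of the length fields.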
Comment 1 Gerald Combs 2018-02-19 21:28:29 UTC
I can replicate this in master and master-2.4 but not master-2.2.
Comment 2 Gerrit Code Review 2018-02-19 21:42:03 UTC
Change 25905 had a related patch set uploaded by Gerald Combs:
DOCSIS: Remove concatenated PDU dissection.

https://code.wireshark.org/review/25905
Comment 3 Gerrit Code Review 2018-02-19 21:49:35 UTC
Change 25906 had a related patch set uploaded by Gerald Combs:
DOCSIS: Remove concatenated PDU dissection.

https://code.wireshark.org/review/25906
Comment 4 Gerrit Code Review 2018-02-20 06:19:56 UTC
Change 25905 merged by Anders Broman:
DOCSIS: Remove concatenated PDU dissection.

https://code.wireshark.org/review/25905
Comment 5 Gerrit Code Review 2018-02-20 06:20:08 UTC
Change 25906 merged by Anders Broman:
DOCSIS: Remove concatenated PDU dissection.

https://code.wireshark.org/review/25906