Buildbot crash output: fuzz-2018-07-19-10297.pcap
This issue was migrated from bug 14994 in our old bug tracker.
Original bug information:
Reporter: Buildbot Builder
Status: RESOLVED FIXED
Product: Wireshark
Component: Dissection engine (libwireshark)
OS: All
Platform: All
Version: unspecified
See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16056
Buildbot Builder said:
Problems have been found with the following capture file:
https://www.wireshark.org/download/automated/captures/fuzz-2018-07-19-10297.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/16494-clusterfuzz-testcase-minimized-fuzzshark_ip-5721574211584000.pcap

Build host information:
Linux wsbb04 4.4.0-130-generic #156-Ubuntu SMP Thu Jun 14 08:53:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 16.04.4 LTS
Release: 16.04
Codename: xenial

Buildbot information:
BUILDBOT_REPOSITORY=ssh://wireshark-buildbot@code.wireshark.org:29418/wireshark
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_BUILDNUMBER=4830
BUILDBOT_URL=http://buildbot.wireshark.org/wireshark-master/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_GOT_REVISION=065a76257935e0699b6cf4aa2352d2f7de914a87

Return value: 0
Dissector bug: 0
Valgrind error count: 0

Git commit
commit 065a76257935e0699b6cf4aa2352d2f7de914a87
Author: Guy Harris <guy@alum.mit.edu>
Date: Thu Jul 19 02:27:02 2018 -0700

Extcap programs must write to the packet pipe in binary mode.

It doesn't matter on UN*X, but it definitely matters on Windows; we're writing a pcap file, not a text file, so every byte we write should go down the pipe as is.

Bug: 14989
Change-Id: I26c067b8ff5dba644a579846dd97b568a81c7053
Reviewed-on: https://code.wireshark.org/review/28764
Reviewed-by: Guy Harris <guy@alum.mit.edu>

Command and args: /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark -nVxr

** ERROR:../epan/packet.c:3089:call_dissector_only: assertion failed: (handle != NULL)

[ no debug trace ]
- Wireshark GitLab Migration added crash libwireshark labels
Guy Harris said:
Reproducible, stack trace is:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff9399ad42 __pthread_kill + 10
1 libsystem_pthread.dylib 0x00007fff93a88457 pthread_kill + 90
2 libsystem_c.dylib 0x00007fff93900420 abort + 129
3 libglib-2.0.0.dylib 0x0000000112e6a704 g_assertion_message + 276
4 libglib-2.0.0.dylib 0x0000000112e6a755 g_assertion_message_expr + 69
5 libwireshark.0.dylib 0x000000010dd6d6b9 call_dissector_with_data + 153 (packet.c:3109)
6 libwireshark.0.dylib 0x000000010d0491e3 dissect_attribute_value + 8851 (packet-btatt.c:5289)
7 libwireshark.0.dylib 0x000000010d042d58 dissect_btatt + 5800 (packet-btatt.c:10386)
8 libwireshark.0.dylib 0x000000010dd718fd call_dissector_through_handle + 93
9 libwireshark.0.dylib 0x000000010dd6e552 call_dissector_work + 242 (packet.c:777)
10 libwireshark.0.dylib 0x000000010dd6e41c dissector_try_uint_new + 108 (packet.c:1360)
11 libwireshark.0.dylib 0x000000010d08be72 dissect_btl2cap + 9906 (packet-btl2cap.c:2685)
12 libwireshark.0.dylib 0x000000010dd718fd call_dissector_through_handle + 93
13 libwireshark.0.dylib 0x000000010dd6e552 call_dissector_work + 242 (packet.c:777)
14 libwireshark.0.dylib 0x000000010dd6e67a dissector_try_uint + 106 (packet.c:1360)
15 libwireshark.0.dylib 0x000000010d448671 dissect_snap + 1057
16 libwireshark.0.dylib 0x000000010d448adb dissect_llc + 587 (packet-llc.c:428)
17 libwireshark.0.dylib 0x000000010dd718fd call_dissector_through_handle + 93
18 libwireshark.0.dylib 0x000000010dd6e552 call_dissector_work + 242 (packet.c:777)
19 libwireshark.0.dylib 0x000000010dd6d652 call_dissector_with_data + 50 (packet.c:3104)
20 libwireshark.0.dylib 0x000000010d37bec7 dissect_802_3 + 343 (packet-ieee8023.c:90)
21 libwireshark.0.dylib 0x000000010d213a7d dissect_eth_common + 2205 (packet-eth.c:463)
22 libwireshark.0.dylib 0x000000010d212ac0 dissect_eth_withoutfcs + 16 (packet-eth.c:814)
23 libwireshark.0.dylib 0x000000010dd718fd call_dissector_through_handle + 93
24 libwireshark.0.dylib 0x000000010dd6e552 call_dissector_work + 242 (packet.c:777)
25 libwireshark.0.dylib 0x000000010dd6d652 call_dissector_with_data + 50 (packet.c:3104)
26 libwireshark.0.dylib 0x000000010d60bf9c dissect_bcp_bpdu + 572
27 libwireshark.0.dylib 0x000000010dd718fd call_dissector_through_handle + 93
28 libwireshark.0.dylib 0x000000010dd6e552 call_dissector_work + 242 (packet.c:777)
29 libwireshark.0.dylib 0x000000010dd6e67a dissector_try_uint + 106 (packet.c:1360)
30 libwireshark.0.dylib 0x000000010d611082 dissect_ppp_common + 258 (packet-ppp.c:4805)
31 libwireshark.0.dylib 0x000000010d6072f7 dissect_ppp_raw_hdlc + 647 (packet-ppp.c:5984)
32 libwireshark.0.dylib 0x000000010dd718fd call_dissector_through_handle + 93
33 libwireshark.0.dylib 0x000000010dd6e552 call_dissector_work + 242 (packet.c:777)
34 libwireshark.0.dylib 0x000000010dd6e41c dissector_try_uint_new + 108 (packet.c:1360)
35 libwireshark.0.dylib 0x000000010d26e36e dissect_gre + 2670 (packet-gre.c:501)
36 libwireshark.0.dylib 0x000000010dd718fd call_dissector_through_handle + 93
37 libwireshark.0.dylib 0x000000010dd6e552 call_dissector_work + 242 (packet.c:777)
38 libwireshark.0.dylib 0x000000010dd6e41c dissector_try_uint_new + 108 (packet.c:1360)
39 libwireshark.0.dylib 0x000000010d38db6b ip_try_dissect + 139 (packet-ip.c:1831)
40 libwireshark.0.dylib 0x000000010d3b0187 ipv6_dissect_next + 295 (packet-ipv6.c:2455)
41 libwireshark.0.dylib 0x000000010d3b112a dissect_ipv6 + 2554 (packet-ipv6.c:2405)
42 libwireshark.0.dylib 0x000000010dd718fd call_dissector_through_handle + 93
43 libwireshark.0.dylib 0x000000010dd6e552 call_dissector_work + 242 (packet.c:777)
44 libwireshark.0.dylib 0x000000010dd6d652 call_dissector_with_data + 50 (packet.c:3104)
45 libwireshark.0.dylib 0x000000010d38ec80 dissect_ip_v4 + 480
46 libwireshark.0.dylib 0x000000010dd718fd call_dissector_through_handle + 93
47 libwireshark.0.dylib 0x000000010dd6e552 call_dissector_work + 242 (packet.c:777)
48 libwireshark.0.dylib 0x000000010dd6e67a dissector_try_uint + 106 (packet.c:1360)
49 libwireshark.0.dylib 0x000000010d21454e dissect_ethertype + 334 (packet-ethertype.c:260)
50 libwireshark.0.dylib 0x000000010dd718fd call_dissector_through_handle + 93
51 libwireshark.0.dylib 0x000000010dd6e552 call_dissector_work + 242 (packet.c:777)
52 libwireshark.0.dylib 0x000000010dd6d652 call_dissector_with_data + 50 (packet.c:3104)
53 libwireshark.0.dylib 0x000000010d213da1 dissect_eth_common + 3009 (packet-eth.c:530)
54 libwireshark.0.dylib 0x000000010d2131bc dissect_eth + 380 (packet-eth.c:805)
55 libwireshark.0.dylib 0x000000010dd718fd call_dissector_through_handle + 93
56 libwireshark.0.dylib 0x000000010dd6e552 call_dissector_work + 242 (packet.c:777)
57 libwireshark.0.dylib 0x000000010dd6e41c dissector_try_uint_new + 108 (packet.c:1360)
58 libwireshark.0.dylib 0x000000010d249739 dissect_frame + 4841 (packet-frame.c:579)
59 libwireshark.0.dylib 0x000000010dd718fd call_dissector_through_handle + 93
60 libwireshark.0.dylib 0x000000010dd6e552 call_dissector_work + 242 (packet.c:777)
61 libwireshark.0.dylib 0x000000010dd6d652 call_dissector_with_data + 50 (packet.c:3104)
62 libwireshark.0.dylib 0x000000010dd6d50f dissect_record + 623 (packet.c:568)
63 libwireshark.0.dylib 0x000000010dd63524 epan_dissect_run_with_taps + 68 (epan.c:552)
64 tshark 0x000000010cedb86b process_packet_single_pass + 331 (tshark.c:3552)
65 tshark 0x000000010ced9056 main + 10278 (tshark.c:3378)
66 libdyld.dylib 0x00007fff9386c235 start + 1
Gerrit Code Review said:Change 28805 had a related patch set uploaded by Guy Harris: Don't assume a given btgatt.uuid0xXXXX dissector exists.
Gerrit Code Review said:Change 28805 merged by Guy Harris: Don't assume a given btgatt.uuid0xXXXX dissector exists.
Gerrit Code Review said:Change 28806 had a related patch set uploaded by Guy Harris: Don't assume a given btgatt.uuid0xXXXX dissector exists.
Gerrit Code Review said:Change 28806 merged by Guy Harris: Don't assume a given btgatt.uuid0xXXXX dissector exists.
Gerrit Code Review said:Change 28807 had a related patch set uploaded by Guy Harris: Don't assume a given btgatt.uuid0xXXXX dissector exists.
Gerrit Code Review said:Change 28807 merged by Guy Harris: Don't assume a given btgatt.uuid0xXXXX dissector exists.
Gerrit Code Review said:Change 28808 had a related patch set uploaded by Guy Harris: Don't assume a given btgatt.uuid0xXXXX dissector exists.
Gerrit Code Review said:Change 28808 merged by Guy Harris: Don't assume a given btgatt.uuid0xXXXX dissector exists.
Guy Harris said:Don't just blithely assume that, for any (hex) value of XXXX, there is a "btgatt.uuid0xXXXX" dissector registered. That's not guaranteed to be the case.
Guy Harris said:*** Bug #14997 (closed) has been marked as a duplicate of this bug. ***
Guy Harris said:*** Bug #15000 (closed) has been marked as a duplicate of this bug. ***
Guy Harris said:*** Bug #15001 (closed) has been marked as a duplicate of this bug. ***
Guy Harris said:*** Bug #15002 (closed) has been marked as a duplicate of this bug. ***
Gerrit Code Review said:Change 28818 had a related patch set uploaded by Guy Harris: In bgatt.uuid0xXXXX names, hex digits in XXXX are lower case.
Gerrit Code Review said:Change 28818 merged by Guy Harris: In bgatt.uuid0xXXXX names, hex digits in XXXX are lower case.
Guy Harris said:(In reply to Gerrit Code Review from comment #16)
> Change 28818 merged by Guy Harris:
> In bgatt.uuid0xXXXX names, hex digits in XXXX are lower case.
>
> https://code.wireshark.org/review/28818

So why is this not just done with a dissector table with an integer key (Bluetooth UUIDs are just 16-bit integral values)?
Michał Łabędzki said:So, do you think that adding a dissector table (adding the item by uuid) to the registration loop, then calling the dissector table rather than call_dissector, will be more efficient?
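Added example, not part of the original thread and not Wireshark code: a toy C model of the failure discussed above, where a per-UUID dissector is looked up by a formatted name and the result may be NULL. All function and type names and the two registrations are hypothetical; it shows the unregistered-UUID case, the upper/lower-case hex mismatch, and the integer-keyed lookup raised in the last two comments.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy model, not Wireshark code: all function and type names are hypothetical. */
typedef int (*dissector_fn)(const uint8_t *buf, size_t len);
enum { USED_FALLBACK = 0, USED_SPECIFIC = 1 };
static int dissect_specific(const uint8_t *b, size_t n) { (void)b; (void)n; return USED_SPECIFIC; }
static int dissect_fallback(const uint8_t *b, size_t n) { (void)b; (void)n; return USED_FALLBACK; }
/* Constructed registrations; the names carry lower-case hex digits. */
struct entry { const char *name; uint16_t uuid; dissector_fn fn; };
static const struct entry registry[] = {
    { "btgatt.uuid0x2a19", 0x2a19, dissect_specific },
    { "btgatt.uuid0x2800", 0x2800, dissect_specific },
};
#define N_ENTRIES (sizeof registry / sizeof registry[0])

/* Name-keyed lookup: NULL when nothing is registered under that name. */
static dissector_fn find_by_name(const char *name) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (strcmp(registry[i].name, name) == 0) return registry[i].fn;
    return NULL;
}

/* Build the per-UUID name; upper_case formats with %04X instead of %04x. */
static dissector_fn find_by_uuid_name(uint16_t uuid, int upper_case) {
    char name[32];
    snprintf(name, sizeof name, upper_case ? "btgatt.uuid0x%04X" : "btgatt.uuid0x%04x", (unsigned)uuid);
    return find_by_name(name);
}

/* Integer-keyed lookup: no string formatting, so no case mismatch. */
static dissector_fn find_by_uuid(uint16_t uuid) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (registry[i].uuid == uuid) return registry[i].fn;
    return NULL;
}

/* Checked call: an unregistered UUID gets the fallback, not a NULL handle. */
static int dissect_value(uint16_t uuid, const uint8_t *buf, size_t len) {
    dissector_fn fn = find_by_uuid_name(uuid, 0);
    if (fn == NULL) fn = dissect_fallback;
    return fn(buf, len);
}

int main(void) {
    const uint8_t value[] = { 0x64 };  /* constructed attribute value */
    printf("0x2a19: %d, 0xffff: %d\n", dissect_value(0x2a19, value, 1), dissect_value(0xffff, value, 1));
    return find_by_uuid(0x2a19) != NULL ? 0 : 1;
}
```

A UUID whose hex form has only decimal digits (0x2800 here) resolves under either case, so a case mismatch in the name only shows up for UUIDs containing a-f.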
Guy Harris said:*** Bug #15003 (closed) has been marked as a duplicate of this bug. ***
Peter Wu said:*** Bug #14977 (closed) has been marked as a duplicate of this bug. ***
- Wireshark GitLab Migration closed
- Wireshark GitLab Migration mentioned in issue #14997 (closed)
- Wireshark GitLab Migration mentioned in issue #15000 (closed)
- Wireshark GitLab Migration mentioned in issue #15001 (closed)
- Wireshark GitLab Migration mentioned in issue #15003 (closed)
- Wireshark GitLab Migration mentioned in issue #15002 (closed)