Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2020-05-13-12195.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/2782-Re-Auth.pcap

Build host information:
Linux build6 4.15.0-99-generic #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic

Buildbot information:
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_BUILDNUMBER=5211
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_URL=http://buildbot.wireshark.org/wireshark-master/
BUILDBOT_REPOSITORY=ssh://wireshark-buildbot@code.wireshark.org:29418/wireshark
BUILDBOT_GOT_REVISION=fb28b60e3f739dc805d1b7cefa3d62f6a9b8478f

Return value: 0

Dissector bug: 0

Valgrind error count: 0

Git commit
commit fb28b60e3f739dc805d1b7cefa3d62f6a9b8478f
Author: Alexis La Goutte <alexis.lagoutte@gmail.com>
Date: Mon Mar 2 20:49:17 2020 +0100

    QUIC: Fix frame type (it is also a varint)

    Draft 13 changed it from a byte to a varint. Found during implementation
    of draft-huitema-quic-ts-02 which uses 0x02F5.

    Bug: 13881
    Change-Id: I63d9469b539cf92b694bca85c00e07bd146abb5e
    Reviewed-on: https://code.wireshark.org/review/36259
    Petri-Dish: Peter Wu <peter@lekensteyn.nl>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Peter Wu <peter@lekensteyn.nl>

Command and args: /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark -nVxr

** (process:25605): WARNING **: 17:53:54.503: Dissector bug, protocol RADIUS, in packet 156: Null pointer passed to bytes_to_str()
** (process:25605): WARNING **: 17:53:54.546: Dissector bug, protocol RADIUS, in packet 201: Null pointer passed to bytes_to_str()
=================================================================
==25605==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000299810 at pc 0x7f2e694e1f53 bp 0x7ffd478b2b30 sp 0x7ffd478b2b28
READ of size 1 at 0x604000299810 thread T0
    #0 0x7f2e694e1f52 in print_hex_data_buffer /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/print.c:1976:13
    #1 0x7f2e694e19b1 in print_hex_data /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/print.c:1893:14
    #2 0x5653c7f84307 in print_packet /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:4213:10
    #3 0x5653c7f80712 in process_packet_single_pass /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3779:7
    #4 0x5653c7f8284e in process_cap_file_single_pass /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3418:9
    #5 0x5653c7f7c66c in process_cap_file /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3573:26
    #6 0x5653c7f77af4 in main /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:2045:16
    #7 0x7f2e5b782b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x5653c7e74af9 in _start (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x59af9)

0x604000299810 is located 0 bytes inside of 36-byte region [0x604000299810,0x604000299834)
freed by thread T0 here:
    #0 0x5653c7f20142 in __interceptor_free (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x105142)
    #1 0x7f2e67a7ce30 in vsa_buffer_destroy /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-radius.c:1373:2
    #2 0x7f2e5c1cb13f (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3a13f)

previously allocated by thread T0 here:
    #0 0x5653c7f208df in realloc (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x1058df)
    #1 0x7f2e5c1e2b6f in g_realloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51b6f)
    #2 0x7f2e67a79a15 in dissect_radius /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-radius.c:2275:3
    #3 0x7f2e694d2b44 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:706:9
    #4 0x7f2e694c7b99 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:799:9
    #5 0x7f2e694c74c3 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1399:8
    #6 0x7f2e694c7f6b in dissector_try_uint /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1423:9
    #7 0x7f2e680af90e in decode_udp_ports /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-udp.c:697:7
    #8 0x7f2e680b86ee in dissect /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-udp.c:1234:5
    #9 0x7f2e680b293d in dissect_udp /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-udp.c:1240:3
    #10 0x7f2e694d2b44 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:706:9
    #11 0x7f2e694c7b99 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:799:9
    #12 0x7f2e694c74c3 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1399:8
    #13 0x7f2e67245d12 in ip_try_dissect /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ip.c:1829:7
    #14 0x7f2e6724b2fe in dissect_ip_v4 /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ip.c:2288:10
    #15 0x7f2e694d2b44 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:706:9
    #16 0x7f2e694c7b99 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:799:9
    #17 0x7f2e694c74c3 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1399:8
    #18 0x7f2e694c7f6b in dissector_try_uint /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1423:9
    #19 0x7f2e66e12eb0 in dissect_ethertype /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ethertype.c:265:21
    #20 0x7f2e694d2b44 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:706:9
    #21 0x7f2e694c7b99 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:799:9
    #22 0x7f2e694cf3f0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3208:8
    #23 0x7f2e694c3c94 in call_dissector_with_data /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3221:8
    #24 0x7f2e6817b824 in dissect_vlan /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-vlan.c:360:5
    #25 0x7f2e694d2b44 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:706:9
    #26 0x7f2e694c7b99 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:799:9
    #27 0x7f2e694c74c3 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1399:8
    #28 0x7f2e694c7f6b in dissector_try_uint /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1423:9
    #29 0x7f2e66e12eb0 in dissect_ethertype /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ethertype.c:265:21

SUMMARY: AddressSanitizer: heap-use-after-free /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/print.c:1976:13 in print_hex_data_buffer
==25605==ABORTING

[ no debug trace ]