Buildbot crash output: fuzz-2015-10-10-13251.pcap
This issue was migrated from bug 11585 in our old bug tracker.
Original bug information:
Reporter: Buildbot Builder
Status: RESOLVED FIXED
Product: Wireshark
Component: Dissection engine (libwireshark)
OS: Ubuntu
Platform: x86-64
Version: unspecified
See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5351
Activity
Problems have been found with the following capture file: https://www.wireshark.org/download/automated/captures/fuzz-2015-10-10-13251.pcap stderr: Input file: /home/wireshark/menagerie/menagerie/13690-tdls_decrypt_wireshark.pcap Build host information: Linux wsbb04 3.13.0-65-generic #105-Ubuntu SMP Mon Sep 21 18:50:58 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux Distributor ID: Ubuntu Description: Ubuntu 14.04.3 LTS Release: 14.04 Codename: trusty Buildbot information: BUILDBOT_REPOSITORY=ssh://wireshark-buildbot@code.wireshark.org:29418/wireshark BUILDBOT_BUILDNUMBER=3334 BUILDBOT_URL=http://buildbot.wireshark.org/wireshark-master/ BUILDBOT_BUILDERNAME=Clang Code Analysis BUILDBOT_SLAVENAME=clang-code-analysis BUILDBOT_GOT_REVISION=2bd7c48b44af5ebedefdb4c98d1b8cb708463881 Return value: 0 Dissector bug: 0 Valgrind error count: 7 Git commit commit 2bd7c48b44af5ebedefdb4c98d1b8cb708463881 Author: Guy Harris <guy@alum.mit.edu> Date: Thu Oct 8 13:43:08 2015 -0700 The second argument to AC_PATH_PROGS is a list of program names. The *third* argument is the value to use if we don't find the program; we shouldn't fall back on "python3" if we can't find "python", we should try both "python" and "python3" and just set $PYTHON to nothing if we don't find either one. Change-Id: I5168455f09bc3165c49db4334f05856dec46bf62 Reviewed-on: https://code.wireshark.org/review/10890 Reviewed-by: Guy Harris <guy@alum.mit.edu> Command and args: ./tools/valgrind-wireshark.sh ==4817== Memcheck, a memory error detector ==4817== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==4817== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info ==4817== Command: /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/bin/tshark -nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2015-10-10-13251.pcap ==4817== ==4817== Conditional jump or move depends on uninitialised value(s) ==4817== at 0x684C8B5: AirPDcapDecryptWPABroadcastKey (airpdcap.c:415) ==4817== by 0x684BB14: AirPDcapScanForKeys (airpdcap.c:1428) ==4817== by 0x6BD8E3E: dissect_ieee80211_common (packet-ieee80211.c:17710) ==4817== by 0x6BD47A5: dissect_ieee80211 (packet-ieee80211.c:18317) ==4817== by 0x680167F: call_dissector_work (packet.c:618) ==4817== by 0x6800C3C: call_dissector_with_data (packet.c:2549) ==4817== by 0x680167F: call_dissector_work (packet.c:618) ==4817== by 0x6800C3C: call_dissector_with_data (packet.c:2549) ==4817== by 0x6BC393B: dissect_radiotap (packet-ieee80211-radiotap.c:1801) ==4817== by 0x680169D: call_dissector_work (packet.c:620) ==4817== by 0x680151E: dissector_try_uint_new (packet.c:1163) ==4817== by 0x6AED77F: dissect_frame (packet-frame.c:499) ==4817== ==4817== Conditional jump or move depends on uninitialised value(s) ==4817== at 0x684C8A2: AirPDcapDecryptWPABroadcastKey (airpdcap.c:409) ==4817== by 0x684BB14: AirPDcapScanForKeys (airpdcap.c:1428) ==4817== by 0x6BD8E3E: dissect_ieee80211_common (packet-ieee80211.c:17710) ==4817== by 0x6BD47A5: dissect_ieee80211 (packet-ieee80211.c:18317) ==4817== by 0x680167F: call_dissector_work (packet.c:618) ==4817== by 0x6800C3C: call_dissector_with_data (packet.c:2549) ==4817== by 0x680167F: call_dissector_work (packet.c:618) ==4817== by 0x6800C3C: call_dissector_with_data (packet.c:2549) ==4817== by 0x6BC393B: dissect_radiotap (packet-ieee80211-radiotap.c:1801) ==4817== by 0x680169D: call_dissector_work (packet.c:620) ==4817== by 0x680151E: dissector_try_uint_new (packet.c:1163) ==4817== by 0x6AED77F: dissect_frame (packet-frame.c:499) ==4817== ==4817== Use of uninitialised value of size 8 ==4817== at 0x684C8A9: AirPDcapDecryptWPABroadcastKey (airpdcap.c:415) ==4817== by 0x684BB14: AirPDcapScanForKeys (airpdcap.c:1428) ==4817== by 0x6BD8E3E: dissect_ieee80211_common (packet-ieee80211.c:17710) ==4817== by 0x6BD47A5: dissect_ieee80211 (packet-ieee80211.c:18317) ==4817== by 0x680167F: call_dissector_work (packet.c:618) ==4817== by 0x6800C3C: call_dissector_with_data (packet.c:2549) ==4817== by 0x680167F: call_dissector_work (packet.c:618) ==4817== by 0x6800C3C: call_dissector_with_data (packet.c:2549) ==4817== by 0x6BC393B: dissect_radiotap (packet-ieee80211-radiotap.c:1801) ==4817== by 0x680169D: call_dissector_work (packet.c:620) ==4817== by 0x680151E: dissector_try_uint_new (packet.c:1163) ==4817== by 0x6AED77F: dissect_frame (packet-frame.c:499) ==4817== ==4817== Conditional jump or move depends on uninitialised value(s) ==4817== at 0x684C8BC: AirPDcapDecryptWPABroadcastKey (airpdcap.c:416) ==4817== by 0x684BB14: AirPDcapScanForKeys (airpdcap.c:1428) ==4817== by 0x6BD8E3E: dissect_ieee80211_common (packet-ieee80211.c:17710) ==4817== by 0x6BD47A5: dissect_ieee80211 (packet-ieee80211.c:18317) ==4817== by 0x680167F: call_dissector_work (packet.c:618) ==4817== by 0x6800C3C: call_dissector_with_data (packet.c:2549) ==4817== by 0x680167F: call_dissector_work (packet.c:618) ==4817== by 0x6800C3C: call_dissector_with_data (packet.c:2549) ==4817== by 0x6BC393B: dissect_radiotap (packet-ieee80211-radiotap.c:1801) ==4817== by 0x680169D: call_dissector_work (packet.c:620) ==4817== by 0x680151E: dissector_try_uint_new (packet.c:1163) ==4817== by 0x6AED77F: dissect_frame (packet-frame.c:499) ==4817== ==4817== Use of uninitialised value of size 8 ==4817== at 0x684C88B: AirPDcapDecryptWPABroadcastKey (airpdcap.c:419) ==4817== by 0x684BB14: AirPDcapScanForKeys (airpdcap.c:1428) ==4817== by 0x6BD8E3E: dissect_ieee80211_common (packet-ieee80211.c:17710) ==4817== by 0x6BD47A5: dissect_ieee80211 (packet-ieee80211.c:18317) ==4817== by 0x680167F: call_dissector_work (packet.c:618) ==4817== by 0x6800C3C: call_dissector_with_data (packet.c:2549) ==4817== by 0x680167F: call_dissector_work (packet.c:618) ==4817== by 0x6800C3C: call_dissector_with_data (packet.c:2549) ==4817== by 0x6BC393B: dissect_radiotap (packet-ieee80211-radiotap.c:1801) ==4817== by 0x680169D: call_dissector_work (packet.c:620) ==4817== by 0x680151E: dissector_try_uint_new (packet.c:1163) ==4817== by 0x6AED77F: dissect_frame (packet-frame.c:499) ==4817== ==4817== ==4817== HEAP SUMMARY: ==4817== in use at exit: 1,038,163 bytes in 28,221 blocks ==4817== total heap usage: 442,946 allocs, 414,725 frees, 37,654,036 bytes allocated ==4817== ==4817== LEAK SUMMARY: ==4817== definitely lost: 2,908 bytes in 125 blocks ==4817== indirectly lost: 36,448 bytes in 48 blocks ==4817== possibly lost: 0 bytes in 0 blocks ==4817== still reachable: 998,807 bytes in 28,048 blocks ==4817== suppressed: 0 bytes in 0 blocks ==4817== Rerun with --leak-check=full to see details of leaked memory ==4817== ==4817== For counts of detected and suppressed errors, rerun with: -v ==4817== Use --track-origins=yes to see where uninitialised values come from ==4817== ERROR SUMMARY: 7 errors from 5 contexts (suppressed: 0 from 0) [ no debug trace ]added crash libwireshark osubuntu labels
-
With v2.1.0rc0-69-g2eb7e87 I get these reports from the packet,could it be related? epan/crypt/airpdcap_ccmp.c:228:7: runtime error: left shift of 170 by 24 places cannot be represented in type 'int' #0 0x7f753d854906 in AirPDcapCcmpDecrypt epan/crypt/airpdcap_ccmp.c:228:7 #1 0x7f753d8439ff in AirPDcapRsnaMng epan/crypt/airpdcap.c:1023:22 #2 0x7f753d83f577 in AirPDcapPacketProcess epan/crypt/airpdcap.c:747:21 #3 0x7f753ea18e50 in try_decrypt epan/dissectors/packet-ieee80211.c:18675:7 #4 0x7f753ea11802 in dissect_ieee80211_common epan/dissectors/packet-ieee80211.c:17816:16 #5 0x7f753e9df995 in dissect_ieee80211 epan/dissectors/packet-ieee80211.c:18317:10 #6 0x7f753d5daa81 in call_dissector_through_handle epan/packet.c:618:9 #7 0x7f753d5c88d2 in call_dissector_work epan/packet.c:706:9 #8 0x7f753d5d5aa7 in call_dissector_only epan/packet.c:2549:8 #9 0x7f753d5c1664 in call_dissector_with_data epan/packet.c:2562:8 #10 0x7f753e98dcb8 in dissect_wlan_radio epan/dissectors/packet-ieee80211-radio.c:976:10 #11 0x7f753d5daa81 in call_dissector_through_handle epan/packet.c:618:9 #12 0x7f753d5c88d2 in call_dissector_work epan/packet.c:706:9 #13 0x7f753d5d5aa7 in call_dissector_only epan/packet.c:2549:8 #14 0x7f753d5c1664 in call_dissector_with_data epan/packet.c:2562:8 #15 0x7f753e9a9d04 in dissect_radiotap epan/dissectors/packet-ieee80211-radiotap.c:1801:2 #16 0x7f753d5dabce in call_dissector_through_handle epan/packet.c:620:3 #17 0x7f753d5c88d2 in call_dissector_work epan/packet.c:706:9 #18 0x7f753d5c79d1 in dissector_try_uint_new epan/packet.c:1163:9 #19 0x7f753e67eb74 in dissect_frame epan/dissectors/packet-frame.c:499:11 #20 0x7f753d5daa81 in call_dissector_through_handle epan/packet.c:618:9 #21 0x7f753d5c88d2 in call_dissector_work epan/packet.c:706:9 #22 0x7f753d5d5aa7 in call_dissector_only epan/packet.c:2549:8 #23 0x7f753d5c1664 in call_dissector_with_data epan/packet.c:2562:8 #24 0x7f753d5c0a19 in dissect_record epan/packet.c:498:3 #25 0x7f753d52c958 in epan_dissect_run_with_taps epan/epan.c:345:2 #26 0x5589dbfda212 in process_packet tshark.c:3725:5 #27 0x5589dbfd28e0 in load_cap_file tshark.c:3481:11 #28 0x5589dbfc892d in main tshark.c:2206:13 #29 0x7f75332d760f in __libc_start_main (/usr/lib/libc.so.6+0x2060f) #30 0x5589dbee5988 in _start (/tmp/wsbuild/run/tshark+0xc3988) SUMMARY: AddressSanitizer: undefined-behavior epan/crypt/airpdcap_ccmp.c:228:7 in epan/tvbuff.c:783:17: runtime error: null pointer passed as argument 1, which is declared to never be null /usr/include/string.h:43:28: note: nonnull attribute specified here #0 0x7f753d79f102 in tvb_memcpy epan/tvbuff.c:783:10 #1 0x7f753d79f9d5 in tvb_memdup epan/tvbuff.c:830:9 #2 0x7f753e9994e6 in dissect_radiotap epan/dissectors/packet-ieee80211-radiotap.c:623:9 #3 0x7f753d5dabce in call_dissector_through_handle epan/packet.c:620:3 #4 0x7f753d5c88d2 in call_dissector_work epan/packet.c:706:9 #5 0x7f753d5c79d1 in dissector_try_uint_new epan/packet.c:1163:9 #6 0x7f753e67eb74 in dissect_frame epan/dissectors/packet-frame.c:499:11 #7 0x7f753d5daa81 in call_dissector_through_handle epan/packet.c:618:9 #8 0x7f753d5c88d2 in call_dissector_work epan/packet.c:706:9 #9 0x7f753d5d5aa7 in call_dissector_only epan/packet.c:2549:8 #10 0x7f753d5c1664 in call_dissector_with_data epan/packet.c:2562:8 #11 0x7f753d5c0a19 in dissect_record epan/packet.c:498:3 #12 0x7f753d52c958 in epan_dissect_run_with_taps epan/epan.c:345:2 #13 0x5589dbfda212 in process_packet tshark.c:3725:5 #14 0x5589dbfd28e0 in load_cap_file tshark.c:3481:11 #15 0x5589dbfc892d in main tshark.c:2206:13 #16 0x7f75332d760f in __libc_start_main (/usr/lib/libc.so.6+0x2060f) #17 0x5589dbee5988 in _start (/tmp/wsbuild/run/tshark+0xc3988) SUMMARY: AddressSanitizer: undefined-behavior epan/tvbuff.c:783:17 in epan/dissectors/packet-ieee80211.c:16400:37: runtime error: left shift of 161 by 24 places cannot be represented in type 'int' #0 0x7f753ea189ef in crc32_802_tvb_padded epan/dissectors/packet-ieee80211.c:16400:37 #1 0x7f753ea0d510 in dissect_ieee80211_common epan/dissectors/packet-ieee80211.c:17524:19 #2 0x7f753e9df995 in dissect_ieee80211 epan/dissectors/packet-ieee80211.c:18317:10 #3 0x7f753d5daa81 in call_dissector_through_handle epan/packet.c:618:9 #4 0x7f753d5c88d2 in call_dissector_work epan/packet.c:706:9 #5 0x7f753d5d5aa7 in call_dissector_only epan/packet.c:2549:8 #6 0x7f753d5c1664 in call_dissector_with_data epan/packet.c:2562:8 #7 0x7f753e98dcb8 in dissect_wlan_radio epan/dissectors/packet-ieee80211-radio.c:976:10 #8 0x7f753d5daa81 in call_dissector_through_handle epan/packet.c:618:9 #9 0x7f753d5c88d2 in call_dissector_work epan/packet.c:706:9 #10 0x7f753d5d5aa7 in call_dissector_only epan/packet.c:2549:8 #11 0x7f753d5c1664 in call_dissector_with_data epan/packet.c:2562:8 #12 0x7f753e9a9d04 in dissect_radiotap epan/dissectors/packet-ieee80211-radiotap.c:1801:2 #13 0x7f753d5dabce in call_dissector_through_handle epan/packet.c:620:3 #14 0x7f753d5c88d2 in call_dissector_work epan/packet.c:706:9 #15 0x7f753d5c79d1 in dissector_try_uint_new epan/packet.c:1163:9 #16 0x7f753e67eb74 in dissect_frame epan/dissectors/packet-frame.c:499:11 #17 0x7f753d5daa81 in call_dissector_through_handle epan/packet.c:618:9 #18 0x7f753d5c88d2 in call_dissector_work epan/packet.c:706:9 #19 0x7f753d5d5aa7 in call_dissector_only epan/packet.c:2549:8 #20 0x7f753d5c1664 in call_dissector_with_data epan/packet.c:2562:8 #21 0x7f753d5c0a19 in dissect_record epan/packet.c:498:3 #22 0x7f753d52c958 in epan_dissect_run_with_taps epan/epan.c:345:2 #23 0x5589dbfda212 in process_packet tshark.c:3725:5 #24 0x5589dbfd28e0 in load_cap_file tshark.c:3481:11 #25 0x5589dbfc892d in main tshark.c:2206:13 #26 0x7f75332d760f in __libc_start_main (/usr/lib/libc.so.6+0x2060f) #27 0x5589dbee5988 in _start (/tmp/wsbuild/run/tshark+0xc3988) SUMMARY: AddressSanitizer: undefined-behavior epan/dissectors/packet-ieee80211.c:16400:37 in -
*** Bug #11623 (closed) has been marked as a duplicate of this bug. ***
-
*** Bug #12447 (closed) has been marked as a duplicate of this bug. ***
-
Change 15540 had a related patch set uploaded by Michael Mann: Make sure EAPOL body is big enough for a EAPOL_RSN_KEY.
-
Change 15540 merged by Anders Broman: Make sure EAPOL body is big enough for a EAPOL_RSN_KEY.
-
Change 15543 had a related patch set uploaded by Michael Mann: Make sure EAPOL body is big enough for a EAPOL_RSN_KEY.
-
Change 15544 had a related patch set uploaded by Michael Mann: Make sure EAPOL body is big enough for a EAPOL_RSN_KEY.
-
Change 15543 merged by Jeff Morriss: Make sure EAPOL body is big enough for a EAPOL_RSN_KEY.
-
Change 15544 merged by Michael Mann: Make sure EAPOL body is big enough for a EAPOL_RSN_KEY.
-
Change 16139 had a related patch set uploaded by Balint Reczey: Make sure EAPOL body is big enough for a EAPOL_RSN_KEY.
-
Change 16139 merged by Balint Reczey: Make sure EAPOL body is big enough for a EAPOL_RSN_KEY.
mentioned in issue #11623 (closed)
mentioned in issue #12447 (closed)
Please register or sign in to reply