Wireshark NULL pointer dereference in wmem_tree_lookup32

Mateusz Jurczyk said:

Created attachment 14497 Reproducers.

Build Information: TShark (Wireshark) 2.1.0 (v2.1.0rc0-2738-g68ec6735 from master)

Copyright 1998-2016 Gerald Combs <gerald@‍wireshark.org> and contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, without POSIX capabilities, without libnl, with GLib 2.40.2, with zlib 1.2.8, without SMI, without c-ares, without Lua, without GnuTLS, without Gcrypt, with MIT Kerberos, without GeoIP.

Running on Linux 3.13.0-77-generic, with locale en_US.UTF-8, with libpcap version 1.5.3, with zlib 1.2.8. Intel(R) Xeon(R) CPU E5-1650 v2 @ 3.50GHz (with SSE4.2)

Built using clang 4.2.1 Compatible Clang 3.8.0 (trunk 251411).

The following crash due to a NULL pointer dereference can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

Attached are two files which trigger the crash.

--- cut ---
==32181==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f3bb2b35930 bp 0x7fffbc35ce50 sp 0x7fffbc35cdd0 T0)
    #0 0x7f3bb2b3592f in wmem_tree_lookup32 wireshark/epan/wmem/wmem_tree.c:457:36
    #1 0x7f3bb1703342 in dissect_usb_ms_bulk wireshark/epan/dissectors/packet-usb-masstorage.c:252:28
    #2 0x7f3bb170510d in dissect_usb_ms_bulk_heur wireshark/epan/dissectors/packet-usb-masstorage.c:372:9
    #3 0x7f3baf431bbb in dissector_try_heuristic wireshark/epan/packet.c:2390:7
    #4 0x7f3bb1721c3a in try_dissect_next_protocol wireshark/epan/dissectors/packet-usb.c:3144:15
    #5 0x7f3bb171d7cc in dissect_usb_payload wireshark/epan/dissectors/packet-usb.c:3930:19
    #6 0x7f3bb1712877 in dissect_usb_common wireshark/epan/dissectors/packet-usb.c:4287:5
    #7 0x7f3bb171e1a2 in dissect_linux_usb wireshark/epan/dissectors/packet-usb.c:4294:5
    #8 0x7f3baf437911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #9 0x7f3baf42957a in call_dissector_work wireshark/epan/packet.c:731:9
    #10 0x7f3baf428d4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
    #11 0x7f3bb023a105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
    #12 0x7f3baf437911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #13 0x7f3baf42957a in call_dissector_work wireshark/epan/packet.c:731:9
    #14 0x7f3baf433a1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #15 0x7f3baf4248ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #16 0x7f3baf423cd4 in dissect_record wireshark/epan/packet.c:539:3
    #17 0x7f3baf3d6db9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
    #18 0x52ef3f in process_packet wireshark/tshark.c:3727:5
    #19 0x52830c in load_cap_file wireshark/tshark.c:3483:11
    #20 0x51e67c in main wireshark/tshark.c:2192:13

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV wireshark/epan/wmem/wmem_tree.c:457:36 in wmem_tree_lookup32
==32181==ABORTING
--- cut ---