[oss-fuzz] #6458 DOCSIS: Stack-overflow in dissect_docsis

This issue was migrated from bug 14446 in our old bug tracker.

Original bug information:

Reporter: Jakub Zawadzki
Status: RESOLVED FIXED
Product: Wireshark
Component: Dissection engine (libwireshark)
OS: Linux
Platform: x86
Version: Git

Attachments:

clusterfuzz-testcase-minimized-fuzzshark_ip_proto-udp-5773052244656128.pcap: capture file to crash wireshark

See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7337

Jakub Zawadzki said:

Created attachment 16146 capture file to crash wireshark

Build Information: TShark (Wireshark) 2.5.1 (v2.5.1rc0-182-gaef93dba)

Copyright 1998-2018 Gerald Combs <gerald@‍wireshark.org> and contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.42.2, with zlib 1.2.8, without SMI, without c-ares, without Lua, without GnuTLS, with Gcrypt 1.6.3, without Kerberos, without GeoIP, without nghttp2, without LZ4, without Snappy, without libxml2.

Running on Linux 3.17.4-301.fc21.x86_64, with Intel(R) Xeon(R) CPU E5530 @ 2.40GHz (with SSE4.2), with 24093 MB of physical memory, with locale pl_PL.UTF-8, with Gcrypt 1.6.3, with zlib 1.2.8.

Built using gcc 4.9.2 20150212 (Red Hat 4.9.2-6).

oss-fuzz found a packet to recursive call docsis dissector and crash wireshark https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6458

Backtrace:

#5  0x00007ffff4079900 in ws_vsnprintf (argptr=0x7fffff7ff8d8, format=0x7ffff4d6b878 "Bad checksum [should be 0x%0*x]", size_of_buffer=240, buffer=0x7fffff7ff790 "") at ../wsutil/ws_printf.h:66
#6  expert_set_info_vformat (pinfo=pinfo@entry=0x85aa88, pi=pi@entry=0x0, group=16777216, severity=8388608, hf_index=31184, use_vaformat=use_vaformat@entry=1, format=0x7ffff4d6b878 "Bad checksum [should be 0x%0*x]", ap=0x7fffff7ff8d8)
    at expert.c:529
#7  0x00007ffff407a6b0 in expert_add_info_format (pinfo=pinfo@entry=0x85aa88, pi=pi@entry=0x0, expindex=expindex@entry=0x7ffff69bf548 <ei_docsis_hcs_bad>, format=format@entry=0x7ffff4d6b878 "Bad checksum [should be 0x%0*x]")
    at expert.c:614
#8  0x00007ffff40abfa8 in proto_tree_add_checksum (tree=tree@entry=0x0, tvb=tvb@entry=0xebee80, offset=offset@entry=5, hf_checksum=<optimized out>, hf_checksum_status=31168,
    bad_checksum_expert=bad_checksum_expert@entry=0x7ffff69bf548 <ei_docsis_hcs_bad>, pinfo=0x85aa88, computed_checksum=30358, encoding=0, flags=1) at proto.c:11789
#9  0x00007ffff4315422 in dissect_hcs_field (tvb=0xebee80, pinfo=0x85aa88, docsis_tree=0x0, hdrlen=<optimized out>) at packet-docsis.c:458
#10 0x00007ffff4315a4f in dissect_docsis (tvb=0xebee80, pinfo=0x85aa88, tree=0x0, data=<optimized out>) at packet-docsis.c:636
#11 0x00007ffff407fbdb in call_dissector_through_handle (handle=handle@entry=0x7fffe9671b30, tvb=tvb@entry=0xebee80, pinfo=pinfo@entry=0x85aa88, tree=tree@entry=0x0, data=data@entry=0x0) at packet.c:694
(...)
#104754 0x00007ffff4315b69 in dissect_docsis (tvb=0x8598c0, pinfo=0x85aa88, tree=<optimized out>, data=<optimized out>) at packet-docsis.c:825
#104755 0x00007ffff407fbdb in call_dissector_through_handle (handle=handle@entry=0x7fffe9671b30, tvb=tvb@entry=0x8598c0, pinfo=pinfo@entry=0x85aa88, tree=tree@entry=0x0, data=data@entry=0x834e70) at packet.c:694
#104756 0x00007ffff4080b72 in call_dissector_work (handle=0x7fffe9671b30, tvb=tvb@entry=0x8598c0, pinfo_arg=pinfo_arg@entry=0x85aa88, tree=tree@entry=0x0, add_proto_name=add_proto_name@entry=1, data=data@entry=0x834e70) at packet.c:779
#104757 0x00007ffff40814df in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=33, tvb=tvb@entry=0x8598c0, pinfo=pinfo@entry=0x85aa88, tree=tree@entry=0x0, add_proto_name=add_proto_name@entry=1, data=0x834e70)
    at packet.c:1361
#104758 0x00007ffff43af7ba in dissect_frame (tvb=0x8598c0, pinfo=0x85aa88, parent_tree=0x0, data=0x7fffffffdc80) at packet-frame.c:579


Most of dissect_docsis() items is in line 825 which is call_dissector():

822	          while (concatlen > 0)
823	          {
824	            next_tvb = tvb_new_subset_length_caplen (tvb, concatpos, -1, concatlen);
825	            call_dissector (docsis_handle, next_tvb, pinfo, docsis_tree);
826	          }


(gdb) frame 14
#14 0x00007ffff4315b69 in dissect_docsis (tvb=0xebee30, pinfo=0x85aa88, tree=<optimized out>, data=<optimized out>) at packet-docsis.c:825
825	            call_dissector (docsis_handle, next_tvb, pinfo, docsis_tree);

(gdb) print concatlen
$3 = 8224
(gdb) print concatpos
$4 = 6
(gdb) print tvb->length
$5 = 33
(gdb) print tvb->reported_length
$6 = 8230


(gdb) frame 18
#18 0x00007ffff4315b69 in dissect_docsis (tvb=0xebed40, pinfo=0x85aa88, tree=<optimized out>, data=<optimized out>) at packet-docsis.c:825
825	            call_dissector (docsis_handle, next_tvb, pinfo, docsis_tree);

(gdb) print tvb->length
$14 = 33
(gdb) print tvb->reported_length
$15 = 8230

added crash libwireshark oslinux versiondev labels

Gerald Combs said:

I can replicate this in master and master-2.4 but not master-2.2.

Gerrit Code Review said:

Change 25905 had a related patch set uploaded by Gerald Combs: DOCSIS: Remove concatenated PDU dissection.

https://code.wireshark.org/review/25905

Gerrit Code Review said:

Change 25906 had a related patch set uploaded by Gerald Combs: DOCSIS: Remove concatenated PDU dissection.

https://code.wireshark.org/review/25906

Gerrit Code Review said:

Change 25905 merged by Anders Broman: DOCSIS: Remove concatenated PDU dissection.

https://code.wireshark.org/review/25905

Gerrit Code Review said:

Change 25906 merged by Anders Broman: DOCSIS: Remove concatenated PDU dissection.

https://code.wireshark.org/review/25906

closed