Wireshark Foundation / Wireshark / Issues / #17073

Buildbot crash output: fuzz-2020-12-09-3589621.pcap

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2020-12-09-3589621.pcap

stderr:

Input file: /home/wireshark/menagerie/menagerie/16072-rtcp_transport_cc.pcap

Build host information:
Linux build1 5.4.0-56-generic #62-Ubuntu SMP Mon Nov 23 19:20:19 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.1 LTS
Release:	20.04
Codename:	focal

Buildbot information:
BUILDBOT_REPOSITORY=git@gitlab.com:wireshark/wireshark.git
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_URL=https://buildbot.wireshark.org/wireshark-master/
BUILDBOT_BUILDNUMBER=5360
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_GOT_REVISION=770746cca810f0979f4b8dc82e2b2f1150f98dcc

Return value:  0

Dissector bug:  0

Valgrind error count:  0

Latest (but not necessarily the problem) commit:
770746cca8 epan: Fix format_text treatment of Greek, Arabic, etc.
Command and args: /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark  -nVxr
=================================================================
==3789690==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff2d57a755 at pc 0x5649451bcff6 bp 0x7fff2d57a690 sp 0x7fff2d579e38
READ of size 73 at 0x7fff2d57a755 thread T0
    #0 0x5649451bcff5 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x71ff5)
    #1 0x5649451bd4ea in memcmp (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x724ea)
    #2 0x7f4a99e28ac6 in quic_connection_equal /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-quic.c:794:39
    #3 0x7f4a99e22b30 in check_dcid_on_coalesced_packet /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-quic.c:3260:12
    #4 0x7f4a99e20410 in dissect_quic /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-quic.c:3333:14
    #5 0x7f4a9b9a4b21 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #6 0x7f4a9b999ad0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #7 0x7f4a9b9a13d0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3233:8
    #8 0x7f4a9b9515e1 in try_conversation_call_dissector_helper /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/conversation.c:1351:8
    #9 0x7f4a9b95104f in try_conversation_dissector /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/conversation.c:1381:7
    #10 0x7f4a9a49bc47 in decode_udp_ports /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-udp.c:652:7
    #11 0x7f4a9a4a4e9e in dissect /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-udp.c:1261:5
    #12 0x7f4a9a49ef5d in dissect_udp /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-udp.c:1267:3
    #13 0x7f4a9b9a4b21 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #14 0x7f4a9b999ad0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #15 0x7f4a9b9993e9 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1413:8
    #16 0x7f4a995ff9bb in ip_try_dissect /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ip.c:1817:7
    #17 0x7f4a99605089 in dissect_ip_v4 /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ip.c:2299:10
    #18 0x7f4a9b9a4b21 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #19 0x7f4a9b999ad0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #20 0x7f4a9b9993e9 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1413:8
    #21 0x7f4a9b999ebb in dissector_try_uint /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1437:9
    #22 0x7f4a991c1bfe in dissect_ethertype /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ethertype.c:292:21
    #23 0x7f4a9b9a4b21 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #24 0x7f4a9b999ad0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #25 0x7f4a9b9a13d0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3233:8
    #26 0x7f4a9b995b04 in call_dissector_with_data /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3246:8
    #27 0x7f4a991be72b in dissect_eth_common /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-eth.c:568:5
    #28 0x7f4a991bd197 in dissect_eth /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-eth.c:861:5
    #29 0x7f4a9b9a4b21 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #30 0x7f4a9b999ad0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #31 0x7f4a9b9a13d0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3233:8
    #32 0x7f4a9924ea42 in dissect_frame /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-frame.c:788:6
    #33 0x7f4a9b9a4b21 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #34 0x7f4a9b999ad0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #35 0x7f4a9b9a13d0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3233:8
    #36 0x7f4a9b995b04 in call_dissector_with_data /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3246:8
    #37 0x7f4a9b9952f9 in dissect_record /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:594:3
    #38 0x7f4a9b965118 in epan_dissect_run_with_taps /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/epan.c:598:2
    #39 0x56494528215b in process_packet_single_pass /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3806:5
    #40 0x564945285ab6 in process_cap_file_single_pass /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3460:9
    #41 0x56494527f490 in process_cap_file /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3616:26
    #42 0x5649452791c0 in main /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:2057:16
    #43 0x7f4a8eb750b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
    #44 0x5649451a641d in _start (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x5b41d)

Address 0x7fff2d57a755 is located in stack of thread T0 at offset 53 in frame
    #0 0x7f4a99e224df in check_dcid_on_coalesced_packet /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-quic.c:3226

  This frame has 1 object(s):
    [32, 53) 'dcid' (line 3229) <== Memory access at offset 53 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x71ff5) in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
==3789690==ABORTING

no debug trace
