Buildbot crash output: fuzz-2020-12-09-3589621.pcap
Problems have been found with the following capture file:
https://www.wireshark.org/download/automated/captures/fuzz-2020-12-09-3589621.pcap
stderr:
Input file: /home/wireshark/menagerie/menagerie/16072-rtcp_transport_cc.pcap
Build host information:
Linux build1 5.4.0-56-generic #62-Ubuntu SMP Mon Nov 23 19:20:19 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 20.04.1 LTS
Release: 20.04
Codename: focal
Buildbot information:
BUILDBOT_REPOSITORY=git@gitlab.com:wireshark/wireshark.git
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_URL=https://buildbot.wireshark.org/wireshark-master/
BUILDBOT_BUILDNUMBER=5360
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_GOT_REVISION=770746cca810f0979f4b8dc82e2b2f1150f98dcc
Return value: 0
Dissector bug: 0
Valgrind error count: 0
Latest (but not necessarily the problem) commit:
770746cca8 epan: Fix format_text treatment of Greek, Arabic, etc.
Command and args: /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark -nVxr
=================================================================
==3789690==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff2d57a755 at pc 0x5649451bcff6 bp 0x7fff2d57a690 sp 0x7fff2d579e38
READ of size 73 at 0x7fff2d57a755 thread T0
#0 0x5649451bcff5 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x71ff5)
#1 0x5649451bd4ea in memcmp (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x724ea)
#2 0x7f4a99e28ac6 in quic_connection_equal /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-quic.c:794:39
#3 0x7f4a99e22b30 in check_dcid_on_coalesced_packet /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-quic.c:3260:12
#4 0x7f4a99e20410 in dissect_quic /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-quic.c:3333:14
#5 0x7f4a9b9a4b21 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
#6 0x7f4a9b999ad0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
#7 0x7f4a9b9a13d0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3233:8
#8 0x7f4a9b9515e1 in try_conversation_call_dissector_helper /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/conversation.c:1351:8
#9 0x7f4a9b95104f in try_conversation_dissector /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/conversation.c:1381:7
#10 0x7f4a9a49bc47 in decode_udp_ports /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-udp.c:652:7
#11 0x7f4a9a4a4e9e in dissect /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-udp.c:1261:5
#12 0x7f4a9a49ef5d in dissect_udp /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-udp.c:1267:3
#13 0x7f4a9b9a4b21 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
#14 0x7f4a9b999ad0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
#15 0x7f4a9b9993e9 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1413:8
#16 0x7f4a995ff9bb in ip_try_dissect /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ip.c:1817:7
#17 0x7f4a99605089 in dissect_ip_v4 /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ip.c:2299:10
#18 0x7f4a9b9a4b21 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
#19 0x7f4a9b999ad0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
#20 0x7f4a9b9993e9 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1413:8
#21 0x7f4a9b999ebb in dissector_try_uint /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1437:9
#22 0x7f4a991c1bfe in dissect_ethertype /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ethertype.c:292:21
#23 0x7f4a9b9a4b21 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
#24 0x7f4a9b999ad0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
#25 0x7f4a9b9a13d0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3233:8
#26 0x7f4a9b995b04 in call_dissector_with_data /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3246:8
#27 0x7f4a991be72b in dissect_eth_common /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-eth.c:568:5
#28 0x7f4a991bd197 in dissect_eth /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-eth.c:861:5
#29 0x7f4a9b9a4b21 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
#30 0x7f4a9b999ad0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
#31 0x7f4a9b9a13d0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3233:8
#32 0x7f4a9924ea42 in dissect_frame /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-frame.c:788:6
#33 0x7f4a9b9a4b21 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
#34 0x7f4a9b999ad0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
#35 0x7f4a9b9a13d0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3233:8
#36 0x7f4a9b995b04 in call_dissector_with_data /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3246:8
#37 0x7f4a9b9952f9 in dissect_record /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:594:3
#38 0x7f4a9b965118 in epan_dissect_run_with_taps /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/epan.c:598:2
#39 0x56494528215b in process_packet_single_pass /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3806:5
#40 0x564945285ab6 in process_cap_file_single_pass /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3460:9
#41 0x56494527f490 in process_cap_file /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3616:26
#42 0x5649452791c0 in main /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:2057:16
#43 0x7f4a8eb750b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#44 0x5649451a641d in _start (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x5b41d)
Address 0x7fff2d57a755 is located in stack of thread T0 at offset 53 in frame
#0 0x7f4a99e224df in check_dcid_on_coalesced_packet /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-quic.c:3226
This frame has 1 object(s):
[32, 53) 'dcid' (line 3229) <== Memory access at offset 53 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x71ff5) in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
0x100065aa7490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100065aa74a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100065aa74b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100065aa74c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100065aa74d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100065aa74e0: 00 00 00 00 f1 f1 f1 f1 00 00[05]f3 f3 f3 f3 f3
0x100065aa74f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100065aa7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100065aa7510: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 05 f2
0x100065aa7520: f2 f2 f2 f2 00 00 05 f2 f2 f2 f2 f2 f8 f2 f8 f2
0x100065aa7530: f8 f8 f8 f2 f2 f2 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3789690==ABORTING
no debug trace
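The report above says what went wrong but not why it matters: memcmp in quic_connection_equal read 73 bytes from a 21-byte stack object ('dcid', [32, 53) in the check_dcid_on_coalesced_packet frame). A QUIC v1 connection ID is at most 20 bytes (RFC 9000 section 17.2), yet the DCID Length field in a long header is a full byte, so a length of 73 is encodable on the wire; a comparison whose length comes from that field without being clamped to the buffer reads past it, which is the pattern this ASan trace shows. The following is an added illustration, not Wireshark's packet-quic.c code: the 1-byte-length + 20-byte-CID struct layout, the function names and the sample bytes are assumptions chosen to match the 21-byte object in the report, and the 73-byte length is taken from the "READ of size 73" line. It implements the RFC 9000 section 12.2 rule that packets coalesced into one UDP datagram must carry the same DCID, with the length validated before anything is copied or compared.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 9000 section 17.2 limits a QUIC v1 connection ID to 20 bytes, but the
 * DCID Length field in a long header is a full byte and can encode 0..255. */
#define QUIC_MAX_CID_LEN 20

/* Assumed layout: 1 length byte + 20 CID bytes = 21 bytes, the size of the
 * 'dcid' stack object in the ASan report ([32, 53)). Not Wireshark's type. */
typedef struct {
    uint8_t len;
    uint8_t cid[QUIC_MAX_CID_LEN];
} quic_cid_t;

/* Parse "DCID Length | DCID" from the start of buf. Rejects a length the
 * fixed-size struct cannot hold and a length that runs past the input, so
 * nothing is copied or compared beyond the 20-byte array. */
bool parse_dcid(const uint8_t *buf, size_t buflen, quic_cid_t *out)
{
    if (buflen < 1)
        return false;
    uint8_t dcil = buf[0];
    if (dcil > QUIC_MAX_CID_LEN)           /* e.g. 73: would overflow cid[] */
        return false;
    if ((size_t)dcil + 1 > buflen)         /* truncated datagram */
        return false;
    out->len = dcil;
    memcpy(out->cid, buf + 1, dcil);
    return true;
}

/* Equality without an out-of-bounds read: lengths must agree, and memcmp is
 * bounded by that already-validated length, never by raw wire data. */
bool cid_equal(const quic_cid_t *a, const quic_cid_t *b)
{
    if (a->len != b->len || a->len > QUIC_MAX_CID_LEN)
        return false;
    return memcmp(a->cid, b->cid, a->len) == 0;
}

/* RFC 9000 section 12.2: every packet coalesced into one UDP datagram must
 * carry the same DCID; a packet whose DCID differs is discarded.
 * Returns 1 (same DCID), 0 (different DCID) or -1 (malformed DCID field). */
int check_dcid_matches(const uint8_t *first, size_t first_len,
                       const uint8_t *coalesced, size_t coalesced_len)
{
    quic_cid_t a, b;
    if (!parse_dcid(first, first_len, &a) ||
        !parse_dcid(coalesced, coalesced_len, &b))
        return -1;
    return cid_equal(&a, &b) ? 1 : 0;
}

/* Constructed sample inputs (not bytes from the fuzzed capture): a DCID
 * Length byte followed by the DCID bytes. */
static const uint8_t kSameA[]     = {8, 1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t kSameB[]     = {8, 1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t kDifferent[] = {8, 9, 9, 9, 9, 9, 9, 9, 9};
static const uint8_t kEmpty[]     = {0};                         /* zero-length CID is legal */
static const uint8_t kOversized[] = {73, 0xAA, 0xBB, 0xCC, 0xDD}; /* claims 73 bytes, as in the report */
static const uint8_t kTruncated[] = {8, 1, 2, 3};                /* claims 8, only 3 present */

int main(void)
{
    printf("same:      %d\n", check_dcid_matches(kSameA, sizeof kSameA, kSameB, sizeof kSameB));
    printf("different: %d\n", check_dcid_matches(kSameA, sizeof kSameA, kDifferent, sizeof kDifferent));
    printf("empty:     %d\n", check_dcid_matches(kEmpty, sizeof kEmpty, kEmpty, sizeof kEmpty));
    printf("oversized: %d\n", check_dcid_matches(kSameA, sizeof kSameA, kOversized, sizeof kOversized));
    printf("truncated: %d\n", check_dcid_matches(kSameA, sizeof kSameA, kTruncated, sizeof kTruncated));
    return 0;
}
```

Compiled with -fsanitize=address, the oversized and truncated inputs return -1 with no ASan report, because the only memcmp and memcpy lengths in the program are values that have already been checked against both the struct size and the remaining input. The check that the report shows missing is the one on the length byte, before it is used for a copy or compare, rather than a check on the memcmp call itself.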