Wireshark Foundation / wireshark / Issues / #17254

Issue created Feb 23, 2021 by A Wireshark GitLab Utility (@ws-gitlab-utility, Developer)

Buildbot crash output: fuzz-2021-02-22-1012761.pcap

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2021-02-22-1012761.pcap

stderr:

Input file: /home/wireshark/menagerie/menagerie/issue-17245-clusterfuzz-testcase-minimized-fuzzshark_ip-5444637764485120.pcap

Build host information:
Linux build1 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.2 LTS
Release:	20.04
Codename:	focal

Buildbot information:
BUILDBOT_REPOSITORY=git@gitlab.com:wireshark/wireshark.git
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_URL=https://buildbot.wireshark.org/wireshark-master/
BUILDBOT_BUILDNUMBER=5457
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_GOT_REVISION=2e7f2ffb7ae0b56646b96321cfaa3920dc5903c6

Return value:  0

Dissector bug:  0

Valgrind error count:  0



Latest (but not necessarily the problem) commit:
2e7f2ffb7a Added "Follow DCCP stream" feature.


Command and args: /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark  -nVxr
=================================================================
==1138249==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcfea222cf at pc 0x560c266649aa bp 0x7ffcfea21790 sp 0x7ffcfea20f58
WRITE of size 49 at 0x7ffcfea222cf thread T0
    #0 0x560c266649a9 in __asan_memcpy (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0xd49a9)
    #1 0x7f6532664505 in tvb_memcpy /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/tvbuff.c:859:10
    #2 0x7f6532676245 in composite_memcpy /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/tvbuff_composite.c:142:10
    #3 0x7f65326646c6 in tvb_memcpy /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/tvbuff.c:863:10
    #4 0x7f6532677f79 in subset_memcpy /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/tvbuff_subset.c:50:9
    #5 0x7f65326646c6 in tvb_memcpy /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/tvbuff.c:863:10
    #6 0x7f6532677f79 in subset_memcpy /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/tvbuff_subset.c:50:9
    #7 0x7f65326646c6 in tvb_memcpy /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/tvbuff.c:863:10
    #8 0x7f6532670f5f in _tvb_get_nstringz /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/tvbuff.c:3595:2
    #9 0x7f65326711ea in tvb_get_nstringz0 /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/tvbuff.c:3634:8
    #10 0x7f653048416b in dissect_megaco_text /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-megaco.c:643:9
    #11 0x7f65304899d7 in dissect_megaco_text_tcp /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-megaco.c:495:9
    #12 0x7f6532543241 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #13 0x7f65325381e0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #14 0x7f6532537af9 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1413:8
    #15 0x7f6530e8b380 in decode_tcp_ports /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-tcp.c:6130:9
    #16 0x7f6530e91fab in process_tcp_payload /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-tcp.c:6199:13
    #17 0x7f6530e8d368 in dissect_tcp_payload /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-tcp.c:6281:9
    #18 0x7f6530e9f82b in dissect_tcp /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-tcp.c:7226:17
    #19 0x7f6532543241 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #20 0x7f65325381e0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #21 0x7f6532537af9 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1413:8
    #22 0x7f653013980b in ip_try_dissect /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ip.c:1817:7
    #23 0x7f653013eebe in dissect_ip_v4 /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ip.c:2295:10
    #24 0x7f653013a092 in dissect_ip /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ip.c:2319:12
    #25 0x7f6532543241 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #26 0x7f65325381e0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #27 0x7f653253faf0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3233:8
    #28 0x7f6532534204 in call_dissector_with_data /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3246:8
    #29 0x7f65310e38f9 in dissect_vjc_uncomp /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-vj-comp.c:358:12
    #30 0x7f6532543241 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #31 0x7f65325381e0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #32 0x7f6532537af9 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1413:8
    #33 0x7f65325385cb in dissector_try_uint /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1437:9
    #34 0x7f65309018ff in dissect_ppp_common /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ppp.c:4786:10
    #35 0x7f65308ec83a in dissect_ppp /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ppp.c:5769:5
    #36 0x7f6532543241 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #37 0x7f65325381e0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #38 0x7f6532537af9 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1413:8
    #39 0x7f65325385cb in dissector_try_uint /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1437:9
    #40 0x7f65308190b6 in dissect_osi /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-osi.c:468:7
    #41 0x7f6532543241 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #42 0x7f65325381e0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #43 0x7f6532537af9 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1413:8
    #44 0x7f653013980b in ip_try_dissect /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ip.c:1817:7
    #45 0x7f653013eebe in dissect_ip_v4 /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ip.c:2295:10
    #46 0x7f6532543241 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #47 0x7f65325381e0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #48 0x7f6532537af9 in dissector_try_uint_new /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1413:8
    #49 0x7f65325385cb in dissector_try_uint /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:1437:9
    #50 0x7f652fcee49e in dissect_ethertype /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-ethertype.c:292:21
    #51 0x7f6532543241 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #52 0x7f65325381e0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #53 0x7f653253faf0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3233:8
    #54 0x7f6532534204 in call_dissector_with_data /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3246:8
    #55 0x7f652fceafcb in dissect_eth_common /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-eth.c:568:5
    #56 0x7f652fce9a37 in dissect_eth /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-eth.c:861:5
    #57 0x7f6532543241 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #58 0x7f65325381e0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #59 0x7f653253faf0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3233:8
    #60 0x7f652fd7b8f2 in dissect_frame /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-frame.c:788:6
    #61 0x7f6532543241 in call_dissector_through_handle /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:720:9
    #62 0x7f65325381e0 in call_dissector_work /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:813:9
    #63 0x7f653253faf0 in call_dissector_only /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3233:8
    #64 0x7f6532534204 in call_dissector_with_data /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:3246:8
    #65 0x7f65325339f9 in dissect_record /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/packet.c:594:3
    #66 0x7f65325037f8 in epan_dissect_run_with_taps /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/epan.c:607:2
    #67 0x560c266c73fb in process_packet_single_pass /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3849:5
    #68 0x560c266cad96 in process_cap_file_single_pass /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3503:9
    #69 0x560c266c4730 in process_cap_file /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:3659:26
    #70 0x560c266be34a in main /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../tshark.c:2097:16
    #71 0x7f65250540b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #72 0x560c265eb42d in _start (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0x5b42d)

Address 0x7ffcfea222cf is located in stack of thread T0 at offset 79 in frame
    #0 0x7f6530483e0f in dissect_megaco_text /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/build/cmbuild/../epan/dissectors/packet-megaco.c:578

  This frame has 7 object(s):
    [32, 40) 'sub_ti' (line 585)
    [64, 79) 'word' (line 587)
    [96, 126) 'TermID' (line 588) <== Memory access at offset 79 partially underflows this variable
    [160, 161) 'needle' (line 593)
    [176, 177) 'ber_class' (line 670)
    [192, 196) 'pc' (line 671)
    [208, 212) 'tag' (line 672)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.asan/bin/tshark+0xd49a9) in __asan_memcpy
Shadow bytes around the buggy address:
  0x10001fd3c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001fd3c410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001fd3c420: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10001fd3c430: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001fd3c440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10001fd3c450: f1 f1 f1 f1 00 f2 f2 f2 00[07]f2 f2 00 00 00 06
  0x10001fd3c460: f2 f2 f2 f2 01 f2 f8 f2 f8 f2 f8 f3 00 00 00 00
  0x10001fd3c470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001fd3c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001fd3c490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001fd3c4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1138249==ABORTING

no debug trace
