Skip to content
GitLab
Closed
Issue created by Doneing@DoneingCK

Heap-buffer-overflow in canonify_unencrypted_header at packet-c1222-template.c

Summary

In Wireshark-3.5.1rc0, the epsem dissector could cause out-of-bounds memory reads.

Bug information

In line 789 at packet-c1222-template.c

image

Steps to reproduce

  • First, compile the program fuzzshark through ASAN. cmake -GNinja -DCMAKE_C_COMPILER=clang-12 -DCMAKE_CXX_COMPILER=clang++-12 -DDISABLE_WERROR=ON -DOSS_FUZZ=ON -DENABLE_STATIC=ON -DENABLE_PLUGINS=OFF -DENABLE_PCAP=OFF -DENABLE_GNUTLS=OFF -DBUILD_wireshark=OFF /wireshark-3.5.1rc0 && ninja all-fuzzers
  • Second, set environment variables. export FUZZSHARK_TARGET=tcp
  • Third, run the program with payload packet. ./fuzzshark tcp-crash-sample-001tcp-crash-sample-001

Crash state with ASAN

image image

Sample capture file

tcp-crash-sample-001

Edited by Gerald Combs
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information