Wireshark stability - multiple dissector bugs - runtime errors
Summary
This is my naive attempt to fix (hopefully) all of Wireshark's dissector runtime errors. In the last few weeks I ran fuzzers and wrote some tools to find and disclose security and stability bugs with the sole goal of making Wireshark as stable as possible. I've gathered a decent list of naughty dissectors that are passing NULL pointers to functions when they shouldn't. Obviously this could cause undefined behavior at runtime and sometimes even crash Wireshark/tshark - runtime error: null pointer passed as argument.
I decided to concentrate everything into a single issue so I won't spam with many "NULL pointer is passed" issues.
To reproduce these issues, one would need to compile tshark with address sanitizers (and specifically UBS - UndefinedBehaviorSanitizer). There are 5 main categories of runtime errors:
- NULL pointer passed to bytes_to_str_punct_maxlen()
- NULL pointer passed as argument to epan/tvbuff.c:932:17
- NULL pointer passed as argument to wsutil/wmem/wmem_array.c:119:63
- Store to misaligned address
- X is outside the range of representable values of type unsigned int
[Fixed?] Dissector
- ZigBee-ZCL
- ACF-LIN
- ACF-CAN
- ANSI C12.22
- SMB2 (SMB3)
- CIP
- DTLS
- LTP
- SSLv3
- CSN1 (X2AP)
- DNS
- SNMP
- ENIP
- Bundle
- NBAP
- TCP
- CoAP
- IPDC
- CL-PRES
- 802.11
- NFS
- DCERPC
- RPC
- BPv7
- 5co-legacy
- 6LoWPAN
- JXTA
Samples
ZigBee-ZCL (zbee_zcl)
** (tshark:66662) 17:07:59.843905 [(none) CRITICAL] wsutil/to_str.c:229 -- bytes_to_str_punct_maxlen(): Null pointer 'src' passed to bytes_to_str_punct_maxlen()
0.000000 1 00:00:a0:45:df:06:a6:26 → 0x0101 ZigBee ZCL: Write Attributes No Response, Seq: 10[BoundErrorUnreassembled Packet] 112
ACF-LIN
** (tshark:66684) 17:08:05.983981 [(none) CRITICAL] wsutil/to_str.c:229 -- bytes_to_str_punct_maxlen(): Null pointer 'src' passed to bytes_to_str_punct_maxlen()
0.000000 1 00:00:06:66:29:21 → 70:b3:d5:8e:f6:de ACF-LIN ACF-LIN(31): 0xfb fb fb 116
ACF-CAN
** (tshark:66710) 17:08:15.849287 [(none) CRITICAL] wsutil/to_str.c:229 -- bytes_to_str_punct_maxlen(): Null pointer 'src' passed to bytes_to_str_punct_maxlen()
0.000000 1 00:00:00:66:29:21 → 70:b3:d5:8e:f6:de ACF-CAN ACF-CAN(4): 0x04040404 7c 50 00 00 01 00 04 04 119
ANSI C12.22
tshark_errors/error/e607ffef414486cb75738d15e41a7fbea057137a.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 ANSI C12.22 169 1153 → 36659 [PSH, CWR, Reserved] Seq=553674532 Win=34952[BoundErrorUnreassembled Packet][BoundErrorUnreassembled Packet][Malformed Packet]
SMB2 (SMB3)
tshark_errors/error/f85d55d45096d2b94e9794ea7342935770fc70aa.pcap
../wsutil/wmem/wmem_array.c:119:63: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../wsutil/wmem/wmem_array.c:119:63 in
../epan/tvbuff_lznt1.c:135:10: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff_lznt1.c:135:10 in
1 0.000000 170.170.170.170 → 170.170.170.170 SMB2 112 Decomp. SMB3[BoundErrorUnreassembled Packet]
tshark_errors/error/762ec73eaa1361726383f30fa3e1d6c787c5d9fe.pcap
../wsutil/wmem/wmem_array.c:119:63: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../wsutil/wmem/wmem_array.c:119:63 in
1 0.000000 170.170.170.170 → 170.170.170.170 SMB2 120 Comp. SMB3 (unknown)
CIP
tshark_errors/error/2a616f06df5882de9dbf1925fa6e3843e14dc078.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 CIP 109 Multiple Service Packet: Start, [BoundErrorUnreassembled Packet][BoundErrorUnreassembled Packet]
tshark_errors/error/a513e0347ba7c4f33abc310247c0644e03fc22ae.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 CIP 108 Service (0x00)
DTLS
tshark_errors/error/14041d11455b0a6fdc9a940ff356982be32142dd.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 DTLS 1.0 (OpenSSL pre 0.9.8f) 112 Certificate Request (Fragment), Certificate Request[BoundErrorUnreassembled Packet][BoundErrorUnreassembled Packet]
LTP
tshark_errors/error/1901d52c701302cf5de33c95f652b64e532dade8.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 LTP Segment 101 Protocol Error
SSLv3
tshark_errors/error/94be75d690a7301ade3e70769a1f1dbc9a3e3df7.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 SSLv3 124 New Session Ticket, New Session Ticket, End of Early Data, End of Early Data, Continuation Data, Continuation Data
tshark_errors/error/30a018ee7c96129f081ca38dda267cd83139095b.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 SSLv3 124 End of Early Data, New Session Ticket, End of Early Data, End of Early Data, Continuation Data, Continuation Data, Continuation Data
CSN1 (X2AP)
tshark_errors/error/5da74e09f3d5a3a0af8d8c8a6142bf644217bcc0.pcap
../epan/dissectors/packet-csn1.c:773:17: runtime error: store to misaligned address 0x7f61f9e375b1 for type 'guint16' (aka 'unsigned short'), which requires 2 byte alignment
0x7f61f9e375b1: note: pointer points here
00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/dissectors/packet-csn1.c:773:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 X2AP 117 ENDCConfigurationTransfer, MobilityFromEUTRACommand:GPRS DL CTRL: PACKET_SYSTEM_INFO_3:GPRS DL CTRL: PACKET_SYSTEM_INFO_3[Malformed Packet][Malformed Packet][Malformed Packet]
tshark_errors/error/dd7fe5d01f155faebb8021e22a2fa27c9d2b9825.pcap
../epan/dissectors/packet-csn1.c:773:17: runtime error: store to misaligned address 0x7f3861c3ab5d for type 'guint16' (aka 'unsigned short'), which requires 2 byte alignment
0x7f3861c3ab5d: note: pointer points here
00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/dissectors/packet-csn1.c:773:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 X2AP 116 GNBStatusIndication, MobilityFromEUTRACommand[Malformed Packet]:GPRS DL CTRL: PACKET_CELL_CHANGE_ORDER[Malformed Packet][Malformed Packet]
DNS
tshark_errors/error/746d5475691e3bd7b74e7a78ae3cd9491d9f724d.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 DNS 151 Unknown operation (9) 0x0000 HTTPS[BoundErrorUnreassembled Packet]
tshark_errors/error/1d3bb7805e95fba0ae43bc87ec0963acc13a32f4.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 DNS 154 Standard query 0x0267 SVCB[BoundErrorUnreassembled Packet]
SNMP
tshark_errors/error/42458338bed52e817ef07d6caa391106bf9a3a3e.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 SNMP 126 get-response itu-t
ENIP
tshark_errors/error/64112d632148396fe46936637ca6e019c40bb53d.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 ENIP 119 Get Attribute List | Unknown Command (0x0232) (Req)[BoundErrorUnreassembled Packet]
Bundle
tshark_errors/error/88b8ef634bfa18e1ec595a9b0d6382637ce8f827.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 Bundle 106 Protocol Error
NBAP
tshark_errors/error/f33b37100c1014ebde8859eb17c23021c47ed010.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 NBAP 123 id-cellReconfiguration (MasterInformationBlock[Malformed Packet][Malformed Packet]
TCP
tshark_errors/error/22247efd63b724b44633847393617375d026d315.pcap
../epan/tvbuff.c:2232:35: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:92:34: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:2232:35 in
1 0.000000 196.0.0.0 → 0.0.160.158 TCP 129 54051 → 30028 [SYN, PSH, ACK, CWR, Reserved] Seq=0 Ack=1 Win=39578 Len=26
tshark_errors/error/ea86b73f7579aa746d04ba6d186c52f6497d8f4e.pcap
../epan/tvbuff.c:2232:35: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:92:34: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:2232:35 in
1 0.000000 0.0.0.0 → 160.158.211.35 TCP 127 30028 → 28928 [SYN, PSH, ACK, CWR, Reserved] Seq=0 Ack=1 Win=65467 Len=24
CoAP
tshark_errors/error/feada1a8b3048fd4b263cbfd2c8f4932f77b007e.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 CoAP 143 RST, MID:32667, Unknown 255[BoundErrorUnreassembled Packet]
IPDC
tshark_errors/error/8583c6e8b477b0b8a15e31ac207a02d8abf50200.pcap
../epan/dissectors/packet-ipdc.c:828:25: runtime error: 2.69599e+67 is outside the range of representable values of type 'unsigned int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/dissectors/packet-ipdc.c:828:25 in
1 0.000000 170.170.170.170 → 170.170.170.170 IPDC 126 14001 → 6668 [PSH, URG, NS, Reserved] Seq=0 Win=17717 Urg=8960r=0 s=0 TID=f100000f UNDEFINED [BoundErrorUnreassembled Packet]r=0 s=0 TID=ff000006 UNDEFINED [BoundErrorUnreassembled Packet]
CL-PRES
tshark_errors/error/6d96ffe15d77326b3877e1837ba633d3bc2df741.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 CL-PRES 122 [Malformed Packet]
802.11
tshark_errors/error/6d9b3270b75a036f6ccff68aed5a863add4084dc.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 802.11 167 PV1 Management[Malformed Packet]
NFS
tshark_errors/error/e2d684637c2c6810639d33d11b1fd95adf94b169.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 NFS CB 119 FragmentFragmentFragment ; V3844603904 proc-3137388032 Call
DCERPC
tshark_errors/error/7c04dfdd49cef00fa85cebf2a7af47181a12f9ad.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 DCERPC 134 RPC-over-HTTP RTS: call_id: 12763842, Fragment: Mid[BoundErrorUnreassembled Packet]
RPC
tshark_errors/error/d6ca8adc49c920a3e628c909e144b717112eb236.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 RPC 116 FragmentFragmentFragmentFragment
BPv7
tshark_errors/error/34c6678ceeeb0676f126bd8fd3c4a60a53cbbf2b.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 BPv7 80 [Malformed Packet]
5co-legacy
tshark_errors/error/bd87afea90f7f96919d2af8895c3fb2ddb6c9d54.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 170.170.170.170 → 170.170.170.170 5co-legacy 126 I2C Read and write with ack ID=1799 Len=0 [BAD CHECKSUM !!], I2C Read and write with ack ID=1799 Len=0 [BAD CHECKSUM !!], I2C Read and write with ack ID=1799 Len=16 [BAD CHECKSUM !!]
6LoWPAN
tshark_errors/error/695ec0c3565e61008b761ccb37bb9351efb2c1b2.pcap
../epan/tvbuff.c:932:17: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:932:17 in
1 0.000000 0x8888 → 6LoWPAN 101 Data, Src: 0x8888[BoundErrorUnreassembled Packet]
JXTA
tshark_errors/error/daa5b5267078cc99209152a253546e0665989768.pcap
../epan/tvbuff.c:2232:35: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:92:34: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../epan/tvbuff.c:2232:35 in
1 0.000000 136.136.136.136 → 136.131.18.2 JXTA 129 Welcome
Build information
TShark (Wireshark) 3.7.0 (v3.7.0rc0-844-g14a1dfbe1083)
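
The three kinds of undefined behavior reported above (NULL passed to a nonnull-declared string.h function, a store to a misaligned address, and a floating-point value outside the range of unsigned int) each have a small defensive pattern in C. The following is an added example, not code from this issue or from the Wireshark source; the helper names safe_copy, store_u16 and double_to_u32 are hypothetical.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper: memcpy() is declared nonnull, so a NULL pointer is
 * what UBSan flags even when len == 0. Skip the call for empty copies and
 * reject NULL combined with a non-zero length. */
static bool safe_copy(void *dst, const void *src, size_t len)
{
    if (len == 0)
        return true;             /* nothing to copy, never reach memcpy() */
    if (dst == NULL || src == NULL)
        return false;            /* caller bug: report it instead of UB */
    memcpy(dst, src, len);
    return true;
}

/* Hypothetical helper: store a 16-bit value at an arbitrary byte offset.
 * Casting to uint16_t* and writing through it is undefined on an odd
 * address; memcpy() has no alignment requirement. */
static void store_u16(uint8_t *base, size_t offset, uint16_t value)
{
    memcpy(base + offset, &value, sizeof value);
}

/* Hypothetical helper: convert a double to uint32_t only when the value is
 * representable; NaN, negative and too-large inputs are rejected. */
static bool double_to_u32(double in, uint32_t *out)
{
    if (isnan(in) || in < 0.0 || in > (double)UINT32_MAX)
        return false;
    *out = (uint32_t)in;
    return true;
}

int main(void)
{
    uint8_t buf[4] = {0};        /* constructed sample buffer */
    uint32_t u = 0;

    store_u16(buf, 1, 0xBEEF);   /* odd offset, the misaligned case above */
    /* Exit 0 when every guard behaves as intended. */
    return (safe_copy(NULL, NULL, 0) && !safe_copy(buf, NULL, 4) &&
            !double_to_u32(2.69599e+67, &u)) ? 0 : 1;
}
```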