Fuzz job crash output: fuzz-2022-02-07-6714.pcap
Problems have been found with the following capture file:
https://www.wireshark.org/download/automated/captures/fuzz-2022-02-07-6714.pcap
stderr:
Branch: HEAD
Input file: /var/menagerie/menagerie/13895-x509-ce-distribution-points-dissection-problem.pcapng
Build host information:
Linux 5.4.0-96-generic #109-Ubuntu SMP Wed Jan 12 16:49:16 UTC 2022 x86_64
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
Branch: release-3.4
CI job name: ASan Menagerie Fuzz, ID: 2060427609
Return value: 0
Dissector bug: 0
Valgrind error count: 0
Latest (but not necessarily the problem) commit:
e9c3dfe05 [Automatic update for 2022-02-06]
Command and args: /builds/wireshark/wireshark/_install/bin/tshark -2 -nVxr
Running as user "root" and group "root". This could be dangerous.
=================================================================
==87972==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000886420 at pc 0x5604c9392069 bp 0x7ffe62ef3be0 sp 0x7ffe62ef33a0
READ of size 28 at 0x606000886420 thread T0
#0 0x5604c9392068 in strlen (/builds/wireshark/wireshark/_install/bin/tshark+0x6e068)
#1 0x7f9e573a6147 in g_strdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72147)
#2 0x7f9e63f2bc6b in find_string_dtbl_entry /builds/wireshark/wireshark/build/../epan/packet.c:1496:9
#3 0x7f9e63f2c041 in dissector_try_string_new /builds/wireshark/wireshark/build/../epan/packet.c:1692:15
#4 0x7f9e63f2c206 in dissector_try_string /builds/wireshark/wireshark/build/../epan/packet.c:1739:9
#5 0x7f9e6100e26d in call_ber_oid_callback /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:1101:17
#6 0x7f9e631995f1 in dissect_cms_T_parameters /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:220:10
#7 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
#8 0x7f9e63199477 in dissect_cms_SMIMECapability /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:236:12
#9 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
#10 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
#11 0x7f9e63199407 in dissect_cms_SMIMECapabilities /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:249:12
#12 0x7f9e63194397 in dissect_SMIMECapabilities_PDU /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:893:12
#13 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#14 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#15 0x7f9e63f2c136 in dissector_try_string_new /builds/wireshark/wireshark/build/../epan/packet.c:1714:9
#16 0x7f9e63f2c206 in dissector_try_string /builds/wireshark/wireshark/build/../epan/packet.c:1739:9
#17 0x7f9e6100e26d in call_ber_oid_callback /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:1101:17
#18 0x7f9e63ba9279 in dissect_x509af_T_extnValue /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:146:10
#19 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
#20 0x7f9e63ba6447 in dissect_x509af_Extension /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:163:12
#21 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
#22 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
#23 0x7f9e63ba64b7 in dissect_x509af_Extensions /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:176:12
#24 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
#25 0x7f9e63ba9367 in dissect_x509af_T_signedCertificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:199:12
#26 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
#27 0x7f9e63ba6527 in dissect_x509af_Certificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:226:12
#28 0x7f9e6293c5e9 in ssl_dissect_hnd_cert /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls-utils.c:8838:13
#29 0x7f9e629656ca in dissect_tls_handshake_full /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:2676:17
#30 0x7f9e629632fa in dissect_tls_handshake /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:2495:9
#31 0x7f9e6295ed72 in dissect_ssl3_record /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:2005:13
#32 0x7f9e6295aa21 in dissect_ssl /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:745:26
#33 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#34 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#35 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
#36 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
#37 0x7f9e63f32a61 in call_dissector /builds/wireshark/wireshark/build/../epan/packet.c:3263:9
#38 0x7f9e61642dd2 in dissect_eap /builds/wireshark/wireshark/build/../epan/dissectors/packet-eap.c:1938:13
#39 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#40 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#41 0x7f9e63f2a919 in dissector_try_uint_new /builds/wireshark/wireshark/build/../epan/packet.c:1413:8
#42 0x7f9e61649839 in dissect_eapol /builds/wireshark/wireshark/build/../epan/dissectors/packet-eapol.c:132:8
#43 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#44 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#45 0x7f9e63f2a919 in dissector_try_uint_new /builds/wireshark/wireshark/build/../epan/packet.c:1413:8
#46 0x7f9e63f2b3eb in dissector_try_uint /builds/wireshark/wireshark/build/../epan/packet.c:1437:9
#47 0x7f9e61d70341 in dissect_snap /builds/wireshark/wireshark/build/../epan/dissectors/packet-llc.c:552:9
#48 0x7f9e61d71134 in dissect_llc /builds/wireshark/wireshark/build/../epan/dissectors/packet-llc.c:434:3
#49 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#50 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#51 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
#52 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
#53 0x7f9e63f32a61 in call_dissector /builds/wireshark/wireshark/build/../epan/packet.c:3263:9
#54 0x7f9e61aa467a in dissect_ieee80211_common /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211.c:26880:11
#55 0x7f9e61a74706 in dissect_ieee80211 /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211.c:26932:10
#56 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#57 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#58 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
#59 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
#60 0x7f9e61a4e021 in dissect_wlan_radio /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211-radio.c:1513:10
#61 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#62 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#63 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
#64 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
#65 0x7f9e61a60959 in dissect_radiotap /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211-radiotap.c:3104:2
#66 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#67 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#68 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
#69 0x7f9e6175f8b6 in dissect_frame /builds/wireshark/wireshark/build/../epan/dissectors/packet-frame.c:783:6
#70 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#71 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#72 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
#73 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
#74 0x7f9e63f2680f in dissect_record /builds/wireshark/wireshark/build/../epan/packet.c:594:3
#75 0x7f9e63ef5f88 in epan_dissect_run_with_taps /builds/wireshark/wireshark/build/../epan/epan.c:598:2
#76 0x5604c945e357 in process_packet_second_pass /builds/wireshark/wireshark/build/../tshark.c:3250:5
#77 0x5604c945c88e in process_cap_file_second_pass /builds/wireshark/wireshark/build/../tshark.c:3389:9
#78 0x5604c94569b6 in process_cap_file /builds/wireshark/wireshark/build/../tshark.c:3650:28
#79 0x5604c94504c8 in main /builds/wireshark/wireshark/build/../tshark.c:2102:16
#80 0x7f9e5711e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#81 0x5604c937f43d in _start (/builds/wireshark/wireshark/_install/bin/tshark+0x5b43d)
0x60600088643b is located 0 bytes to the right of 59-byte region [0x606000886400,0x60600088643b)
freed by thread T0 here:
#0 0x5604c93f78fd in free (/builds/wireshark/wireshark/_install/bin/tshark+0xd38fd)
#1 0x7f9e63e00f03 in wmem_free /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:65:9
#2 0x7f9e63e0b01b in wmem_strict_free /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:127:5
#3 0x7f9e63e0b0c4 in wmem_strict_free_all /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:182:9
#4 0x7f9e63e01279 in wmem_free_all_real /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:104:5
#5 0x7f9e63e011d6 in wmem_free_all /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:110:5
#6 0x7f9e63e10a1a in wmem_leave_packet_scope /builds/wireshark/wireshark/build/../epan/wmem/wmem_scopes.c:69:5
#7 0x7f9e63ef5f2d in epan_dissect_run /builds/wireshark/wireshark/build/../epan/epan.c:588:2
#8 0x5604c945db37 in process_packet_first_pass /builds/wireshark/wireshark/build/../tshark.c:3028:5
#9 0x5604c945bf2f in process_cap_file_first_pass /builds/wireshark/wireshark/build/../tshark.c:3165:9
#10 0x5604c945696c in process_cap_file /builds/wireshark/wireshark/build/../tshark.c:3631:25
#11 0x5604c94504c8 in main /builds/wireshark/wireshark/build/../tshark.c:2102:16
#12 0x7f9e5711e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
previously allocated by thread T0 here:
#0 0x5604c93f7b7d in malloc (/builds/wireshark/wireshark/_install/bin/tshark+0xd3b7d)
#1 0x7f9e5738be98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98)
#2 0x7f9e63e0a8ab in wmem_strict_alloc /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:81:46
#3 0x7f9e63e0ac94 in wmem_strict_realloc /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:139:15
#4 0x7f9e63e011b0 in wmem_realloc /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:96:12
#5 0x7f9e63e1327c in wmem_strbuf_finalize /builds/wireshark/wireshark/build/../epan/wmem/wmem_strbuf.c:296:19
#6 0x7f9e63f1d4dc in rel_oid_subid2string /builds/wireshark/wireshark/build/../epan/oids.c:898:9
#7 0x7f9e63f18a07 in oid_subid2string /builds/wireshark/wireshark/build/../epan/oids.c:875:9
#8 0x7f9e63f1f5f4 in oid_encoded2string /builds/wireshark/wireshark/build/../epan/oids.c:1164:9
#9 0x7f9e6101dd26 in dissect_ber_any_oid_str /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3285:30
#10 0x7f9e6101dec2 in dissect_ber_object_identifier_str /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3319:12
#11 0x7f9e631994df in dissect_cms_T_capability /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:210:14
#12 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
#13 0x7f9e63199477 in dissect_cms_SMIMECapability /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:236:12
#14 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
#15 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
#16 0x7f9e63199407 in dissect_cms_SMIMECapabilities /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:249:12
#17 0x7f9e63194397 in dissect_SMIMECapabilities_PDU /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:893:12
#18 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
#19 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
#20 0x7f9e63f2c136 in dissector_try_string_new /builds/wireshark/wireshark/build/../epan/packet.c:1714:9
#21 0x7f9e63f2c206 in dissector_try_string /builds/wireshark/wireshark/build/../epan/packet.c:1739:9
#22 0x7f9e6100e26d in call_ber_oid_callback /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:1101:17
#23 0x7f9e63ba9279 in dissect_x509af_T_extnValue /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:146:10
#24 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
#25 0x7f9e63ba6447 in dissect_x509af_Extension /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:163:12
#26 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
#27 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
#28 0x7f9e63ba64b7 in dissect_x509af_Extensions /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:176:12
#29 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
SUMMARY: AddressSanitizer: heap-use-after-free (/builds/wireshark/wireshark/_install/bin/tshark+0x6e068) in strlen
Shadow bytes around the buggy address:
==87972==ABORTING
fuzz-test.sh stderr:
Running as user "root" and group "root". This could be dangerous.
no debug trace