Uninitialized values in various dissectors
Problems have been found with the following capture file:
https://www.wireshark.org/download/automated/captures/fuzz-2022-12-17-7492.pcap.gz
stderr:
Branch: release-4.0
Input file: /var/menagerie/menagerie/ultimate_wireshark_protocols_pcap_220213.pcap
CI job name: Valgrind Menagerie Fuzz, ID: 3490319342
CI job URL: https://gitlab.com/wireshark/wireshark/-/jobs/3490319342
Return value: 0
Dissector bug: 0
Valgrind error count: 1
Date and time: Sat Dec 17 20:54:29 UTC 2022
Commits in the last 48 hours:
f8f9b557f RTPS: Add offset overflow checking.
c33a9542e cli: Fix copying global profile to personal at startup
f2a4c07cc protobuf: Do not crash on zero length bytes element
8cff893ec Protobuf: Fix a google.protobuf.Timestamp displaying bug
03d5d251c NBAP: Add UEID to HS-DSCH flows added from RadioLinkReconfiguration
Build host information:
Linux 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy
Command and args: ./tools/valgrind-wireshark.sh -b /builds/wireshark/wireshark/_install/bin
==15172== Memcheck, a memory error detector
==15172== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==15172== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==15172== Command: /builds/wireshark/wireshark/_install/bin/tshark -nr /tmp/fuzz/fuzz-2022-12-17-7492.pcap
==15172==
Running as user "root" and group "root". This could be dangerous.
** (tshark:15172) 20:50:59.736745 [Epan WARNING] -- Dissector bug, protocol IEEE1609dot2, in packet 1898: field ieee1609dot2.minChainLength is not of type FT_CHAR, FT_UINT8, FT_UINT16, FT_UINT24, or FT_UINT32
==15172== Conditional jump or move depends on uninitialised value(s)
==15172== at 0x78B0849: unescape_and_tvbuffify_telnet_option (epan/dissectors/packet-telnet.c:1043)
==15172== by 0x78B0692: dissect_krb5_authentication_data (epan/dissectors/packet-telnet.c:1082)
==15172== by 0x78AF1F4: dissect_authentication_subopt (epan/dissectors/packet-telnet.c:1142)
==15172== by 0x78AE8FA: telnet_sub_option (epan/dissectors/packet-telnet.c:1685)
==15172== by 0x78AE45E: telnet_command (epan/dissectors/packet-telnet.c:1772)
==15172== by 0x78ADEFF: dissect_telnet (epan/dissectors/packet-telnet.c:1900)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x8416B63: dissector_try_uint_new (epan/packet.c:1516)
==15172== by 0x787D8BA: decode_tcp_ports (epan/dissectors/packet-tcp.c:7135)
==15172== by 0x787F57D: process_tcp_payload (epan/dissectors/packet-tcp.c:7204)
==15172== by 0x787E15D: dissect_tcp_payload (epan/dissectors/packet-tcp.c:7286)
==15172==
==15172== Conditional jump or move depends on uninitialised value(s)
==15172== at 0x76917C8: dissect_rohc_ir_rtp_profile_dynamic (epan/dissectors/packet-rohc.c:1667)
==15172== by 0x768FCDE: dissect_rohc_ir_dyn_packet (epan/dissectors/packet-rohc.c:2316)
==15172== by 0x768E3E7: dissect_rohc (epan/dissectors/packet-rohc.c:2534)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x8416B63: dissector_try_uint_new (epan/packet.c:1516)
==15172== by 0x8416E72: dissector_try_uint (epan/packet.c:1540)
==15172== by 0x6B7059F: dissect_3com_xns (epan/dissectors/packet-3com-xns.c:74)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x8416B63: dissector_try_uint_new (epan/packet.c:1516)
==15172== by 0x8416E72: dissector_try_uint (epan/packet.c:1540)
==15172==
==15172== Conditional jump or move depends on uninitialised value(s)
==15172== at 0x76917DC: dissect_rohc_ir_rtp_profile_dynamic (epan/dissectors/packet-rohc.c:1667)
==15172== by 0x768FCDE: dissect_rohc_ir_dyn_packet (epan/dissectors/packet-rohc.c:2316)
==15172== by 0x768E3E7: dissect_rohc (epan/dissectors/packet-rohc.c:2534)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x8416B63: dissector_try_uint_new (epan/packet.c:1516)
==15172== by 0x8416E72: dissector_try_uint (epan/packet.c:1540)
==15172== by 0x6B7059F: dissect_3com_xns (epan/dissectors/packet-3com-xns.c:74)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x8416B63: dissector_try_uint_new (epan/packet.c:1516)
==15172== by 0x8416E72: dissector_try_uint (epan/packet.c:1540)
==15172==
==15172== Conditional jump or move depends on uninitialised value(s)
==15172== at 0x76905F2: dissect_rohc_pkt_type_1_u_o_mode (epan/dissectors/packet-rohc.c:918)
==15172== by 0x768E84A: dissect_rohc (epan/dissectors/packet-rohc.c:2613)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x8416B63: dissector_try_uint_new (epan/packet.c:1516)
==15172== by 0x8416E72: dissector_try_uint (epan/packet.c:1540)
==15172== by 0x6B7059F: dissect_3com_xns (epan/dissectors/packet-3com-xns.c:74)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x8416B63: dissector_try_uint_new (epan/packet.c:1516)
==15172== by 0x8416E72: dissector_try_uint (epan/packet.c:1540)
==15172== by 0x733257A: dissect_llc (epan/dissectors/packet-llc.c:449)
==15172==
==15172== Conditional jump or move depends on uninitialised value(s)
==15172== at 0x70DCBF1: dissect_gsm_rlcmac_downlink (epan/dissectors/packet-gsm_rlcmac.c:9770)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x841A1EB: call_dissector_only (epan/packet.c:3392)
==15172== by 0x8415814: call_dissector_with_data (epan/packet.c:3405)
==15172== by 0x70D0E8E: dissect_gprs_data (epan/dissectors/packet-gsm_abis_pgsl.c:353)
==15172== by 0x70D09C8: dissect_abis_pgsl (epan/dissectors/packet-gsm_abis_pgsl.c:446)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x8416B63: dissector_try_uint_new (epan/packet.c:1516)
==15172== by 0x8416E72: dissector_try_uint (epan/packet.c:1540)
==15172== by 0x7299252: dissect_protocol_data_parameter (epan/dissectors/packet-iua.c:420)
==15172==
==15172== Conditional jump or move depends on uninitialised value(s)
==15172== at 0x70DFAFC: dissect_egprs_dl_header_block (epan/dissectors/packet-gsm_rlcmac.c:9158)
==15172== by 0x70DCC31: dissect_gsm_rlcmac_downlink (epan/dissectors/packet-gsm_rlcmac.c:9776)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x841A1EB: call_dissector_only (epan/packet.c:3392)
==15172== by 0x8415814: call_dissector_with_data (epan/packet.c:3405)
==15172== by 0x70D0E8E: dissect_gprs_data (epan/dissectors/packet-gsm_abis_pgsl.c:353)
==15172== by 0x70D09C8: dissect_abis_pgsl (epan/dissectors/packet-gsm_abis_pgsl.c:446)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x8416B63: dissector_try_uint_new (epan/packet.c:1516)
==15172== by 0x8416E72: dissector_try_uint (epan/packet.c:1540)
==15172==
==15172== Conditional jump or move depends on uninitialised value(s)
==15172== at 0x7690ABE: dissect_rohc_pkt_type_2 (epan/dissectors/packet-rohc.c:1022)
==15172== by 0x768E881: dissect_rohc (epan/dissectors/packet-rohc.c:2617)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x8416B63: dissector_try_uint_new (epan/packet.c:1516)
==15172== by 0x8416E72: dissector_try_uint (epan/packet.c:1540)
==15172== by 0x6B7059F: dissect_3com_xns (epan/dissectors/packet-3com-xns.c:74)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x8416B63: dissector_try_uint_new (epan/packet.c:1516)
==15172== by 0x8416E72: dissector_try_uint (epan/packet.c:1540)
==15172== by 0x733257A: dissect_llc (epan/dissectors/packet-llc.c:449)
==15172==
** (tshark:15172) 20:51:10.255699 [GLib CRITICAL] -- g_ascii_strncasecmp: assertion 's1 != NULL' failed
==15172== Conditional jump or move depends on uninitialised value(s)
==15172== at 0x6C7958E: set_mime_hdr_flags (epan/dissectors/packet-beep.c:392)
==15172== by 0x6C788D5: dissect_beep_tree (epan/dissectors/packet-beep.c:493)
==15172== by 0x6C78615: dissect_beep (epan/dissectors/packet-beep.c:860)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x8416B63: dissector_try_uint_new (epan/packet.c:1516)
==15172== by 0x787D8BA: decode_tcp_ports (epan/dissectors/packet-tcp.c:7135)
==15172== by 0x787F57D: process_tcp_payload (epan/dissectors/packet-tcp.c:7204)
==15172== by 0x787E15D: dissect_tcp_payload (epan/dissectors/packet-tcp.c:7286)
==15172== by 0x788387C: dissect_tcp (epan/dissectors/packet-tcp.c:8273)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172==
** (tshark:15172) 20:51:26.895797 [Epan WARNING] -- Dissector bug, protocol GNW, in packet 7943: epan/dissectors/packet-geonw.c:1261: failed assertion "!(tmp_val & 0xffffffff00000000)"
==15172== Conditional jump or move depends on uninitialised value(s)
==15172== at 0x6C795EB: set_mime_hdr_flags (epan/dissectors/packet-beep.c:410)
==15172== by 0x6C788D5: dissect_beep_tree (epan/dissectors/packet-beep.c:493)
==15172== by 0x6C78615: dissect_beep (epan/dissectors/packet-beep.c:860)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172== by 0x8416B63: dissector_try_uint_new (epan/packet.c:1516)
==15172== by 0x787D82A: decode_tcp_ports (epan/dissectors/packet-tcp.c:7128)
==15172== by 0x787F57D: process_tcp_payload (epan/dissectors/packet-tcp.c:7204)
==15172== by 0x787E15D: dissect_tcp_payload (epan/dissectors/packet-tcp.c:7286)
==15172== by 0x788380D: dissect_tcp (epan/dissectors/packet-tcp.c:8270)
==15172== by 0x841B49A: call_dissector_through_handle (epan/packet.c:822)
==15172== by 0x8416D65: call_dissector_work (epan/packet.c:913)
==15172==
** (tshark:15172) 20:51:52.018418 [Epan WARNING] -- Dissector bug, protocol TPM2.0, in packet 14451: epan/dissectors/packet-tpm20.c:1050: failed assertion "command_entry != ((void*)0)"
** (tshark:15172) 20:52:05.176150 [Epan WARNING] -- Dissector bug, protocol TPM2.0, in packet 18147: epan/dissectors/packet-tpm20.c:1050: failed assertion "command_entry != ((void*)0)"
** (tshark:15172) 20:52:18.156798 [Epan WARNING] -- Dissector bug, protocol TLS, in packet 21902: epan/dissectors/packet-tls.c:2257: failed assertion "frag_len != 0"
** (tshark:15172) 20:52:46.722016 [Epan WARNING] -- Dissector bug, protocol TLS, in packet 28633: epan/dissectors/packet-tls.c:2257: failed assertion "frag_len != 0"
** (tshark:15172) 20:52:52.632024 [Epan WARNING] -- Dissector bug, protocol SMUX, in packet 30129: asn1/snmp/packet-snmp-template.c:377: failed assertion "snmp_info" (No SNMP info from ASN1 context)
** (tshark:15172) 20:52:53.931909 [Epan WARNING] -- Dissector bug, protocol TLS, in packet 30487: epan/dissectors/packet-tls.c:2257: failed assertion "frag_len != 0"
** (tshark:15172) 20:52:56.131335 [GLib CRITICAL] -- g_ascii_strncasecmp: assertion 's1 != NULL' failed
** (tshark:15172) 20:52:59.637002 [Epan WARNING] -- Dissector bug, protocol TPM2.0, in packet 32148: epan/dissectors/packet-tpm20.c:1050: failed assertion "command_entry != ((void*)0)"
** (tshark:15172) 20:53:40.922330 [Epan WARNING] -- Dissector bug, protocol TLS, in packet 44800: epan/dissectors/packet-tls.c:2257: failed assertion "frag_len != 0"
==15172==
==15172== HEAP SUMMARY:
==15172== in use at exit: 313,219 bytes in 6,052 blocks
==15172== total heap usage: 5,530,354 allocs, 5,524,302 frees, 2,109,660,939 bytes allocated
==15172==
==15172== LEAK SUMMARY:
==15172== definitely lost: 36,786 bytes in 684 blocks
==15172== indirectly lost: 69,174 bytes in 1,307 blocks
==15172== possibly lost: 0 bytes in 0 blocks
==15172== still reachable: 187,692 bytes in 4,026 blocks
==15172== suppressed: 19,567 bytes in 35 blocks
==15172== Rerun with --leak-check=full to see details of leaked memory
==15172==
==15172== Use --track-origins=yes to see where uninitialised values come from
==15172== For lists of detected and suppressed errors, rerun with: -s
==15172== ERROR SUMMARY: 56 errors from 9 contexts (suppressed: 0 from 0)
Definitely + indirectly (36786 + 69174) exceeds max (102400).
fuzz-test.sh stderr:
Running as user "root" and group "root". This could be dangerous.
no debug trace