
OSS-Fuzz bug in fuzzshark: stack overflow in tvb_parse_param and dissect_oer_sequence

Summary

Hello, I'm testing my fuzzer and found 2 stack overflow issues in fuzzshark.

Steps to reproduce

Following the oss-fuzz build script, change -DOSS_FUZZ=ON to -DENABLE_FUZZER=ON -DENABLE_ASAN=ON, given that LIB_FUZZING_ENGINE does not exist.

Run fuzzshark with FUZZSHARK_TARGET=ip /work/build/run/fuzzshark $POC

BUG log 1

oss-fuzzshark: disabling: snort
oss-fuzzshark: requested dissector: ip
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1405592693
INFO: Loaded 1 modules   (408280 inline 8-bit counters): 408280 [0x5591dc7f3ba0, 0x5591dc857678), 
INFO: Loaded 1 PC tables (408280 PCs): 408280 [0x5591dc857678,0x5591dce923f8), 
/work/build/run/fuzzshark: Running 1 inputs 1 time(s) each.
Running: /crashes/ip/id:000000,sig:06,src:105718,time:46125092,execs:306987766,op:havoc,rep:16
=================================================================
==11033==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe0c1e1420 at pc 0x5591cd478ab4 bp 0x7ffe0c1e12f0 sp 0x7ffe0c1e12e8
WRITE of size 1 at 0x7ffe0c1e1420 thread T0
    #0 0x5591cd478ab3 in tvb_parse_param /src/wireshark/epan/dissectors/packet-mgcp.c:897:39
    #1 0x5591cd478ab3 in dissect_mgcp_params /src/wireshark/epan/dissectors/packet-mgcp.c:1541:20
    #2 0x5591cd472481 in dissect_mgcp_message /src/wireshark/epan/dissectors/packet-mgcp.c:619:5
    #3 0x5591cd472481 in dissect_mgcp /src/wireshark/epan/dissectors/packet-mgcp.c:501:4
    #4 0x5591cc59bd4b in call_dissector_through_handle /src/wireshark/epan/packet.c:857:9
    #5 0x5591cc59bd4b in call_dissector_work /src/wireshark/epan/packet.c:948:9
    #6 0x5591cc59c21f in dissector_try_uint_new /src/wireshark/epan/packet.c:1581:8
    #7 0x5591cc59c21f in dissector_try_uint /src/wireshark/epan/packet.c:1605:9
    #8 0x5591cdd50cd9 in decode_udp_ports /src/wireshark/epan/dissectors/packet-udp.c:684:27
    #9 0x5591cdd56062 in dissect /src/wireshark/epan/dissectors/packet-udp.c:1281:9
    #10 0x5591cdd52efc in dissect_udp /src/wireshark/epan/dissectors/packet-udp.c:1287:5
    #11 0x5591cc59bd4b in call_dissector_through_handle /src/wireshark/epan/packet.c:857:9
    #12 0x5591cc59bd4b in call_dissector_work /src/wireshark/epan/packet.c:948:9
    #13 0x5591cc59b842 in dissector_try_uint_new /src/wireshark/epan/packet.c:1581:8
    #14 0x5591cd1bc5fc in ip_try_dissect /src/wireshark/epan/dissectors/packet-ip.c:1822:7
    #15 0x5591cd1c031e in dissect_ip_v4 /src/wireshark/epan/dissectors/packet-ip.c:2328:10
    #16 0x5591cc59bd4b in call_dissector_through_handle /src/wireshark/epan/packet.c:857:9
    #17 0x5591cc59bd4b in call_dissector_work /src/wireshark/epan/packet.c:948:9
    #18 0x5591cc5a598f in call_dissector_only /src/wireshark/epan/packet.c:3483:8
    #19 0x5591cc5a598f in call_all_postdissectors /src/wireshark/epan/packet.c:3912:3
    #20 0x5591ccedda86 in dissect_frame /src/wireshark/epan/dissectors/packet-frame.c:1435:5
    #21 0x5591cc59bd4b in call_dissector_through_handle /src/wireshark/epan/packet.c:857:9
    #22 0x5591cc59bd4b in call_dissector_work /src/wireshark/epan/packet.c:948:9
    #23 0x5591cc5985da in call_dissector_only /src/wireshark/epan/packet.c:3483:8
    #24 0x5591cc5985da in call_dissector_with_data /src/wireshark/epan/packet.c:3496:8
    #25 0x5591cc597c94 in dissect_record /src/wireshark/epan/packet.c:661:3
    #26 0x5591cc589cd4 in epan_dissect_run /src/wireshark/epan/epan.c:642:2
    #27 0x5591cc3f1160 in LLVMFuzzerTestOneInput /src/wireshark/fuzz/fuzzshark.c:382:2
    #28 0x5591cc2c2963 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #29 0x5591cc2ae0c2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #30 0x5591cc2b396c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #31 0x5591cc2dcea2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #32 0x7f6a0cab9082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: e678fe54a5d2c2092f8e47eb0b33105e380f7340)
    #33 0x5591cc2a428d in _start (/work/build/run/fuzzshark+0xcd0b28d)

Address 0x7ffe0c1e1420 is located in stack of thread T0 at offset 288 in frame
    #0 0x5591cd474aff in dissect_mgcp_params /src/wireshark/epan/dissectors/packet-mgcp.c:1521

  This frame has 2 object(s):
    [32, 288) 'ext_buf.i' (line 891) <== Memory access at offset 288 overflows this variable
    [352, 356) 'tvb_lineend' (line 1523)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /src/wireshark/epan/dissectors/packet-mgcp.c:897:39 in tvb_parse_param
Shadow bytes around the buggy address:
  0x100041834230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100041834240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100041834250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100041834260: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x100041834270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100041834280: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 04 f3 f3 f3
  0x100041834290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000418342a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000418342b0: 00 00 00 00 f1 f1 f1 f1 f8 f2 f8 f2 f8 f2 f8 f2
  0x1000418342c0: f8 f8 f2 f2 f8 f8 f2 f2 f8 f2 f2 f2 f8 f8 f8 f8
  0x1000418342d0: f8 f8 f8 f8 f2 f2 f2 f2 f8 f2 04 f2 00 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11033==ABORTING

BUG log 2

oss-fuzzshark: disabling: snort
oss-fuzzshark: requested dissector: ip
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1952616693
INFO: Loaded 1 modules   (408280 inline 8-bit counters): 408280 [0x557d10cd3ba0, 0x557d10d37678), 
INFO: Loaded 1 PC tables (408280 PCs): 408280 [0x557d10d37678,0x557d113723f8), 
/work/build/run/fuzzshark: Running 1 inputs 1 time(s) each.
Running: /crashes/ip/id:000001,sig:11,src:046409,time:46771269,execs:311041983,op:havoc,rep:4
AddressSanitizer:DEADLYSIGNAL
=================================================================
==11040==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe02ae0f78 (pc 0x557d00893145 bp 0x7ffe02ae17b0 sp 0x7ffe02ae0f80 T0)
    #0 0x557d00893145 in __asan_memset /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3
    #1 0x557d02c7cec1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:575:5
    #2 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #3 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #4 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #5 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #6 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #7 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #8 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #9 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #10 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #11 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #12 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #13 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #14 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #15 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #16 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #17 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #18 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #19 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #20 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #21 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #22 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #23 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #24 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #25 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #26 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #27 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #28 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #29 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #30 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #31 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #32 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #33 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #34 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #35 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #36 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #37 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #38 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #39 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #40 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #41 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #42 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #43 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #44 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #45 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #46 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #47 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #48 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #49 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #50 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #51 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #52 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #53 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #54 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #55 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #56 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #57 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #58 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #59 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #60 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #61 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #62 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #63 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #64 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #65 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #66 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #67 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #68 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #69 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #70 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #71 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #72 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #73 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #74 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #75 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #76 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #77 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #78 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #79 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #80 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #81 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #82 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #83 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #84 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #85 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #86 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #87 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #88 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #89 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #90 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #91 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #92 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #93 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #94 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #95 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #96 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #97 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #98 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #99 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #100 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #101 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #102 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #103 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #104 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #105 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #106 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #107 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #108 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #109 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #110 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #111 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #112 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #113 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #114 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #115 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #116 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #117 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #118 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #119 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #120 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #121 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #122 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #123 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #124 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #125 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #126 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #127 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #128 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #129 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #130 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #131 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #132 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #133 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #134 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #135 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #136 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #137 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #138 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #139 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #140 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #141 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #142 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #143 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #144 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #145 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #146 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #147 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #148 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #149 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #150 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #151 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #152 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #153 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #154 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #155 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #156 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #157 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #158 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #159 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #160 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #161 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #162 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #163 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #164 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #165 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #166 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #167 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #168 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #169 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #170 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #171 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #172 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #173 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #174 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #175 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #176 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #177 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #178 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #179 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #180 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #181 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #182 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #183 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #184 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #185 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #186 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #187 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #188 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #189 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #190 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #191 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #192 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #193 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #194 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #195 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #196 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #197 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #198 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #199 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #200 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #201 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #202 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #203 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #204 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #205 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #206 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #207 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #208 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #209 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #210 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #211 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #212 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #213 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #214 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #215 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #216 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #217 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #218 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #219 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #220 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #221 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #222 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #223 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #224 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #225 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #226 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #227 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #228 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #229 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #230 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #231 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #232 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #233 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #234 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #235 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #236 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12
    #237 0x557d02c7efba in dissect_oer_choice /src/wireshark/epan/dissectors/packet-oer.c:811:22
    #238 0x557d015cba90 in dissect_ieee1609dot2_Ieee1609Dot2Content /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3010:12
    #239 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #240 0x557d015cb9fa in dissect_ieee1609dot2_Ieee1609Dot2Data /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:3027:12
    #241 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #242 0x557d015cbe05 in dissect_ieee1609dot2_SignedDataPayload /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2748:12
    #243 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #244 0x557d015cbd45 in dissect_ieee1609dot2_ToBeSignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2763:12
    #245 0x557d02c7d5b1 in dissect_oer_sequence /src/wireshark/epan/dissectors/packet-oer.c:614:26
    #246 0x557d015cbc45 in dissect_ieee1609dot2_SignedData /src/wireshark/epan/dissectors/packet-ieee1609dot2.c:2817:12

SUMMARY: AddressSanitizer: stack-overflow /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:26:3 in __asan_memset
==11040==ABORTING

Sample capture file

poc0 poc1

Build information

Build via the oss-fuzz Dockerfile, changing -DOSS_FUZZ=ON to -DENABLE_FUZZER=ON -DENABLE_ASAN=ON: https://github.com/google/oss-fuzz/blob/master/projects/wireshark/

The second build stage might fail, but it's OK; checkout to /work/build and exec FUZZSHARK_TARGET=ip ./run/wireshark $POC

The Wireshark version we use is the latest commit f5cc6ebb.

Edited by Han Zheng