OSS-Fuzz bug in fuzzshark: stack exhaustion for dissect_zbee_tlvs
Summary
Hello, I'm testing my fuzzer and found 1 stack exhaustion issue in fuzzshark.
Steps to reproduce
Following oss-fuzz's build script, change -DOSS_FUZZ=ON
to -DENABLE_FUZZER=ON -DENABLE_ASAN=ON,
since LIB_FUZZING_ENGINE does not exist.
Run fuzzshark with FUZZSHARK_TARGET=tcp /work/build/run/fuzzshark $POC
BUG Log
oss-fuzzshark: disabling: snort
oss-fuzzshark: requested dissector: tcp
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3464275435
INFO: Loaded 1 modules (408309 inline 8-bit counters): 408309 [0x560eb1c35a60, 0x560eb1c99555),
INFO: Loaded 1 PC tables (408309 PCs): 408309 [0x560eb1c99558,0x560eb22d44a8),
./run/fuzzshark: Running 1 inputs 1 time(s) each.
Running: /crashes/id:000002,sig:11,src:020196+021982,time:88731192,execs:828577815,op:splice,rep:4
AddressSanitizer:DEADLYSIGNAL
=================================================================
==5706==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc00d49f14 (pc 0x560ea1a1f10e bp 0x7ffc00d4a040 sp 0x7ffc00d49f00 T0)
#0 0x560ea1a1f10e in proto_tree_add_subtree_format /src/wireshark/epan/proto.c:1463
#1 0x560ea1a1f0e0 in proto_tree_add_subtree /src/wireshark/epan/proto.c:1456:9
#2 0x560ea3498ce3 in dissect_zbee_tlvs /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2788:19
#3 0x560ea34995b3 in dissect_global_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c
#4 0x560ea34995b3 in dissect_zbee_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2742:18
#5 0x560ea34995b3 in dissect_zbee_tlvs /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2789:18
#6 0x560ea34995b3 in dissect_global_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c
#7 0x560ea34995b3 in dissect_zbee_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2742:18
#8 0x560ea34995b3 in dissect_zbee_tlvs /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2789:18
#9 0x560ea34995b3 in dissect_global_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c
#10 0x560ea34995b3 in dissect_zbee_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2742:18
#11 0x560ea34995b3 in dissect_zbee_tlvs /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2789:18
#12 0x560ea34995b3 in dissect_global_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c
#13 0x560ea34995b3 in dissect_zbee_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2742:18
#14 0x560ea34995b3 in dissect_zbee_tlvs /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2789:18
...
SUMMARY: AddressSanitizer: stack-overflow /src/wireshark/epan/proto.c:1463 in proto_tree_add_subtree_format
==5706==ABORTING
Sample capture file
Build information
Built via the oss-fuzz dockerfile, changing -DOSS_FUZZ=ON
to -DENABLE_FUZZER=ON -DENABLE_ASAN=ON
https://github.com/google/oss-fuzz/blob/master/projects/wireshark/
exec FUZZSHARK_TARGET=tcp ./run/wireshark $POC
The wireshark version we use is the latest commit 653d79ef.
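The trace above shows the recursion cycle dissect_zbee_tlvs -> dissect_zbee_tlv -> dissect_global_tlv -> dissect_zbee_tlvs repeating until the stack is gone: a "global" TLV whose value is itself a TLV list lets a crafted input choose the recursion depth. The example below is added here to illustrate the failure mode and its usual mitigation; it is not code from the reporter or from Wireshark's packet-zbee-tlv.c. It assumes a hypothetical 1-byte type / 1-byte length TLV layout where type 0x01 is a container holding nested TLVs, and it caps nesting with a constructed MAX_TLV_DEPTH limit so a deeply nested blob yields a "nesting too deep" result instead of unbounded recursion.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical TLV layout (not the ZigBee TLV format): type, length, value. */
#define TLV_CONTAINER 0x01   /* value is itself a list of TLVs -> recursion */
#define TLV_LEAF      0x02   /* opaque payload, no recursion */
#define MAX_TLV_DEPTH 8      /* constructed cap on container nesting */

/* Error codes returned by the parser. */
#define TLV_OK          0
#define TLV_TRUNCATED  -1   /* length byte runs past the buffer */
#define TLV_TOO_DEEP   -2   /* nesting exceeded MAX_TLV_DEPTH */

typedef struct {
    size_t tlvs_seen;       /* TLVs parsed at all nesting levels */
    size_t max_depth_seen;  /* deepest container level reached */
    int    depth_exceeded;  /* set when the cap stopped the parse */
} tlv_stats;

/* Parse a TLV list. Recurses into containers, but only while depth <= cap.
 * Without the depth check this is exactly the unbounded mutual recursion
 * reported above: input length alone would bound the stack use. */
static int parse_tlvs(const uint8_t *buf, size_t len, size_t depth, tlv_stats *st)
{
    size_t off = 0;
    if (depth > st->max_depth_seen)
        st->max_depth_seen = depth;

    while (off + 2 <= len) {
        uint8_t type = buf[off];
        uint8_t vlen = buf[off + 1];
        off += 2;
        if (vlen > len - off)           /* bounds check before touching value */
            return TLV_TRUNCATED;
        st->tlvs_seen++;

        if (type == TLV_CONTAINER) {
            if (depth + 1 > MAX_TLV_DEPTH) { /* the mitigation: refuse to recurse */
                st->depth_exceeded = 1;
                return TLV_TOO_DEEP;
            }
            int r = parse_tlvs(buf + off, vlen, depth + 1, st);
            if (r != TLV_OK)
                return r;
        }
        off += vlen;
    }
    return TLV_OK;
}

/* Build a constructed test input: `levels` containers wrapped around one leaf.
 * Total size is 2*levels + 2 bytes, so levels must stay below 127 for a
 * 1-byte length field. */
static size_t build_nested(uint8_t *out, size_t levels)
{
    if (levels == 0) {
        out[0] = TLV_LEAF;
        out[1] = 0;
        return 2;
    }
    size_t inner = build_nested(out + 2, levels - 1);
    out[0] = TLV_CONTAINER;
    out[1] = (uint8_t)inner;
    return inner + 2;
}

/* Build a blob with `levels` nesting levels and parse it from depth 0. */
int parse_nested(size_t levels, tlv_stats *st)
{
    uint8_t buf[256];
    memset(st, 0, sizeof *st);
    if (levels > 100)
        return TLV_TRUNCATED;   /* would not fit a 1-byte length field */
    size_t n = build_nested(buf, levels);
    return parse_tlvs(buf, n, 0, st);
}

int main(void)
{
    tlv_stats st;
    int r = parse_nested(3, &st);
    printf("3 levels:  rc=%d tlvs=%zu max_depth=%zu\n", r, st.tlvs_seen, st.max_depth_seen);
    r = parse_nested(20, &st);
    printf("20 levels: rc=%d tlvs=%zu max_depth=%zu exceeded=%d\n",
           r, st.tlvs_seen, st.max_depth_seen, st.depth_exceeded);
    return 0;
}
```

The cap is the important part: a dissector that recurses on nested structures needs a depth limit independent of the packet length, because packet length only bounds the number of frames linearly while each frame costs a fixed amount of stack. Reporting the limit as a parse error (here TLV_TOO_DEEP, in a dissector an expert-info item) keeps the rest of the packet inspectable rather than crashing the process.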