Fuzz job crash: fuzz-2024-03-07-7208.pcap
Problems have been found with the following capture file:
https://www.wireshark.org/download/automated/captures/fuzz-2024-03-07-7208.pcap.gz
stderr:
Branch: master
Input file: /var/menagerie/menagerie/17516-acdr.pcapng.gz
CI job name: ASan Menagerie Fuzz, ID: 6336625137
CI job URL: https://gitlab.com/wireshark/wireshark/-/jobs/6336625137
Return value: 0
Dissector bug: 0
Date and time: Thu Mar 7 12:57:29 AM UTC 2024
Commits in the last 48 hours:
6e11f8430184 RTPS: Return end offset on failure
7fbd190c84a6 Qt: Don't allow tap dialogs to apply with no capture file
c2bb7e3e6e97 Spelling: highlight found Wikipedia words
2b390596c05a prefs: Don't remove initial handles from auto port prefs
beced8221841 Make a couple of variables from ASN dissectors static
99a887066dfd DNS: Added new statistics called Query-Response.
a2a938262994 oids: Read SMI library configuration files
03df722198c3 ieee80211: Fix sizeof AID column
4eb2924388be smtp: Fix password decryption
c85a0a11f214 Tools: Install libopencore-amrnb-dev in debian-setup.sh
ba82fcdef633 ICMPv6: Remove recursion check from 0 length option path
54717a81d152 GSMTAP: check version field
674e35bd6277 http2: Return header value decoded from US-ASCII
c03998f6d2e5 LUA: Use LUIA 5.4.6 for Windows
c831e054001c CMake: Allow overriding rpath on macOS
Build host information:
Linux 6.5.0-17-generic #17~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jan 16 14:32:32 UTC 2 x86_64
Distributor ID: Ubuntu
Description: Ubuntu 22.04.4 LTS
Release: 22.04
Codename: jammy
Command and args: /builds/wireshark/wireshark/_install/bin/tshark -2 --log-fatal-domains=UTF-8 -nVxr
Running as user "root" and group "root". This could be dangerous.
=================================================================
==38485==ERROR: AddressSanitizer: heap-use-after-free on address 0x504000a9d770 at pc 0x55fd6e9aba38 bp 0x7ffdcb66a4c0 sp 0x7ffdcb669c60
READ of size 1 at 0x504000a9d770 thread T0
#0 0x55fd6e9aba37 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/builds/wireshark/wireshark/_install/bin/tshark+0x76a37) (BuildId: cb8ae3afa62e01c6f6c91884075edcc3f5e2863e)
#1 0x55fd6e9abfc9 in memcmp (/builds/wireshark/wireshark/_install/bin/tshark+0x76fc9) (BuildId: cb8ae3afa62e01c6f6c91884075edcc3f5e2863e)
#2 0x7f0dda217d3c in tvb_memeql /builds/wireshark/wireshark/epan/tvbuff.c:2705:13
#3 0x7f0dda1ce0f9 in fragment_add_seq_work /builds/wireshark/wireshark/epan/reassemble.c:2064:8
#4 0x7f0dda1c069c in fragment_add_seq_common /builds/wireshark/wireshark/epan/reassemble.c:2267:6
#5 0x7f0dda1bfef4 in fragment_add_seq /builds/wireshark/wireshark/epan/reassemble.c:2287:9
#6 0x7f0dd9df1e9e in dissect_t38_T_field_data /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:703:24
#7 0x7f0dd82e26e8 in dissect_per_sequence /builds/wireshark/wireshark/epan/dissectors/packet-per.c:1998:12
#8 0x7f0dd9defb64 in dissect_t38_Data_Field_item /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:740:12
#9 0x7f0dd82d3fa9 in dissect_per_sequence_of_helper /builds/wireshark/wireshark/epan/dissectors/packet-per.c:586:10
#10 0x7f0dd82d3d55 in dissect_per_sequence_of /builds/wireshark/wireshark/epan/dissectors/packet-per.c:620:9
#11 0x7f0dd9def824 in dissect_t38_Data_Field /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:754:12
#12 0x7f0dd82e26e8 in dissect_per_sequence /builds/wireshark/wireshark/epan/dissectors/packet-per.c:1998:12
#13 0x7f0dd9def704 in dissect_t38_IFPPacket /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:769:12
#14 0x7f0dd82d0b2d in dissect_per_open_type_internal /builds/wireshark/wireshark/epan/dissectors/packet-per.c:246:5
#15 0x7f0dd82cf4b3 in dissect_per_open_type /builds/wireshark/wireshark/epan/dissectors/packet-per.c:265:9
#16 0x7f0dd9def376 in dissect_t38_T_primary_ifp_packet /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:795:12
#17 0x7f0dd82e26e8 in dissect_per_sequence /builds/wireshark/wireshark/epan/dissectors/packet-per.c:1998:12
#18 0x7f0dd9def1ee in dissect_t38_UDPTLPacket /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:912:12
#19 0x7f0dd9deecf0 in dissect_UDPTLPacket_PDU /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:932:12
#20 0x7f0dd9ded01a in dissect_t38_udp /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:1087:11
#21 0x7f0dda0f113a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:858:9
#22 0x7f0dda0e54a2 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:944:9
#23 0x7f0dda0ed570 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3533:8
#24 0x7f0dda098fce in try_conversation_call_dissector_helper /builds/wireshark/wireshark/epan/conversation.c:1673:11
#25 0x7f0dda098c9f in try_conversation_dissector /builds/wireshark/wireshark/epan/conversation.c:1722:17
#26 0x7f0dd8b06f01 in decode_udp_ports /builds/wireshark/wireshark/epan/dissectors/packet-udp.c:608:9
#27 0x7f0dd8b0fafb in dissect /builds/wireshark/wireshark/epan/dissectors/packet-udp.c:1281:9
#28 0x7f0dd8b09f5d in dissect_udp /builds/wireshark/wireshark/epan/dissectors/packet-udp.c:1287:5
#29 0x7f0dda0f113a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:858:9
#30 0x7f0dda0e54a2 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:944:9
#31 0x7f0dda0e4e03 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1600:8
#32 0x7f0dd7b3871e in ip_try_dissect /builds/wireshark/wireshark/epan/dissectors/packet-ip.c:1832:7
#33 0x7f0dd7b3e352 in dissect_ip_v4 /builds/wireshark/wireshark/epan/dissectors/packet-ip.c:2404:10
#34 0x7f0dda0f113a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:858:9
#35 0x7f0dda0e54a2 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:944:9
#36 0x7f0dda0e4e03 in dissector_try_uint_new /builds/wireshark/wireshark/epan/packet.c:1600:8
#37 0x7f0dda0e5862 in dissector_try_uint /builds/wireshark/wireshark/epan/packet.c:1624:9
#38 0x7f0dd76c2133 in dissect_ethertype /builds/wireshark/wireshark/epan/dissectors/packet-ethertype.c:298:21
#39 0x7f0dda0f113a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:858:9
#40 0x7f0dda0e54a2 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:944:9
#41 0x7f0dda0ed570 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3533:8
#42 0x7f0dda0e1644 in call_dissector_with_data /builds/wireshark/wireshark/epan/packet.c:3546:8
#43 0x7f0dd76bf451 in dissect_eth_common /builds/wireshark/wireshark/epan/dissectors/packet-eth.c:609:5
#44 0x7f0dd76bda1f in dissect_eth /builds/wireshark/wireshark/epan/dissectors/packet-eth.c:975:5
#45 0x7f0dda0f113a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:858:9
#46 0x7f0dda0e54a2 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:944:9
#47 0x7f0dda0ed570 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3533:8
#48 0x7f0dd7765739 in dissect_frame /builds/wireshark/wireshark/epan/dissectors/packet-frame.c:1292:6
#49 0x7f0dda0f113a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:858:9
#50 0x7f0dda0e54a2 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:944:9
#51 0x7f0dda0ed570 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3533:8
#52 0x7f0dda0e1644 in call_dissector_with_data /builds/wireshark/wireshark/epan/packet.c:3546:8
#53 0x7f0dda0e0e23 in dissect_record /builds/wireshark/wireshark/epan/packet.c:662:3
#54 0x7f0dda0adac8 in epan_dissect_run /builds/wireshark/wireshark/epan/epan.c:635:2
#55 0x55fd6ea96974 in process_packet_first_pass /builds/wireshark/wireshark/tshark.c:3321:9
#56 0x55fd6ea94537 in process_cap_file_first_pass /builds/wireshark/wireshark/tshark.c:3474:13
#57 0x55fd6ea8f039 in process_cap_file /builds/wireshark/wireshark/tshark.c:4010:29
#58 0x55fd6ea87e09 in main /builds/wireshark/wireshark/tshark.c:2460:22
#59 0x7f0dcdcc6d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#60 0x7f0dcdcc6e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#61 0x55fd6e9909f4 in _start (/builds/wireshark/wireshark/_install/bin/tshark+0x5b9f4) (BuildId: cb8ae3afa62e01c6f6c91884075edcc3f5e2863e)
0x504000a9d770 is located 32 bytes inside of 41-byte region [0x504000a9d750,0x504000a9d779)
freed by thread T0 here:
#0 0x55fd6ea2caf6 in free (/builds/wireshark/wireshark/_install/bin/tshark+0xf7af6) (BuildId: cb8ae3afa62e01c6f6c91884075edcc3f5e2863e)
#1 0x7f0dce47a0b3 in wmem_free /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:65:9
#2 0x7f0dce4833d1 in wmem_strict_free /builds/wireshark/wireshark/wsutil/wmem/wmem_allocator_strict.c:127:5
#3 0x7f0dce483465 in wmem_strict_free_all /builds/wireshark/wireshark/wsutil/wmem/wmem_allocator_strict.c:182:9
#4 0x7f0dce47a410 in wmem_free_all_real /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:104:5
#5 0x7f0dce47a376 in wmem_free_all /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:110:5
#6 0x7f0dda0ad970 in epan_dissect_reset /builds/wireshark/wireshark/epan/epan.c:602:2
#7 0x55fd6ea96e72 in process_packet_first_pass /builds/wireshark/wireshark/tshark.c:3367:9
#8 0x55fd6ea94537 in process_cap_file_first_pass /builds/wireshark/wireshark/tshark.c:3474:13
#9 0x55fd6ea8f039 in process_cap_file /builds/wireshark/wireshark/tshark.c:4010:29
#10 0x55fd6ea87e09 in main /builds/wireshark/wireshark/tshark.c:2460:22
#11 0x7f0dcdcc6d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
previously allocated by thread T0 here:
#0 0x55fd6ea2cd9e in malloc (/builds/wireshark/wireshark/_install/bin/tshark+0xf7d9e) (BuildId: cb8ae3afa62e01c6f6c91884075edcc3f5e2863e)
#1 0x7f0dcdf24738 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e738) (BuildId: c74e800dfd5f72649d673b44292f4a817e45150b)
#2 0x7f0dce482d0f in wmem_strict_alloc /builds/wireshark/wireshark/wsutil/wmem/wmem_allocator_strict.c:81:46
#3 0x7f0dce47a029 in wmem_alloc /builds/wireshark/wireshark/wsutil/wmem/wmem_core.c:44:12
#4 0x7f0dd9df27df in force_reassemble_seq /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:358:20
#5 0x7f0dd9df0231 in dissect_t38_T_field_type /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:573:25
#6 0x7f0dd82e26e8 in dissect_per_sequence /builds/wireshark/wireshark/epan/dissectors/packet-per.c:1998:12
#7 0x7f0dd9defb64 in dissect_t38_Data_Field_item /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:740:12
#8 0x7f0dd82d3fa9 in dissect_per_sequence_of_helper /builds/wireshark/wireshark/epan/dissectors/packet-per.c:586:10
#9 0x7f0dd82d3d55 in dissect_per_sequence_of /builds/wireshark/wireshark/epan/dissectors/packet-per.c:620:9
#10 0x7f0dd9def824 in dissect_t38_Data_Field /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:754:12
#11 0x7f0dd82e26e8 in dissect_per_sequence /builds/wireshark/wireshark/epan/dissectors/packet-per.c:1998:12
#12 0x7f0dd9def704 in dissect_t38_IFPPacket /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:769:12
#13 0x7f0dd82d0b2d in dissect_per_open_type_internal /builds/wireshark/wireshark/epan/dissectors/packet-per.c:246:5
#14 0x7f0dd82cf4b3 in dissect_per_open_type /builds/wireshark/wireshark/epan/dissectors/packet-per.c:265:9
#15 0x7f0dd9def376 in dissect_t38_T_primary_ifp_packet /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:795:12
#16 0x7f0dd82e26e8 in dissect_per_sequence /builds/wireshark/wireshark/epan/dissectors/packet-per.c:1998:12
#17 0x7f0dd9def1ee in dissect_t38_UDPTLPacket /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:912:12
#18 0x7f0dd9deecf0 in dissect_UDPTLPacket_PDU /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:932:12
#19 0x7f0dd9ded01a in dissect_t38_udp /builds/wireshark/wireshark/epan/dissectors/packet-t38.c:1087:11
#20 0x7f0dda0f113a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:858:9
#21 0x7f0dda0e54a2 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:944:9
#22 0x7f0dda0ed570 in call_dissector_only /builds/wireshark/wireshark/epan/packet.c:3533:8
#23 0x7f0dda098fce in try_conversation_call_dissector_helper /builds/wireshark/wireshark/epan/conversation.c:1673:11
#24 0x7f0dda098c9f in try_conversation_dissector /builds/wireshark/wireshark/epan/conversation.c:1722:17
#25 0x7f0dd8b06f01 in decode_udp_ports /builds/wireshark/wireshark/epan/dissectors/packet-udp.c:608:9
#26 0x7f0dd8b0fafb in dissect /builds/wireshark/wireshark/epan/dissectors/packet-udp.c:1281:9
#27 0x7f0dd8b09f5d in dissect_udp /builds/wireshark/wireshark/epan/dissectors/packet-udp.c:1287:5
#28 0x7f0dda0f113a in call_dissector_through_handle /builds/wireshark/wireshark/epan/packet.c:858:9
#29 0x7f0dda0e54a2 in call_dissector_work /builds/wireshark/wireshark/epan/packet.c:944:9
SUMMARY: AddressSanitizer: heap-use-after-free (/builds/wireshark/wireshark/_install/bin/tshark+0x76a37) (BuildId: cb8ae3afa62e01c6f6c91884075edcc3f5e2863e) in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
==38485==ABORTING
fuzz-test.sh stderr:
Running as user "root" and group "root". This could be dangerous.
no debug trace