The "handle_chopping" function in "editcap.c:2595" has a heap overflow vulnerability.
Hi, we found one crash in Editcap (Wireshark) 4.2.3 (Git commit b0da86c196d1), which is the latest version. To assist in diagnosing and resolving these issues, we have attached the POC files along with the gdb/asan logs.
Environment: Linux 4f6b99b5cf37 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Command and args:
./editcap -C 10 -C -15:20 -S 0.000001 -T ether -c 100 -s 65535 -t -0.5 poc /tmp/file0_out.pcapng
asan log:
==34295==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900001d728 at pc 0x7f22c803df50 bp 0x7ffd30c830f0 sp 0x7ffd30c82898
READ of size 14617 at 0x62900001d728 thread T0
#0 0x7f22c803df4f in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:773
#1 0x558fddce97b5 in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40
#2 0x558fddce97b5 in handle_chopping /root/programs/wireshark-4.2.3/editcap.c:2595
#3 0x558fddce97b5 in main /root/programs/wireshark-4.2.3/editcap.c:2168
#4 0x7f22c7836082 in __libc_start_main ../csu/libc-start.c:308
#5 0x558fddcec4dd in _start (/root/programs/wireshark-4.2.3/build_asan/bin/editcap+0x134dd)
0x62900001d728 is located 0 bytes to the right of 17704-byte region [0x629000019200,0x62900001d728)
allocated by thread T0 here:
#0 0x7f22c80aac3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
#1 0x7f22c7a5bf3f in g_realloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57f3f)
#2 0x4527 (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:773 in __interceptor_memmove
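The ASan output above shows the failure class: a memmove in the chop path whose length (14617 bytes here) runs past the end of the 17704-byte packet buffer, so the source range is computed from the user's -C arguments rather than from what actually fits in the captured data. The following is an added example, not code from editcap or the Wireshark project, showing how a chop routine can validate the requested region against the captured length before touching memory. Its option semantics are a simplification assumed for the example (a signed offset, negative meaning "counted back from the packet end", and a signed chop length, negative meaning "remove bytes ending at that offset"); the packet contents are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Remove bytes from a packet held in buf[0 .. *caplen) in place.
 *   off     >= 0 : region anchored `off` bytes from the packet start
 *   off     <  0 : region anchored `-off` bytes before the packet end
 *   choplen >  0 : remove `choplen` bytes starting at the anchor
 *   choplen <  0 : remove `-choplen` bytes ending at the anchor
 * These semantics are assumed for this example and are not editcap's.
 * Returns 0 and updates *caplen on success, -1 if the requested region
 * does not lie entirely inside the captured bytes (nothing is touched).
 */
int chop_packet(uint8_t *buf, size_t *caplen, long off, long choplen)
{
    size_t len = *caplen;
    size_t start, count;

    if (choplen == 0)
        return 0;

    /* Resolve the anchor; reject offsets that point outside the packet. */
    if (off >= 0) {
        if ((size_t)off > len)
            return -1;
        start = (size_t)off;
    } else {
        if (off < -(long)len)
            return -1;
        start = len - (size_t)(-off);
    }

    if (choplen > 0) {
        count = (size_t)choplen;
    } else {
        count = (size_t)(-choplen);
        if (count > start)          /* region would begin before byte 0 */
            return -1;
        start -= count;
    }

    /* The guard a memmove in this position must have: the bytes being
     * removed, and therefore the source of the move, must end inside
     * the captured data. */
    if (count > len - start)
        return -1;

    memmove(buf + start, buf + start + count, len - start - count);
    *caplen = len - count;
    return 0;
}

/* Constructed 10-byte sample packet: byte i holds the value i. */
#define SAMPLE_LEN 10

/* Apply one chop to the sample packet. Returns the resulting length,
 * or -1 if the chop was refused. If out is non-NULL the result is copied there. */
long chop_case(long off, long choplen, uint8_t *out)
{
    uint8_t pkt[SAMPLE_LEN];
    size_t caplen = SAMPLE_LEN;
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        pkt[i] = (uint8_t)i;
    if (chop_packet(pkt, &caplen, off, choplen) != 0)
        return -1;
    if (out)
        memcpy(out, pkt, caplen);
    return (long)caplen;
}

/* Value of byte `idx` after the chop, or -1 if refused or out of range. */
int chop_case_byte(long off, long choplen, size_t idx)
{
    uint8_t out[SAMPLE_LEN];
    long n = chop_case(off, choplen, out);
    if (n < 0 || idx >= (size_t)n)
        return -1;
    return out[idx];
}

int main(void)
{
    printf("chop 3 from start      -> len %ld\n", chop_case(0, 3, NULL));
    printf("chop 2 at 4 from end   -> len %ld\n", chop_case(-4, 2, NULL));
    printf("chop 20 from 10 bytes  -> %ld (refused)\n", chop_case(0, 20, NULL));
    printf("offset -15 on 10 bytes -> %ld (refused)\n", chop_case(-15, 20, NULL));
    return 0;
}
```

The last two calls are the shape of request that, without the length guard, would turn into a memmove reading beyond the buffer; with the guard the packet is left untouched and the caller can report the bad chop arguments instead.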