The "wtap_dump_close" function on wiretap/file_access.c:2693 has an "attempting free on address which was not malloc()" vulnerability, called by editcap.c:1982.
Hi, we found one crash in Editcap (Wireshark) 4.2.4 which is the latest version. To assist in diagnosing and resolving these issues, we have attached the POC files along with the asan logs.
Environment: Linux 4f6b99b5cf37 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Command and args:
./editcap --inject-secrets tls,./file1.log -E 0.01 -c 10 poc1 /tmp/outfile.pcap
asan log:
==91098==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x619000002150 in thread T0
#0 0x7ffff769540f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x7ffff6ff84a1 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x204a1)
#2 0x7ffff73e8a15 in wtap_dump_close /root/wireshark/wiretap/file_access.c:2693
#3 0x5555555632ce in main /root/wireshark/editcap.c:1982
#4 0x7ffff6e0a082 in __libc_start_main ../csu/libc-start.c:308
#5 0x55555556751d in _start (/root/wireshark/build_asan/bin/editcap+0x1351d)
0x619000002150 is located 336 bytes inside of 496-byte region [0x619000002000,0x6190000021f0)
allocated by thread T0 here:
#0 0x7ffff76966e5 in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:217
#1 0x7ffff7047936 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6f936)
SUMMARY: AddressSanitizer: bad-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 in __interceptor_free
==91098==ABORTING
Credit by: Dawei Wang and Geng Zhou, from Zhongguancun Laboratory.
Edited by Abuᵈᵉᵛ
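A triage helper for the ASan report above, added here as an example and not part of the original report or of Wireshark. It pulls out the first frame inside the project tree and cross-checks the region arithmetic; the function names and the `project_root` default (taken from the source paths in the log) are assumptions.

```python
import re

# ASan lines copied from the report above (frames #4/#5, alloc #1, SUMMARY omitted).
REPORT = """\
==91098==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x619000002150 in thread T0
#0 0x7ffff769540f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x7ffff6ff84a1 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x204a1)
#2 0x7ffff73e8a15 in wtap_dump_close /root/wireshark/wiretap/file_access.c:2693
#3 0x5555555632ce in main /root/wireshark/editcap.c:1982
0x619000002150 is located 336 bytes inside of 496-byte region [0x619000002000,0x6190000021f0)
allocated by thread T0 here:
#0 0x7ffff76966e5 in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:217
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (.+?): (0x[0-9a-f]+) in thread")
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)")
REGION = re.compile(r"located (\d+) bytes inside of (\d+)-byte region "
                    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def frames(text):
    # Symbolized frames only; module+offset frames carry no source location.
    return [(fn, path, int(line)) for fn, path, line in FRAME.findall(text)]

def triage(report, project_root="/root/wireshark/"):
    # Split the free-side stack from the allocation-side stack.
    free_part, _, alloc_part = report.partition("allocated by thread")
    kind, addr = HEADER.search(free_part).groups()
    # Frames inside the project tree: the first one is where to start reading.
    ours = [(fn, path[len(project_root):], line)
            for fn, path, line in frames(free_part) if path.startswith(project_root)]
    result = {"kind": kind, "blame": ours[0] if ours else None,
              "callers": [fn for fn, _, _ in ours[1:]]}
    region = REGION.search(free_part)
    if region:
        offset, size = int(region[1]), int(region[2])
        start, end = int(region[3], 16), int(region[4], 16)
        result.update(
            offset=offset, size=size,
            # A non-zero offset means free() got a pointer into the middle of a block.
            interior_pointer=offset > 0,
            # Cross-check ASan's arithmetic so a truncated paste is noticed.
            region_consistent=(start + offset == int(addr, 16) and end - start == size))
    alloc = frames(alloc_part)
    if alloc:
        result["allocator"] = alloc[0][0].removeprefix("__interceptor_")
    return result

if __name__ == "__main__":
    print(triage(REPORT))
```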