The "wtap_dump_close" function on wiretap/file_access.c:2693 has an "attempting free on address which was not malloc()" vulnerability, called by editcap.c:2465.
Hi, we found one crash in Editcap (Wireshark) 4.2.4, which is the latest version. To assist in diagnosing and resolving these issues, we have attached the POC files along with the asan logs.
Environment: Linux 4f6b99b5cf37 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct 6 10:23:26 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Command and args:
./editcap --inject-secrets tls,./secrets.txt -E 0.01 -c 100 poc2 /tmp/outfile_00000.pcapng
asan log:
==91113==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x619000002410 in thread T0
    #0 0x7ffff769540f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x7ffff6ff84a1 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x204a1)
    #2 0x7ffff73e8a15 in wtap_dump_close /root/wireshark/wiretap/file_access.c:2693
    #3 0x55555556408a in main /root/wireshark/editcap.c:2465
    #4 0x7ffff6e0a082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x55555556751d in _start (/root/wireshark/build_asan/bin/editcap+0x1351d)

0x619000002410 is located 16 bytes inside of 496-byte region [0x619000002400,0x6190000025f0)
allocated by thread T0 here:
    #0 0x7ffff76966e5 in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:217
    #1 0x7ffff7047936 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6f936)

SUMMARY: AddressSanitizer: bad-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 in __interceptor_free
Credit by: Dawei Wang and Geng Zhou, from Zhongguancun Laboratory.
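A triage sketch for the report above, added here as an example and not part of the original report or of Wireshark: it parses the quoted ASan lines (embedded below as a constructed sample), cross-checks the freed address against the reported region, and picks the first frame under the build tree. The function name `triage_bad_free` and its `project_root` parameter are hypothetical.

```python
import re

# Constructed sample: the key lines of the ASan report quoted in the issue above.
REPORT = """\
==91113==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x619000002410 in thread T0
    #0 0x7ffff769540f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x7ffff6ff84a1 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x204a1)
    #2 0x7ffff73e8a15 in wtap_dump_close /root/wireshark/wiretap/file_access.c:2693
    #3 0x55555556408a in main /root/wireshark/editcap.c:2465
0x619000002410 is located 16 bytes inside of 496-byte region [0x619000002400,0x6190000025f0)
allocated by thread T0 here:
    #0 0x7ffff76966e5 in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:217
    #1 0x7ffff7047936 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x6f936)
"""

FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ (?:in (\S+) (\S+?):(\d+)|\((\S+)\+0x[0-9a-f]+\))", re.M)
ERR = re.compile(r"AddressSanitizer: attempting free on address which was not malloc\(\)-ed: (0x[0-9a-f]+)")
REGION = re.compile(r"(\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def triage_bad_free(report, project_root="/root/wireshark/"):
    """Summarise a bad-free report: pointer kind, allocating call, first project frame."""
    err = ERR.search(report)
    if not err:
        raise ValueError("not a bad-free report")
    freed = int(err.group(1), 16)
    free_part, _, alloc_part = report.partition("allocated by thread")
    reg = REGION.search(report)
    out = {"freed": hex(freed), "interior_pointer": None, "offset": None,
           "allocator": None, "first_project_frame": None}
    if reg:
        start, end = int(reg.group(3), 16), int(reg.group(4), 16)
        # Cross-check the printed offset and size against the printed addresses.
        consistent = freed - start == int(reg.group(1)) and end - start == int(reg.group(2))
        out["interior_pointer"] = consistent and start < freed < end
        out["offset"] = freed - start
    alloc = FRAME.search(alloc_part)
    if alloc and alloc.group(2):
        out["allocator"] = alloc.group(2).replace("__interceptor_", "")
    for m in FRAME.finditer(free_part):  # walk the free() stack, innermost frame first
        if m.group(3) and m.group(3).startswith(project_root):
            out["first_project_frame"] = (m.group(2), m.group(3)[len(project_root):], int(m.group(4)))
            break
    return out
```

On the report above, the result marks the freed address as an interior pointer at offset 16 of a block obtained through `posix_memalign`, with `wtap_dump_close` at wiretap/file_access.c:2693 as the first frame in the Wireshark tree.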