OSS-Fuzz bug in fuzzshark: stack exhaustion for dissect_zbee_tlvs
## Summary

Hello, I'm testing my fuzzer and found 1 stack exhaustion issue in fuzzshark.

## Steps to reproduce

Following the oss-fuzz build script, change `-DOSS_FUZZ=ON` to `-DENABLE_FUZZER=ON -DENABLE_ASAN=ON`, since LIB_FUZZING_ENGINE does not exist. Run fuzzshark with `FUZZSHARK_TARGET=tcp /work/build/run/fuzzshark $POC`.

## BUG Log

```
oss-fuzzshark: disabling: snort
oss-fuzzshark: requested dissector: tcp
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3464275435
INFO: Loaded 1 modules (408309 inline 8-bit counters): 408309 [0x560eb1c35a60, 0x560eb1c99555),
INFO: Loaded 1 PC tables (408309 PCs): 408309 [0x560eb1c99558,0x560eb22d44a8),
./run/fuzzshark: Running 1 inputs 1 time(s) each.
Running: /crashes/id:000002,sig:11,src:020196+021982,time:88731192,execs:828577815,op:splice,rep:4
AddressSanitizer:DEADLYSIGNAL
=================================================================
==5706==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc00d49f14 (pc 0x560ea1a1f10e bp 0x7ffc00d4a040 sp 0x7ffc00d49f00 T0)
    #0 0x560ea1a1f10e in proto_tree_add_subtree_format /src/wireshark/epan/proto.c:1463
    #1 0x560ea1a1f0e0 in proto_tree_add_subtree /src/wireshark/epan/proto.c:1456:9
    #2 0x560ea3498ce3 in dissect_zbee_tlvs /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2788:19
    #3 0x560ea34995b3 in dissect_global_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c
    #4 0x560ea34995b3 in dissect_zbee_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2742:18
    #5 0x560ea34995b3 in dissect_zbee_tlvs /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2789:18
    #6 0x560ea34995b3 in dissect_global_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c
    #7 0x560ea34995b3 in dissect_zbee_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2742:18
    #8 0x560ea34995b3 in dissect_zbee_tlvs /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2789:18
    #9 0x560ea34995b3 in dissect_global_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c
    #10 0x560ea34995b3 in dissect_zbee_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2742:18
    #11 0x560ea34995b3 in dissect_zbee_tlvs /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2789:18
    #12 0x560ea34995b3 in dissect_global_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c
    #13 0x560ea34995b3 in dissect_zbee_tlv /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2742:18
    #14 0x560ea34995b3 in dissect_zbee_tlvs /src/wireshark/epan/dissectors/packet-zbee-tlv.c:2789:18
    ...
SUMMARY: AddressSanitizer: stack-overflow /src/wireshark/epan/proto.c:1463 in proto_tree_add_subtree_format
==5706==ABORTING
```

## Sample capture file

[poc0](/uploads/93084335e29f3475998455b487149807/poc0)

## Build information

Build via the oss-fuzz dockerfile, changing `-DOSS_FUZZ=ON` to `-DENABLE_FUZZER=ON -DENABLE_ASAN=ON`: https://github.com/google/oss-fuzz/blob/master/projects/wireshark/

Exec `FUZZSHARK_TARGET=tcp ./run/wireshark $POC`

The wireshark version we use is the latest commit 653d79ef0939f5cf3b77e0fdd8b9b8898d70d4a3.
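The backtrace shows a cycle (dissect_zbee_tlvs -> dissect_zbee_tlv -> dissect_global_tlv -> dissect_zbee_tlvs) whose depth is bounded only by the input, so deeply nested TLVs run the dissector out of stack. The following is an added example, not Wireshark's code: a recursive parser for a constructed type/length/value encoding (type 0x01 nests a TLV list) with an explicit depth cap, plus a builder for nested inputs; `MAX_TLV_DEPTH`, `parse_tlvs`, `build_nested` and `parse_nested` are hypothetical names.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed TLV format for this example: type(1) len(1) value(len).
 * Type 0x01 carries a nested TLV list, mirroring the recursion cycle in the
 * trace above; the encoding is not ZigBee's and the names are hypothetical. */
#define TLV_NESTED    0x01
#define TLV_LEAF      0x02
#define MAX_TLV_DEPTH 8   /* hypothetical cap; a real dissector picks a protocol-specific value */

/* Parse a TLV list recursively. Returns the number of TLVs seen, or -1 on a
 * truncated value or when nesting exceeds max_depth. Without the depth check the
 * recursion depth follows the input, and every level in a real dissector also
 * pushes proto_tree frames, which is how a crafted packet exhausts the stack. */
static int parse_tlvs(const uint8_t *buf, size_t len, int depth, int max_depth)
{
    size_t off = 0; int count = 0;
    if (depth > max_depth) return -1;   /* the guard the trace above lacks */
    while (off + 2 <= len) {            /* off always advances: no zero-progress loop */
        uint8_t type = buf[off], vlen = buf[off + 1];
        off += 2;
        if (off + vlen > len) return -1;   /* truncated: stop instead of reading past len */
        if (type == TLV_NESTED) {
            int sub = parse_tlvs(buf + off, vlen, depth + 1, max_depth);
            if (sub < 0) return -1;
            count += sub;
        }
        off += vlen;
        count++;
    }
    return count;
}

/* Build `levels` nested TLVs around one leaf (0x02, value 0xAA). Returns the size, or 0. */
static size_t build_nested(uint8_t *out, size_t cap, int levels)
{
    size_t total = 3 + 2 * (size_t)levels;
    if (levels < 0 || levels > 126 || total > cap) return 0;   /* 1-byte length caps nesting */
    for (int i = 0; i < levels; i++) {
        out[2 * i]     = TLV_NESTED;
        out[2 * i + 1] = (uint8_t)(3 + 2 * (levels - 1 - i));
    }
    out[2 * levels] = TLV_LEAF; out[2 * levels + 1] = 1; out[2 * levels + 2] = 0xAA;
    return total;
}

static int parse_nested(int levels, int max_depth)   /* build, then parse with the guard */
{
    uint8_t buf[256];
    size_t n = build_nested(buf, sizeof buf, levels);
    return n ? parse_tlvs(buf, n, 0, max_depth) : -1;
}
```

With the cap in place, an input nested deeper than `MAX_TLV_DEPTH` is rejected with -1 instead of recursing further; the fuzzer's input then yields a parse error rather than a crash.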