OSS-Fuzz 70582: wireshark:fuzzshark_udp_port-dns: Stack-buffer-overflow in header_equal
OSS-Fuzz found the following:

```
oss-fuzzshark: disabling: ip
oss-fuzzshark: disabling: udp
oss-fuzzshark: disabling: udplite
oss-fuzzshark: disabling: ospf
oss-fuzzshark: disabling: bgp
oss-fuzzshark: disabling: dhcp
oss-fuzzshark: disabling: json
oss-fuzzshark: disabling: snort
oss-fuzzshark: configured for dissector: dns in table: udp.port
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3041101174
INFO: Loaded 1 modules (409365 inline 8-bit counters): 409365 [0xdeefff0, 0xdf53f05),
INFO: Loaded 1 PC tables (409365 PCs): 409365 [0xdf53f08,0xe593058),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wireshark_9de6374568df96eba97b9288a3fce517c93d2636/revisions/fuzzshark_udp_port-dns: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-ec4d03eb39e5ac5e6a12694c39a8d9b41b642854
=================================================================
==5359==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcb3c223b4 at pc 0x0000004dc198 bp 0x7ffcb3c221d0 sp 0x7ffcb3c21970
READ of size 16 at 0x7ffcb3c223b4 thread T0
SCARINESS: 41 (multi-byte-read-stack-buffer-overflow)
    #0 0x4dc197 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:810:7
    #1 0x4dc729 in __interceptor_memcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:842:10
    #2 0x182b3e7 in header_equal wireshark/epan/dissectors/packet-ntlmssp.c:2890:8
    #3 0x2f9d72c in g_hash_table_lookup
    #4 0x182c4d7 in decrypt_data_payload wireshark/epan/dissectors/packet-ntlmssp.c:2403:59
    #5 0x182974c in dissect_ntlmssp_payload wireshark/epan/dissectors/packet-ntlmssp.c:2352:5
    #6 0x74478e in call_dissector_through_handle wireshark/epan/packet.c:863:9
    #7 0x74478e in call_dissector_work wireshark/epan/packet.c:951:9
    #8 0x740a6a in call_dissector_only wireshark/epan/packet.c:3658:8
    #9 0x740a6a in call_dissector_with_data wireshark/epan/packet.c:3671:8
    #10 0x11ea0c3 in dissect_gssapi_work wireshark/epan/dissectors/packet-gssapi.c:303:21
    #11 0x11e8516 in dissect_gssapi_work_wrapper wireshark/epan/dissectors/packet-gssapi.c:533:8
    #12 0x11e8516 in dissect_gssapi wireshark/epan/dissectors/packet-gssapi.c:547:9
    #13 0x74478e in call_dissector_through_handle wireshark/epan/packet.c:863:9
    #14 0x74478e in call_dissector_work wireshark/epan/packet.c:951:9
    #15 0x740a6a in call_dissector_only wireshark/epan/packet.c:3658:8
    #16 0x740a6a in call_dissector_with_data wireshark/epan/packet.c:3671:8
    #17 0xf20eb6 in dissect_dns_answer wireshark/epan/dissectors/packet-dns.c:0
    #18 0xf160d7 in dissect_answer_records wireshark/epan/dissectors/packet-dns.c:4478:15
    #19 0xf160d7 in dissect_dns_common wireshark/epan/dissectors/packet-dns.c:4838:16
    #20 0xf14373 in dissect_dns_udp_sctp wireshark/epan/dissectors/packet-dns.c:4999:3
    #21 0xf14373 in dissect_dns wireshark/epan/dissectors/packet-dns.c:5083:5
    #22 0x74478e in call_dissector_through_handle wireshark/epan/packet.c:863:9
    #23 0x74478e in call_dissector_work wireshark/epan/packet.c:951:9
    #24 0x74ec70 in call_dissector_only wireshark/epan/packet.c:3658:8
    #25 0x74ec70 in call_all_postdissectors wireshark/epan/packet.c:4121:3
    #26 0x10b9c0b in dissect_frame wireshark/epan/dissectors/packet-frame.c:1436:5
    #27 0x74478e in call_dissector_through_handle wireshark/epan/packet.c:863:9
    #28 0x74478e in call_dissector_work wireshark/epan/packet.c:951:9
    #29 0x740a6a in call_dissector_only wireshark/epan/packet.c:3658:8
    #30 0x740a6a in call_dissector_with_data wireshark/epan/packet.c:3671:8
    #31 0x740087 in dissect_record wireshark/epan/packet.c:662:3
    #32 0x731ec4 in epan_dissect_run wireshark/epan/epan.c:646:2
    #33 0x59b515 in LLVMFuzzerTestOneInput wireshark/fuzz/fuzzshark.c:382:2
    #34 0x44dce0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #35 0x44e945 in fuzzer::Fuzzer::TryDetectingAMemoryLeak(unsigned char const*, unsigned long, bool) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:690:3
    #36 0x4384c0 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:332:8
    #37 0x43df0a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #38 0x46a302 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #39 0x7acdb1756082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #40 0x42ef4d in _start

Address 0x7ffcb3c223b4 is located in stack of thread T0 at offset 148 in frame
    #0 0x182926f in dissect_ntlmssp_payload wireshark/epan/dissectors/packet-ntlmssp.c:2296

  This frame has 7 object(s):
    [32, 36) 'offset' (line 2297)
    [48, 56) 'ntlmssp_tree' (line 2298)
    [80, 96) 'key' (line 2302)
    [112, 120) 'exc' (line 2340)
    [144, 148) 'except_state' (line 2340)
    [160, 184) 'except_sn' (line 2340) <== Memory access at offset 148 partially underflows this variable
    [224, 472) 'except_ch' (line 2340)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wireshark_9de6374568df96eba97b9288a3fce517c93d2636/revisions/fuzzshark_udp_port-dns+0x4dc197)
Shadow bytes around the buggy address:
  0x7ffcb3c22100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffcb3c22180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffcb3c22200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffcb3c22280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffcb3c22300: 00 00 00 00 f1 f1 f1 f1 04 f2 00 f2 f2 f2 00 00
=>0x7ffcb3c22380: f2 f2 00 f2 f2 f2[04]f2 00 00 00 f2 f2 f2 f2 f2
  0x7ffcb3c22400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffcb3c22480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
  0x7ffcb3c22500: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x7ffcb3c22580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffcb3c22600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5359==ABORTING
```

Reproducer fuzzshark testcase: [clusterfuzz-testcase-minimized-fuzzshark_udp_port-dns-4772791992254464](/uploads/3058c3766cff682ab2b797bf741bb0ca/clusterfuzz-testcase-minimized-fuzzshark_udp_port-dns-4772791992254464)