Fuzz job crash: fuzz-2025-04-25-7554.pcap
Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2025-04-25-7554.pcap.gz

stderr:

```
Branch: release-4.4
Input file: /var/menagerie/menagerie/ultimate_wireshark_protocols_pcap_220213.pcap

CI job name: Valgrind Menagerie Fuzz, ID: 9823305114
CI job URL: https://gitlab.com/wireshark/wireshark/-/jobs/9823305114
Return value: 0
Dissector bug: 0
Valgrind error count: 1

Date and time: Fri Apr 25 10:14:23 AM UTC 2025

Commits in the last 48 hours:
40c5e1574c2b nas_eps: Add space in hf names
cdf69e769d99 epan: Fix ENC_TIME_ZBEE_ZCL calculation

Build host information:
Linux 6.8.0-57-generic #59~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Mar 19 17:07:41 UTC 2 x86_64
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.2 LTS
Release:        24.04
Codename:       noble

Command and args: ./tools/valgrind-wireshark.sh -b /builds/wireshark/wireshark/_install/bin

==16265== Memcheck, a memory error detector
==16265== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==16265== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==16265== Command: /builds/wireshark/wireshark/_install/bin/tshark -nr /tmp/fuzz/fuzz-2025-04-25-7554.pcap
==16265==
Running as user "root" and group "root". This could be dangerous.

 ** (tshark:16265) 10:14:00.452141 [(none) WARNING] epan/dissectors/packet-bpv6.c:1859 -- evaluate_sdnv(): evaluate_sdnv decoded a value too large to fit in an int, truncating
 ** (tshark:16265) 10:14:04.802162 [Epan WARNING] -- Dissector bug, protocol TPM2.0, in packet 2795: epan/dissectors/packet-tpm20.c:1051: failed assertion "command_entry != ((void*)0)"
 ** (tshark:16265) 10:14:09.386946 [(none) WARNING] epan/dissectors/packet-bpv6.c:1859 -- evaluate_sdnv(): evaluate_sdnv decoded a value too large to fit in an int, truncating
==16265== Invalid write of size 1
==16265==    at 0x8E0D38E: col_clear (epan/column-utils.c:314)
==16265==    by 0x75EEF3F: dissect_clnp (epan/dissectors/packet-clnp.c:225)
==16265==    by 0x8E3A2D3: call_dissector_through_handle (epan/packet.c:861)
==16265==    by 0x8E352AD: call_dissector_work (epan/packet.c:949)
==16265==    by 0x8E3509C: dissector_try_uint_new (epan/packet.c:1622)
==16265==    by 0x8E353F2: dissector_try_uint (epan/packet.c:1646)
==16265==    by 0x7E16C01: dissect_osi (epan/dissectors/packet-osi.c:460)
==16265==    by 0x8E3A2D3: call_dissector_through_handle (epan/packet.c:861)
==16265==    by 0x8E352AD: call_dissector_work (epan/packet.c:949)
==16265==    by 0x8E3509C: dissector_try_uint_new (epan/packet.c:1622)
==16265==    by 0x8E353F2: dissector_try_uint (epan/packet.c:1646)
==16265==    by 0x7E9A6EF: dissect_ppp_common (epan/dissectors/packet-ppp.c:4830)
==16265==  Address 0x1329131b is 27 bytes after a block of size 4,096 in arena "client"
==16265==
==16265== Invalid write of size 1
==16265==    at 0x4852EE3: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==16265==    by 0xD1D7C86: strlcpy (strlcpy.c:42)
==16265==    by 0x8E0EAC5: col_set_str (epan/column-utils.c:798)
==16265==    by 0x75EEF73: dissect_clnp (epan/dissectors/packet-clnp.c:229)
==16265==    by 0x8E3A2D3: call_dissector_through_handle (epan/packet.c:861)
==16265==    by 0x8E352AD: call_dissector_work (epan/packet.c:949)
==16265==    by 0x8E3509C: dissector_try_uint_new (epan/packet.c:1622)
==16265==    by 0x8E353F2: dissector_try_uint (epan/packet.c:1646)
==16265==    by 0x7E16C01: dissect_osi (epan/dissectors/packet-osi.c:460)
==16265==    by 0x8E3A2D3: call_dissector_through_handle (epan/packet.c:861)
==16265==    by 0x8E352AD: call_dissector_work (epan/packet.c:949)
==16265==    by 0x8E3509C: dissector_try_uint_new (epan/packet.c:1622)
==16265==  Address 0x1329131b is 27 bytes after a block of size 4,096 in arena "client"
==16265==

valgrind: m_mallocfree.c:304 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 4160, hi = 8386654057393033280.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.

host stacktrace:
==16265==    at 0x58044A9A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==16265==    by 0x58044BDF: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==16265==    by 0x58044D75: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==16265==    by 0x5804EDB8: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==16265==    by 0x5803CDCA: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==16265==    by 0x5803B3E7: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==16265==    by 0x5803FFD0: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==16265==    by 0x5803A260: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==16265==    by 0x101005EFD4: ???
==16265==    by 0x1002DB9F0F: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 16265)
==16265==    at 0x8E0D38E: col_clear (epan/column-utils.c:314)
==16265==    by 0x7E17383: dissect_ositp_internal (epan/dissectors/packet-ositp.c:2098)
==16265==    by 0x7E170BD: dissect_ositp_inactive (epan/dissectors/packet-ositp.c:2196)
==16265==    by 0x8E3A2D3: call_dissector_through_handle (epan/packet.c:861)
==16265==    by 0x8E352AD: call_dissector_work (epan/packet.c:949)
==16265==    by 0x8E38C3B: call_dissector_only (epan/packet.c:3658)
==16265==    by 0x8E339C4: call_dissector_with_data (epan/packet.c:3671)
==16265==    by 0x8E38C81: call_dissector (epan/packet.c:3688)
==16265==    by 0x75EF006: dissect_clnp (epan/dissectors/packet-clnp.c:235)
==16265==    by 0x8E3A2D3: call_dissector_through_handle (epan/packet.c:861)
==16265==    by 0x8E352AD: call_dissector_work (epan/packet.c:949)
==16265==    by 0x8E3509C: dissector_try_uint_new (epan/packet.c:1622)
==16265==    by 0x8E353F2: dissector_try_uint (epan/packet.c:1646)
==16265==    by 0x7E16C01: dissect_osi (epan/dissectors/packet-osi.c:460)
==16265==    by 0x8E3A2D3: call_dissector_through_handle (epan/packet.c:861)
==16265==    by 0x8E352AD: call_dissector_work (epan/packet.c:949)
==16265==    by 0x8E3509C: dissector_try_uint_new (epan/packet.c:1622)
==16265==    by 0x8E353F2: dissector_try_uint (epan/packet.c:1646)
==16265==    by 0x7E9A6EF: dissect_ppp_common (epan/dissectors/packet-ppp.c:4830)
==16265==    by 0x7E9A5D2: dissect_ppp_hdlc_common (epan/dissectors/packet-ppp.c:5863)
==16265==    by 0x7E8EAE9: dissect_ppp_raw_hdlc (epan/dissectors/packet-ppp.c:6083)
==16265==    by 0x8E3A2D3: call_dissector_through_handle (epan/packet.c:861)
==16265==    by 0x8E352AD: call_dissector_work (epan/packet.c:949)
==16265==    by 0x8E3509C: dissector_try_uint_new (epan/packet.c:1622)
==16265==    by 0x78958ED: dissect_gre (epan/dissectors/packet-gre.c:501)
==16265==    by 0x8E3A2D3: call_dissector_through_handle (epan/packet.c:861)
==16265==    by 0x8E352AD: call_dissector_work (epan/packet.c:949)
==16265==    by 0x8E3509C: dissector_try_uint_new (epan/packet.c:1622)
==16265==    by 0x7A6CABB: ip_try_dissect (epan/dissectors/packet-ip.c:1861)
==16265==    by 0x7A6F5AA: dissect_ip_v4 (epan/dissectors/packet-ip.c:2436)
==16265==    by 0x8E3A2D3: call_dissector_through_handle (epan/packet.c:861)
==16265==    by 0x8E352AD: call_dissector_work (epan/packet.c:949)
==16265==    by 0x8E3509C: dissector_try_uint_new (epan/packet.c:1622)
==16265==    by 0x8E353F2: dissector_try_uint (epan/packet.c:1646)
==16265==    by 0x77F1CBC: dissect_ethertype (epan/dissectors/packet-ethertype.c:299)
==16265==    by 0x8E3A2D3: call_dissector_through_handle (epan/packet.c:861)
==16265==    by 0x8E352AD: call_dissector_work (epan/packet.c:949)
==16265==    by 0x8E38C3B: call_dissector_only (epan/packet.c:3658)
==16265==    by 0x8E339C4: call_dissector_with_data (epan/packet.c:3671)
==16265==    by 0x77F0D9C: dissect_eth_common (epan/dissectors/packet-eth.c:640)
==16265==    by 0x77F033A: dissect_eth (epan/dissectors/packet-eth.c:1006)
==16265==    by 0x8E3A2D3: call_dissector_through_handle (epan/packet.c:861)
==16265==    by 0x8E352AD: call_dissector_work (epan/packet.c:949)
==16265==    by 0x8E38C3B: call_dissector_only (epan/packet.c:3658)
==16265==    by 0x784E6C0: dissect_frame (epan/dissectors/packet-frame.c:1294)
==16265==    by 0x8E3A2D3: call_dissector_through_handle (epan/packet.c:861)
==16265==    by 0x8E352AD: call_dissector_work (epan/packet.c:949)
==16265==    by 0x8E38C3B: call_dissector_only (epan/packet.c:3658)
==16265==    by 0x8E339C4: call_dissector_with_data (epan/packet.c:3671)
==16265==    by 0x8E337E3: dissect_record (epan/packet.c:662)
==16265==    by 0x8E1F8C8: epan_dissect_run_with_taps (epan/epan.c:664)
==16265==    by 0x1298E4: process_packet_single_pass (tshark.c:4390)
==16265==    by 0x12B66C: process_cap_file_single_pass (tshark.c:3971)
==16265==    by 0x1285A0: process_cap_file (tshark.c:4162)
==16265==    by 0x125052: main (tshark.c:2573)
client stack range: [0x1FFEFF1000 0x1FFF000FFF] client SP: 0x1FFEFFA220
valgrind stack range: [0x1002CBA000 0x1002DB9FFF] top usage: 18232 of 1048576

Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.

fuzz-test.sh stderr:
Running as user "root" and group "root". This could be dangerous.
```

*no debug trace*