sharkd: NULL pointer dereference in setcomment when comment parameter is omitted
## Summary

A single malformed JSON-RPC request causes sharkd to crash via `strlen(NULL)`. The `comment` parameter in the `setcomment` method is schema-marked `SHARKD_OPTIONAL`, so `json_find_attr` returns NULL when the client omits it. That NULL flows directly into `wtap_block_add_string_option(..., OPT_COMMENT, tok_comment, strlen(tok_comment))` at `sharkd_session.c:5372` without any NULL check.

## AI assistance

None

## Sample capture file

[sharkd_setcomment_null.jsonl](/uploads/f7b47f2a53dab04d2a10ab6c817be991/sharkd_setcomment_null.jsonl)

Any pcap could work here: [radius_vsa_leak.pcap](/uploads/f5afdb322ef58898db37c22d1f1e3d66/radius_vsa_leak.pcap)

## Steps to reproduce

```
ASAN_OPTIONS=abort_on_error=1 /src/build-sharkd/run/sharkd - < /poc/sharkd_setcomment_null.jsonl
```

## What is the current bug behavior?

```
Running as user "root" and group "root". This could be dangerous.
 ** (sharkd:7) 20:23:28.772504 [(none) MESSAGE] -- JSON Dictionary: No config.txt or jsonmain.xml found (using generic mode)
Hello in child.
load: filename=/poc/radius_vsa_leak.pcap, max_packets=0, max_bytes=0
{"jsonrpc":"2.0","id":1,"result":{"status":"OK"}}
AddressSanitizer:DEADLYSIGNAL
=================================================================
==7==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0xffff881f3010 bp 0xffffcd0c3b50 sp 0xffffcd0c3330 T0)
==7==The signal is caused by a READ memory access.
==7==Hint: address points to the zero page.
    #0 0xffff881f3010  (/lib/aarch64-linux-gnu/libc.so.6+0xa3010) (BuildId: d5ef86dde36cbd3289566cf5098226035d76f2e1)
    #1 0xffffa6c09b38 in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
    #2 0xaaaab879e514 in sharkd_session_process_setcomment /src/sharkd_session.c:5372
    #3 0xaaaab87a1fcc in sharkd_session_process /src/sharkd_session.c:6133
    #4 0xaaaab87a23b0 in sharkd_session_main /src/sharkd_session.c:6213
    #5 0xaaaab8780184 in sharkd_loop /src/sharkd_daemon.c:400
    #6 0xaaaab877bd08 in main /src/sharkd.c:250
    #7 0xffff881784c0  (/lib/aarch64-linux-gnu/libc.so.6+0x284c0) (BuildId: d5ef86dde36cbd3289566cf5098226035d76f2e1)
    #8 0xffff88178594 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x28594) (BuildId: d5ef86dde36cbd3289566cf5098226035d76f2e1)
    #9 0xaaaab877292c in _start (/src/build-sharkd/run/sharkd+0x3292c) (BuildId: d86edd9f228ba951b11c10f69fb0ca5dbda5f389)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/aarch64-linux-gnu/libc.so.6+0xa3010) (BuildId: d5ef86dde36cbd3289566cf5098226035d76f2e1)
==7==ABORTING
bash: line 2: 7 Aborted ASAN_OPTIONS=abort_on_error=1 /src/build-sharkd/run/sharkd - < /poc/sharkd_setcomment_null.jsonl
```

## What is the expected correct behavior? (What you should see instead)

## Build information

```
Running as user "root" and group "root". This could be dangerous.
Sharkd (Wireshark) 4.7.0 (Git Rev Unknown from unknown).

Copyright 1998-2026 Gerald Combs <gerald@wireshark.org> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compile-time info:
 Bit width: 64-bit
 Compiler: GCC 13.3.0
 GLib: 2.80.0
 With:
  +Gcrypt 1.10.3
  +PCRE2 10.42 2022-12-11
  +libxml2 2.9.14
  +zlib 1.3
 Without:
  -brotli -libsmi -MaxMind -Snappy -Zstandard -GnuTLS -Lua -nghttp2
  -xxhash -Kerberos -LZ4 -nghttp3 -zlib-ng

Runtime info:
 OS: Linux 6.12.76-linuxkit
 CPU:
 Memory: 7935 MB of physical memory
 GLib: 2.80.0
 Locale: LC_TYPE=C
 Plugins: supported, 0 loaded
 With:
  +c-ares 1.27.0
  +PCRE2 10.42 2022-12-11
  +Gcrypt 1.10.3
  +zlib 1.3
```
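The pattern described in the Summary, as an added example that is not sharkd's code and not part of the original report: a lookup that returns NULL for an omitted optional parameter, with the unchecked handler beside a guarded one. The names `find_attr`, `store_comment`, `set_comment_unchecked` and `set_comment_checked`, and the choice to treat an omitted comment as "no comment", are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a parsed request; hypothetical types, not Wireshark's. */
struct attr { const char *name; const char *value; };

/* Returns the value for `name`, or NULL when the client omitted it. */
static const char *find_attr(const struct attr *a, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(a[i].name, name) == 0)
            return a[i].value;
    return NULL;
}

/* Stand-in for the option store: copies len bytes and returns 1,
 * or returns -1 if the value does not fit in dst. */
static int store_comment(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

/* Before: strlen() runs on the lookup result unconditionally, so a request
 * without "comment" reads through a NULL pointer. Shown for contrast only. */
int set_comment_unchecked(const struct attr *a, size_t n, char *dst, size_t cap)
{
    const char *c = find_attr(a, n, "comment");
    return store_comment(dst, cap, c, strlen(c));
}

/* After: the optional parameter is tested before use. Assumption: an omitted
 * comment means "no comment", reported to the caller as 0. */
int set_comment_checked(const struct attr *a, size_t n, char *dst, size_t cap)
{
    const char *c = find_attr(a, n, "comment");
    if (c == NULL) {
        if (cap > 0)
            dst[0] = '\0';
        return 0;
    }
    return store_comment(dst, cap, c, strlen(c));
}
```

Building the guarded handler with `-fsanitize=address` and calling it with a request that lacks `comment` exercises the same omitted-parameter path as the report's input.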