
Wireshark-dev: Re: [Wireshark-dev] Clang build with ASAN

From: Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx>
Date: Mon, 12 Aug 2013 18:59:45 +0200
Hi,

On Mon, Aug 12, 2013 at 05:17:50PM +0200, Alexis La Goutte wrote:
> I will try the ASAN feature (
> http://clang.llvm.org/docs/AddressSanitizer.html )
> 
> I try to fuzz some captures from menagerie but I already have an issue with
> editcap (libwiretap)
> 
> ./editcap -E 0.5 ../menagerie/public/10014-packet-mount-len.pcap
> /tmp/fuz.pcap |& ./asan_symbolize.py
> =================================================================
> ==15448==ERROR: AddressSanitizer: stack-buffer-overflow on address
> 0x7fff7e959c70 at pc 0x43a0d3 bp 0x7fff7e959890 sp 0x7fff7e959050
> READ of size 112 at 0x7fff7e959c70 thread T0
>     #0 0x43a0d2 in memcpy ??:0
>     #1 0x7faee0ab0f8d in ?? ??:0
>     #2 0x7faee1667a7a in pcapng_dump_open wireshark/wiretap/pcapng.c:3631
>     #3 0x7faee160b254 in wtap_dump_open_finish
> wireshark/wiretap/file_access.c:1507
>     #4 0x45ceb1 in main wireshark/editcap.c:1205
>     #5 0x7faedfea876c in ?? ??:0
>     #6 0x45aeec in _start ??:0
> Address 0x7fff7e959c70 is located in stack of thread T0 at offset 560 in
> frame
>     #0 0x7faee166679f in pcapng_dump_open wireshark/wiretap/pcapng.c:3593
> 
> I know it may be a false positive... (and I'm not an expert in memory
> stuff...)


For me it's not:

Check types:

  **interface_data_t** interface_data;

  pcapng->interface_data = g_array_new(FALSE, FALSE, sizeof(**wtapng_if_descr_t**));

  ...

3596         **interface_data_t** interface_data;

3604         pcapng->interface_data = g_array_new(FALSE, FALSE, sizeof(**wtapng_if_descr_t**));

3631                 g_array_append_val(pcapng->interface_data, interface_data);

wtapng_if_descr_t (big structure from wtap.h) != interface_data_t (16B from pcapng.h)


g_array_append_val() is trying to memcpy() 112B of interface_data (where only 16B is available) -- stack buffer overflow.

Banzai for ASAN! ;]

Kuba.
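The element-size mismatch Kuba describes, modelled as an added example that is not Wireshark or GLib code: `garray_model` is a hypothetical stand-in for GArray, the two structs only mimic the 112 B / 16 B sizes quoted in the thread, and the checked append shows the test a caller can make before copying.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the two Wireshark types: sizes match the
 * 112 B / 16 B figures in the message, not the real struct layouts. */
typedef struct { unsigned char opaque[112]; } wtapng_if_descr_t;
typedef struct { unsigned char opaque[16]; }  interface_data_t;

/* Minimal model of GArray: the element size is fixed at creation time. */
typedef struct { unsigned char *data; size_t len, elem_size; } garray_model;

static garray_model *garray_model_new(size_t elem_size) {
    garray_model *a = calloc(1, sizeof *a);
    a->elem_size = elem_size;
    return a;
}

/* Like g_array_append_val(): memcpy()s elem_size bytes from the value's
 * address, however large the value actually is. With a 16-byte stack
 * variable and a 112-byte element size this is the over-read ASAN reported. */
static void garray_model_append(garray_model *a, const void *val) {
    a->data = realloc(a->data, (a->len + 1) * a->elem_size);
    memcpy(a->data + a->len * a->elem_size, val, a->elem_size);
    a->len++;
}

/* Checked append: refuse when sizeof(value) differs from the element size,
 * so the type mismatch is caught before any bytes are copied. */
static int garray_model_append_checked(garray_model *a, const void *val,
                                       size_t val_size) {
    if (val_size != a->elem_size)
        return -1;
    garray_model_append(a, val);
    return 0;
}
#define GARRAY_APPEND_CHECKED(a, v) \
    garray_model_append_checked((a), &(v), sizeof(v))

/* Mirrors pcapng_dump_open(): array created with the given element size, a
 * value of the small type appended. Returns -1 (refused) or 0 (ok). */
int append_verdict(size_t array_elem_size) {
    garray_model *a = garray_model_new(array_elem_size);
    interface_data_t interface_data = {{0}};  /* the 16-byte stack variable */
    int rc = GARRAY_APPEND_CHECKED(a, interface_data);
    free(a->data);
    free(a);
    return rc;
}
```

Calling `append_verdict(sizeof(wtapng_if_descr_t))` reproduces the buggy pairing and is refused; `append_verdict(sizeof(interface_data_t))` is the corrected pairing and succeeds.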