Wireshark mailing list archives

Re: Clang build with ASAN


From: Jakub Zawadzki <darkjames-ws () darkjames pl>
Date: Mon, 12 Aug 2013 18:59:45 +0200

Hi,

On Mon, Aug 12, 2013 at 05:17:50PM +0200, Alexis La Goutte wrote:
I will try the ASAN feature (
http://clang.llvm.org/docs/AddressSanitizer.html )

I try to fuzz some captures from the menagerie, but I already have an issue with
editcap (libwiretap)

./editcap -E 0.5 ../menagerie/public/10014-packet-mount-len.pcap /tmp/fuz.pcap |& ./asan_symbolize.py
=================================================================
==15448==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff7e959c70 at pc 0x43a0d3 bp 0x7fff7e959890 sp 0x7fff7e959050
READ of size 112 at 0x7fff7e959c70 thread T0
    #0 0x43a0d2 in memcpy ??:0
    #1 0x7faee0ab0f8d in ?? ??:0
    #2 0x7faee1667a7a in pcapng_dump_open wireshark/wiretap/pcapng.c:3631
    #3 0x7faee160b254 in wtap_dump_open_finish wireshark/wiretap/file_access.c:1507
    #4 0x45ceb1 in main wireshark/editcap.c:1205
    #5 0x7faedfea876c in ?? ??:0
    #6 0x45aeec in _start ??:0
Address 0x7fff7e959c70 is located in stack of thread T0 at offset 560 in frame
    #0 0x7faee166679f in pcapng_dump_open wireshark/wiretap/pcapng.c:3593

I know it may be a false positive... (and I am not an expert in memory
stuff...)


For me it's not:

Check types:

  **interface_data_t** interface_data;

  pcapng->interface_data = g_array_new(FALSE, FALSE, sizeof(**wtapng_if_descr_t**));

  ...

3596         **interface_data_t** interface_data;

3604         pcapng->interface_data = g_array_new(FALSE, FALSE, sizeof(**wtapng_if_descr_t**));

3631                 g_array_append_val(pcapng->interface_data, interface_data);

wtapng_if_descr_t (big structure from wtap.h) != interface_data_t (16B from pcapng.h)


g_array_append_val() is trying to memcpy() 112B of interface_data (where only 16B is available) -- stack buffer overflow.

Banzai for ASAN! ;]

Kuba.
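
Added example, not part of the original message and not Wireshark or GLib code: a minimal stand-in for an untyped array shows why an append sized by the array's element size copies 112 bytes out of a 16-byte value, next to a size-checked append that rejects the mismatch. The names `small_if_t`, `big_if_t`, `arr_t` and both macros are hypothetical; only the two sizes are taken from the thread.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in types (assumptions): sizes mirror the 16 B and 112 B in the thread. */
typedef struct { unsigned char b[16]; }  small_if_t; /* role of interface_data_t  */
typedef struct { unsigned char b[112]; } big_if_t;   /* role of wtapng_if_descr_t */

/* Untyped growable array: like GArray, it remembers only an element size. */
typedef struct { unsigned char *data; size_t len, cap, elt_size; } arr_t;

static arr_t *arr_new(size_t elt_size) {
    arr_t *a = calloc(1, sizeof *a);
    if (a) a->elt_size = elt_size;
    return a;
}

/* Copies elt_size bytes from src, whatever object src really points at. */
static int arr_append_raw(arr_t *a, const void *src) {
    if (a->len == a->cap) {
        size_t ncap = a->cap ? a->cap * 2 : 4;
        unsigned char *p = realloc(a->data, ncap * a->elt_size);
        if (!p) return -1;
        a->data = p; a->cap = ncap;
    }
    memcpy(a->data + a->len * a->elt_size, src, a->elt_size);
    a->len++;
    return 0;
}

/* Unchecked, shaped like g_array_append_val(): reads elt_size bytes from &v. */
#define ARR_APPEND_VAL(a, v) arr_append_raw((a), &(v))
/* Checked: return -2 instead of copying when sizeof(v) != element size. */
#define ARR_APPEND_CHECKED(a, v) \
    (sizeof(v) == (a)->elt_size ? arr_append_raw((a), &(v)) : -2)

/* Appends one small_if_t to an array created with elt_size; 0 = ok, -2 = rejected. */
int append_small_to(size_t elt_size) {
    small_if_t v;
    arr_t *a = arr_new(elt_size);
    if (!a) return -1;
    memset(&v, 0xAB, sizeof v);
    int rc = ARR_APPEND_CHECKED(a, v);
    free(a->data); free(a);
    return rc;
}

int main(void) { /* exit status 0 when the match is accepted and the mismatch rejected */
    return !(append_small_to(sizeof(small_if_t)) == 0 &&
             append_small_to(sizeof(big_if_t)) == -2);
}
```

Swapping `ARR_APPEND_CHECKED` for `ARR_APPEND_VAL` in `append_small_to()` and building with `-fsanitize=address` gives the same class of report as in the thread when the array is created with `sizeof(big_if_t)`.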
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>