Wireshark mailing list archives

possible memory error in the SnifferDecompress function?


From: Lewis Burns <lewisurn () gmail com>
Date: Tue, 09 Sep 2014 15:11:03 -0700

Hi,

We've recently done some unit testing on open source projects. One of the issues we've found is related to the SnifferDecompress function in the wiretap/ngsniffer.c file. We're unable to determine whether the memory issues shown by valgrind can actually appear in the program, due to our unfamiliarity with the code base. I'm sending a small testcase to the list and hoping that some developers can validate or invalidate that this is a bug in the code.

The output from running the SnifferDecompress function is as follows:

==5795== Memcheck, a memory error detector
==5795== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==5795== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==5795== Command: a.out
==5795==
==5795== Source and destination overlap in memcpy(0x521290b, 0x5212899, 185)
==5795==    at 0x4C2F71C:memcpy@@GLIBC_2.14  (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5795==    by 0x4009D0: SnifferDecompress (in /home/chaoqiang/workspace/se/klee/exp/a.out)
==5795==    by 0x400B6F: main (in /home/chaoqiang/workspace/se/klee/exp/a.out)
==5795==
==5795== Source and destination overlap in memcpy(0x521ab32, 0x521ab28, 15)
==5795==    at 0x4C2F71C:memcpy@@GLIBC_2.14  (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5795==    by 0x400A7A: SnifferDecompress (in /home/chaoqiang/workspace/se/klee/exp/a.out)
==5795==    by 0x400B6F: main (in /home/chaoqiang/workspace/se/klee/exp/a.out)
==5795==
==5795== Invalid write of size 1
==5795==    at 0x400798: SnifferDecompress (in /home/chaoqiang/workspace/se/klee/exp/a.out)
==5795==    by 0x400B6F: main (in /home/chaoqiang/workspace/se/klee/exp/a.out)
==5795==  Address 0x521d080 is 0 bytes after a block of size 65,536 alloc'd
==5795==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5795==    by 0x400AE8: main (in /home/chaoqiang/workspace/se/klee/exp/a.out)


Steps to repeat the issue:

gcc -DRANDOM ngsniffer_noklee.c

valgrind a.out

Thanks very much,
Lewis

Attachment: ngsniffer_noklee.c

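The two valgrind findings above are the classic symptoms of an unchecked back-reference copy in a decompressor: memcpy() with overlapping source and destination is undefined behaviour, and a one-byte write "0 bytes after a block of size 65,536" is a missing output-bounds check. The following is an added example, not code from the post, the attachment, or Wireshark's wiretap/ngsniffer.c; it shows a hypothetical copy_backref() helper that performs both checks and copies overlapping regions byte by byte. All names and the sample data are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical helper (assumption: not Wireshark's SnifferDecompress).
 * Copies a back-reference of `len` bytes that starts `dist` bytes behind the
 * current output position `*out_pos` into `out` (capacity `out_size`).
 * Returns 0 on success, -1 if the reference points before the buffer start,
 * -2 if the copy would run past the end of the output buffer. */
int copy_backref(uint8_t *out, size_t out_size, size_t *out_pos,
                 size_t dist, size_t len)
{
    if (dist == 0 || dist > *out_pos)
        return -1;                       /* source would lie before out[0] */
    if (len > out_size - *out_pos)
        return -2;                       /* the "0 bytes after a block" write */

    const uint8_t *src = out + *out_pos - dist;
    uint8_t *dst = out + *out_pos;

    /* When dist < len the regions overlap, which is exactly what valgrind's
     * "Source and destination overlap in memcpy" reports. A forward byte loop
     * is well defined and preserves the repeat semantics LZ-style formats
     * expect (memmove would be defined too, but would not repeat the run). */
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i];

    *out_pos += len;
    return 0;
}

/* Demonstration on constructed data: literal "ab", then a 5-byte reference at
 * distance 2 (overlapping) yields "abababa"; a further 2-byte reference into
 * the single remaining byte of an 8-byte buffer is refused.
 * Returns the number of decoded bytes written to `result`, or a negative code. */
int demo_backref(char *result, size_t result_size)
{
    uint8_t out[8];
    size_t pos = 2;
    out[0] = 'a';
    out[1] = 'b';

    if (copy_backref(out, sizeof out, &pos, 2, 5) != 0)
        return -1;                       /* overlap case must succeed, pos == 7 */
    if (copy_backref(out, sizeof out, &pos, 1, 2) == 0)
        return -2;                       /* overflow case must be refused */
    if (pos + 1 > result_size)
        return -3;

    memcpy(result, out, pos);
    result[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    char buf[16];
    int n = demo_backref(buf, sizeof buf);
    printf("decoded %d bytes: %s\n", n, buf);
    return n == 7 ? 0 : 1;
}
```

Running the same input through a version that uses memcpy() without the length check reproduces both diagnostics under valgrind, which is a quick way to confirm whether a report like the one above points at a real defect or at a harness artefact.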
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev