Source: https://code.google.com/p/google-security-research/issues/detail?id=696
The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==24710==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe68161a6c at pc 0x0000004ab766 bp 0x7ffe681503f0 sp 0x7ffe6814fba0
WRITE of size 120 at 0x7ffe68161a6c thread T0
#0 0x4ab765 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0x7ff89a5f89ec in tvb_memcpy wireshark/epan/tvbuff.c:783:10
#2 0x7ff89b7ba95c in dissect_nhdr_extopt wireshark/epan/dissectors/packet-lbmc.c:10013:13
#3 0x7ff89b7a1a54 in lbmc_dissect_lbmc_packet wireshark/epan/dissectors/packet-lbmc.c:11039:41
#4 0x7ff89b82ece9 in dissect_lbttcp_pdu wireshark/epan/dissectors/packet-lbttcp.c:620:21
#5 0x7ff89c4a5254 in tcp_dissect_pdus wireshark/epan/dissectors/packet-tcp.c:2762:13
#6 0x7ff89b82c7dc in dissect_lbttcp_real wireshark/epan/dissectors/packet-lbttcp.c:642:5
#7 0x7ff89b82ad4e in test_lbttcp_packet wireshark/epan/dissectors/packet-lbttcp.c:698:5
#8 0x7ff89a4b1c57 in dissector_try_heuristic wireshark/epan/packet.c:2332:7
#9 0x7ff89c4a6de0 in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4644:13
#10 0x7ff89c4ac5e3 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4690:13
#11 0x7ff89c4a765b in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4771:9
#12 0x7ff89c4bc7f0 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5623:13
#13 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
#14 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9
#15 0x7ff89a4a95fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
#16 0x7ff89b5f0e0b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1976:7
#17 0x7ff89b5fba21 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2468:10
#18 0x7ff89b5f1569 in dissect_ip wireshark/epan/dissectors/packet-ip.c:2491:5
#19 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
#20 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9
#21 0x7ff89a4a95fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
#22 0x7ff89a4aa1a4 in dissector_try_uint wireshark/epan/packet.c:1177:9
#23 0x7ff89bdd7830 in dissect_ppp_common wireshark/epan/dissectors/packet-ppp.c:4346:10
#24 0x7ff89bdd6fec in dissect_ppp_hdlc_common wireshark/epan/dissectors/packet-ppp.c:5339:5
#25 0x7ff89bdcf2a5 in dissect_ppp_hdlc wireshark/epan/dissectors/packet-ppp.c:5380:5
#26 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
#27 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9
#28 0x7ff89a4a95fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
#29 0x7ff89b1e60d3 in dissect_frame wireshark/epan/dissectors/packet-frame.c:491:11
#30 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
#31 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9
#32 0x7ff89a4b396e in call_dissector_only wireshark/epan/packet.c:2665:8
#33 0x7ff89a4a53df in call_dissector_with_data wireshark/epan/packet.c:2678:8
#34 0x7ff89a4a4a2b in dissect_record wireshark/epan/packet.c:502:3
#35 0x7ff89a4559b9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#36 0x52856b in process_packet wireshark/tshark.c:3728:5
#37 0x5219e0 in load_cap_file wireshark/tshark.c:3484:11
#38 0x517e2c in main wireshark/tshark.c:2197:13
Address 0x7ffe68161a6c is located in stack of thread T0 at offset 65644 in frame
#0 0x7ff89b79d1ff in lbmc_dissect_lbmc_packet wireshark/epan/dissectors/packet-lbmc.c:10597
This frame has 17 object(s):
[32, 36) 'bhdr'
[48, 52) 'msgprop_len'
[64, 80) 'frag_info'
[96, 65644) 'reassembly' <== Memory access at offset 65644 overflows this variable
[65904, 65908) 'data_is_umq_cmd_resp'
[65920, 65940) 'stream_info'
[65984, 65996) 'ctxinstd_info'
[66016, 66028) 'ctxinstr_info'
[66048, 66120) 'destination_info'
[66160, 66416) 'found_header'
[66480, 66584) 'uim_stream_info'
[66624, 66632) 'tcp_sid_info'
[66656, 66672) 'tcp_addr'
[66688, 66692) 'tcp_session_id'
[66704, 66712) 'hdtbl_entry'
[66736, 66740) 'encoding'
[66752, 66756) 'pdmlen'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x10004d0242f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004d024300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004d024310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004d024320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004d024330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004d024340: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]f2 f2
0x10004d024350: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x10004d024360: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 04 f2
0x10004d024370: 00 00 04 f2 f2 f2 f2 f2 00 04 f2 f2 00 04 f2 f2
0x10004d024380: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00
0x10004d024390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==24710==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11984. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39324.zip
