Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=804
The following crash due to an asserion failure can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
ERROR:./address.h:144:alloc_address_wmem: assertion failed: (addr_data == NULL)
Program received signal SIGABRT, Aborted.
0x00007fffe13f5cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) where
#00x00007fffe13f5cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#10x00007fffe13f90d8 in __GI_abort () at abort.c:89
#20x00007fffe2e8c165 in g_assertion_message () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#30x00007fffe2e8c1fa in g_assertion_message_expr () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#40x00007fffeabea578 in alloc_address_wmem (scope=0x60700000c110, addr=0x7ffe9039af00, addr_type=22,
addr_len=0, addr_data=0x7ffe9039acb0) at ./address.h:144
#50x00007fffeabe3454 in copy_address_wmem (scope=0x60700000c110, to=0x7ffe9039af00, from=0x7ffe9039a920)
at ./address.h:254
#60x00007fffeabe2ec7 in conversation_new (setup_frame=10, addr1=0x7ffe9039a8e8, addr2=0x7ffe9039a920,
ptype=PT_NONE, port1=0, port2=0, options=2) at conversation.c:701
#70x00007fffebfe61a8 in get_peer_conversation (pinfo=0x61400000f058, tpt_conv_data=0x7ffe9039a8c0, create=1)
at packet-jxta.c:800
#80x00007fffebfda23d in dissect_jxta_stream (tvb=0x61d0001a6000, pinfo=0x61400000f058, tree=0x6190001500a0,
data=0x7fffffff5f30) at packet-jxta.c:682
#90x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c302a0, tvb=0x61d0001a6000,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffff5f30) at packet.c:656
#10 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c302a0, tvb=0x61d0001a6000,
pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffff5f30) at packet.c:731
#11 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91c302a0, tvb=0x61d0001a6000, pinfo=0x61400000f058,
tree=0x6190001500a0, data=0x7fffffff5f30) at packet.c:2764
#12 0x00007fffeabe9336 in try_conversation_dissector (addr_a=0x61400000f118, addr_b=0x61400000f130,
ptype=PT_TCP, port_a=32925, port_b=9711, tvb=0x61d0001a6000, pinfo=0x61400000f058, tree=0x6190001500a0,
data=0x7fffffff5f30) at conversation.c:1323
#13 0x00007fffecd90b6b in decode_tcp_ports (tvb=0x61d0001a6ed0, offset=32, pinfo=0x61400000f058,
tree=0x6190001500a0, src_port=32925, dst_port=9711, tcpd=0x7ffe9039a3c0, tcpinfo=0x7fffffff5f30)
at packet-tcp.c:4981
#14 0x00007fffecd96f1b in process_tcp_payload (tvb=0x61d0001a6ed0, offset=32, pinfo=0x61400000f058,
tree=0x6190001500a0, tcp_tree=0x7ffe901993c0, src_port=32925, dst_port=9711, seq=145, nxtseq=3338,
is_tcp_segment=1, tcpd=0x7ffe9039a3c0, tcpinfo=0x7fffffff5f30) at packet-tcp.c:5085
#15 0x00007fffecd91fcc in dissect_tcp_payload (tvb=0x61d0001a6ed0, pinfo=0x61400000f058, offset=32, seq=145,
nxtseq=3338, sport=32925, dport=9711, tree=0x6190001500a0, tcp_tree=0x7ffe901993c0, tcpd=0x7ffe9039a3c0,
tcpinfo=0x7fffffff5f30) at packet-tcp.c:5166
#16 0x00007fffecda8229 in dissect_tcp (tvb=0x61d0001a6ed0, pinfo=0x61400000f058, tree=0x6190001500a0,
data=0x7ffe8ff93880) at packet-tcp.c:6071
#17 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c61460, tvb=0x61d0001a6ed0,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7ffe8ff93880) at packet.c:656
#18 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c61460, tvb=0x61d0001a6ed0,
pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7ffe8ff93880) at packet.c:731
#19 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000093c40, uint_val=6, tvb=0x61d0001a6ed0,
pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7ffe8ff93880) at packet.c:1190
#20 0x00007fffebe8733c in ip_try_dissect (heur_first=0, tvb=0x61d0001a6ed0, pinfo=0x61400000f058,
tree=0x6190001500a0, iph=0x7ffe8ff93880) at packet-ip.c:1977
#21 0x00007fffebe9214a in dissect_ip_v4 (tvb=0x61d0001a6140, pinfo=0x61400000f058, parent_tree=0x6190001500a0,
data=0x0) at packet-ip.c:2476
#22 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91d022f0, tvb=0x61d0001a6140,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x0) at packet.c:656
#23 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91d022f0, tvb=0x61d0001a6140,
pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x0) at packet.c:731
#24 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000052380, uint_val=2048,
tvb=0x61d0001a6140, pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x0) at packet.c:1190
#25 0x00007fffeac548f5 in dissector_try_uint (sub_dissectors=0x61d000052380, uint_val=2048, tvb=0x61d0001a6140,
pinfo=0x61400000f058, tree=0x6190001500a0) at packet.c:1216
#26 0x00007fffeb97476a in dissect_ethertype (tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0,
data=0x7fffffffa080) at packet-ethertype.c:257
#27 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:656
#28 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0,
pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffffa080) at packet.c:731
#29 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, pinfo=0x61400000f058,
tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:2764
#30 0x00007fffeac4f900 in call_dissector_with_data (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:2777
#31 0x00007fffecb24cac in dissect_sll (tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0,
---Type <return> to continue, or q <return> to quit---
data=0x61300000df08) at packet-sll.c:291
#32 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c5e810, tvb=0x61d0001a74c0,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x61300000df08) at packet.c:656
#33 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c5e810, tvb=0x61d0001a74c0,
pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x61300000df08) at packet.c:731
#34 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000051a40, uint_val=25,
tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x61300000df08)
at packet.c:1190
#35 0x00007fffeba65106 in dissect_frame (tvb=0x61d0001a74c0, pinfo=0x61400000f058, parent_tree=0x6190001500a0,
data=0x7fffffffc560) at packet-frame.c:492
#36 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:656
#37 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0,
pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffffc560) at packet.c:731
#38 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, pinfo=0x61400000f058,
tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:2764
#39 0x00007fffeac4f900 in call_dissector_with_data (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:2777
#40 0x00007fffeac4ecd5 in dissect_record (edt=0x61400000f040, file_type_subtype=1, phdr=0x61300000dea0,
tvb=0x61d0001a74c0, fd=0x7fffffffc8a0, cinfo=0x0) at packet.c:539
#41 0x00007fffeac01dba in epan_dissect_run_with_taps (edt=0x61400000f040, file_type_subtype=1,
phdr=0x61300000dea0, tvb=0x61d0001a74c0, fd=0x7fffffffc8a0, cinfo=0x0) at epan.c:376
#42 0x000000000052ef40 in process_packet (cf=0x14b82e0 <cfile>, edt=0x61400000f040, offset=2804,
whdr=0x61300000dea0, pd=0x6210000fb500 "\300", tap_flags=0) at tshark.c:3727
#43 0x000000000052830d in load_cap_file (cf=0x14b82e0 <cfile>, save_file=0x0, out_file_type=2,
out_file_name_res=0, max_packet_count=-9, max_byte_count=0) at tshark.c:3483
#44 0x000000000051e67d in main (argc=3, argv=0x7fffffffe268) at tshark.c:2192
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12354. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39749.zip