Source: https://code.google.com/p/google-security-research/issues/detail?id=661
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==7849==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f8e33764094 at pc 0x7f8e29788726 bp 0x7ffe27806640 sp 0x7ffe27806638
READ of size 4 at 0x7f8e33764094 thread T0
#0 0x7f8e29788725 in dissect_zcl_pwr_prof_pwrprofstatersp wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21
#1 0x7f8e2977f2be in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3494:21
#2 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#3 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#4 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
#5 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#6 0x7f8e297738ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
#7 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
#10 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#11 0x7f8e2974de40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21
#12 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
#15 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#16 0x7f8e29757897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
#17 0x7f8e297518aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
#18 0x7f8e29752ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
#19 0x7f8e271ab417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
#20 0x7f8e2826863b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
#21 0x7f8e2825e35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5
#22 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#24 0x7f8e271a2dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x7f8e27eb25f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#26 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#27 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#28 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
#29 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#30 0x7f8e2719e33b in dissect_record wireshark/epan/packet.c:501:3
#31 0x7f8e2714c3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#32 0x5264eb in process_packet wireshark/tshark.c:3728:5
#33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#34 0x515daf in main wireshark/tshark.c:2197:13
0x7f8e33764094 is located 44 bytes to the left of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f8e337640c0) of size 64
0x7f8e33764094 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_pwrprofiles' defined in 'packet-zbee-zcl-general.c:3328:13' (0x7f8e33764080) of size 20
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21 in dissect_zcl_pwr_prof_pwrprofstatersp
Shadow bytes around the buggy address:
0x0ff2466e47c0: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
0x0ff2466e47d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ff2466e47e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0ff2466e47f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2466e4800: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
=>0x0ff2466e4810: 00 00[04]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ff2466e4820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2466e4830: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0ff2466e4840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2466e4850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2466e4860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone:fb
Freed heap region: fd
Stack left redzone:f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return:f5
Stack use after scope: f8
Global redzone:f9
Global init order: f6
Poisoned by user:f7
Container overflow:fc
Array cookie:ac
Intra object redzone:bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone:cb
==7849==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11830. Attached are three files which trigger the crash.
Update: there is also a similar crash due to out-of-bounds access to the global "ett_zbee_zcl_pwr_prof_enphases" array, see the report below.
Attached is a file which triggers the crash.
--- cut ---
==8228==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f0d4f321100 at pc 0x7f0d45344cd5 bp 0x7fff69e4e4a0 sp 0x7fff69e4e498
READ of size 4 at 0x7f0d4f321100 thread T0
#0 0x7f0d45344cd4 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25
#1 0x7f0d4533bd04 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3463:21
#2 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#3 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#4 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#5 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#6 0x7f0d453308ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
#7 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#10 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#11 0x7f0d4530b750 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1680:9
#12 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#15 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#16 0x7f0d4530aee1 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1033:13
#17 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#18 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#19 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#20 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#21 0x7f0d45314897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
#22 0x7f0d4530e8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
#23 0x7f0d4530fef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
#24 0x7f0d42d68417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
#25 0x7f0d43e2563b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
#26 0x7f0d43e1b40a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:594:5
#27 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#28 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#29 0x7f0d42d5fdbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#30 0x7f0d43a6f5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#31 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#32 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#33 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#34 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#35 0x7f0d42d5b33b in dissect_record wireshark/epan/packet.c:501:3
#36 0x7f0d42d093c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#37 0x5264eb in process_packet wireshark/tshark.c:3728:5
#38 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#39 0x515daf in main wireshark/tshark.c:2197:13
0x7f0d4f321100 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:4460:13' (0x7f0d4f321120) of size 128
0x7f0d4f321100 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f0d4f3210c0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25 in dissect_zcl_pwr_prof_enphsschednotif
Shadow bytes around the buggy address:
0x0fe229e5c1d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0fe229e5c1e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0fe229e5c1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c200: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
0x0fe229e5c210: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0fe229e5c220:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c230: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0fe229e5c240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone:fb
Freed heap region: fd
Stack left redzone:f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return:f5
Stack use after scope: f8
Global redzone:f9
Global init order: f6
Poisoned by user:f7
Container overflow:fc
Array cookie:ac
Intra object redzone:bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone:cb
==8228==ABORTING
--- cut ---
Furthermore, there is yet another similar condition in a somewhat related area of code, see the attached file and report below:
--- cut ---
==8856==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f148fad2900 at pc 0x7f1485afc15d bp 0x7ffd41dc3de0 sp 0x7ffd41dc3dd8
READ of size 4 at 0x7f148fad2900 thread T0
#0 0x7f1485afc15c in dissect_zcl_appl_evtalt_get_alerts_rsp wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21
#1 0x7f1485afab0f in dissect_zbee_zcl_appl_evtalt wireshark/epan/dissectors/packet-zbee-zcl-ha.c:818:21
#2 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#3 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#4 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#5 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#6 0x7f1485ae18ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
#7 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#10 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#11 0x7f1485abbe40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21
#12 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#15 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#16 0x7f1485ac5897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
#17 0x7f1485abf8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
#18 0x7f1485ac0ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
#19 0x7f1483519417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
#20 0x7f14845d663b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
#21 0x7f14845cc35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5
#22 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#24 0x7f1483510dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x7f14842205f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#26 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#27 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#28 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#29 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#30 0x7f148350c33b in dissect_record wireshark/epan/packet.c:501:3
#31 0x7f14834ba3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#32 0x5264eb in process_packet wireshark/tshark.c:3728:5
#33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#34 0x515daf in main wireshark/tshark.c:2197:13
0x7f148fad2900 is located 32 bytes to the left of global variable 'ett' defined in 'packet-zbee-zcl-ha.c:1391:18' (0x7f148fad2920) of size 136
0x7f148fad2900 is located 0 bytes to the right of global variable 'ett_zbee_zcl_appl_evtalt_alerts_struct' defined in 'packet-zbee-zcl-ha.c:698:13' (0x7f148fad28e0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21 in dissect_zcl_appl_evtalt_get_alerts_rsp
Shadow bytes around the buggy address:
0x0fe311f524d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f524e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f524f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe311f52520:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52530: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0fe311f52540: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0fe311f52550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone:fb
Freed heap region: fd
Stack left redzone:f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return:f5
Stack use after scope: f8
Global redzone:f9
Global init order: f6
Poisoned by user:f7
Container overflow:fc
Array cookie:ac
Intra object redzone:bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone:cb
==8856==ABORTING
--- cut ---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38995.zip