Out of bounds memory read in pcpp::SomeIpSdLayer::SomeIpSdLayer #1172

Closed
Jminis opened this issue Jul 31, 2023 · 3 comments

Jminis commented Jul 31, 2023

Description

Hello, while conducting fuzzing based on the information of pcapplusplus registered in the OSS-Fuzz Project, I've discovered a crash. I have confirmed that similar issues have occurred previously, but the crash I found is still reproducible.
Below are the issues I've referred to, and I will attach the crash log. Thank you.

Crash log

Using seed corpus: FuzzTarget_seed_corpus.zip
/out/FuzzTarget -rss_limit_mb=2560 -timeout=25 FuzzTarget_poc/pcapplusplus--FuzzTarget--crash-f8301fb8291922d10471dbdfb0b991bd-2023-07-29-08:47:27 # /tmp/FuzzTarget_corpus -close_fd_mask=3 < /dev/null
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3139246163
INFO: Loaded 1 modules   (35881 inline 8-bit counters): 35881 [0xab3928, 0xabc551),
INFO: Loaded 1 PC tables (35881 PCs): 35881 [0xabc558,0xb487e8),
/out/FuzzTarget: Running 1 inputs 1 time(s) each.
Running: FuzzTarget_poc/pcapplusplus--FuzzTarget--crash-f8301fb8291922d10471dbdfb0b991bd-2023-07-29-08:47:27
AddressSanitizer:DEADLYSIGNAL
=================================================================
==16==ERROR: AddressSanitizer: SEGV on unknown address 0x60c0000100a8 (pc 0x000000705c17 bp 0x7ffcbde12b40 sp 0x7ffcbde12b10 T0)
==16==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
    #0 0x705c17 in countOptions /src/PcapPlusPlus/Packet++/src/SomeIpSdLayer.cpp:653:24
    #1 0x705c17 in pcpp::SomeIpSdLayer::SomeIpSdLayer(unsigned char*, unsigned long, pcpp::Layer*, pcpp::Packet*) /src/PcapPlusPlus/Packet++/src/SomeIpSdLayer.cpp:442:17
    #2 0x6fae2f in pcpp::SomeIpLayer::parseSomeIpLayer(unsigned char*, unsigned long, pcpp::Layer*, pcpp::Packet*) /src/PcapPlusPlus/Packet++/src/SomeIpLayer.cpp:84:14
    #3 0x61a6fc in pcpp::UdpLayer::parseNextLayer() /src/PcapPlusPlus/Packet++/src/UdpLayer.cpp:128:17
    #4 0x5f0a5b in pcpp::Packet::setRawPacket(pcpp::RawPacket*, bool, unsigned long, pcpp::OsiModelLayer) /src/PcapPlusPlus/Packet++/src/Packet.cpp:81:13
    #5 0x59e1a9 in LLVMFuzzerTestOneInput /src/PcapPlusPlus/Tests/Fuzzers/FuzzTarget.cpp:68:16
    #6 0x46f693 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #7 0x45adf2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #8 0x46069c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #9 0x489bd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #10 0x7fadb66ce082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #11 0x450fbd in _start (/out/FuzzTarget+0x450fbd)

DEDUP_TOKEN: countOptions--pcpp::SomeIpSdLayer::SomeIpSdLayer(unsigned char*, unsigned long, pcpp::Layer*, pcpp::Packet*)--pcpp::SomeIpLayer::parseSomeIpLayer(unsigned char*, unsigned long, pcpp::Layer*, pcpp::Packet*)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/PcapPlusPlus/Packet++/src/SomeIpSdLayer.cpp:653:24 in countOptions
==16==ABORTING

pcapplusplus--FuzzTarget--crash-f8301fb8291922d10471dbdfb0b991bd-2023-07-29.txt

Fuzz code

The following line is the first frame of the crash in the fuzz target:
pcpp::Packet parsedPacket(&rawPacket);

Below is the complete fuzzing code (Targetfuzz.cpp):

#include <cstdint>
#include <cstdio>
#include <iostream>

#include <IPv4Layer.h>
#include <Packet.h>
#include <PcapFileDevice.h>

#include "Logger.h"

#define TMP_FILEPATH "/tmp/fuzz_sample.pcap"

// This function is created as PcapPlusPlus doesn't seem to offer a way of
// parsing Pcap files directly from memory
int dumpDataToPcapFile(const uint8_t *data, size_t size)
{
	FILE *fd;
	int written = 0;

	fd = fopen(TMP_FILEPATH, "wb");
	if (fd == NULL)
	{
		std::cerr << "Error opening pcap file for writing\n";
		return -1;
	}

	written = fwrite(data, 1, size, fd);
	if (static_cast<size_t>(written) != size)
	{
		std::cerr << "Error writing pcap file\n";
		fclose(fd);
		return -1;
	}

	fclose(fd);

	return 0;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
	if (dumpDataToPcapFile(Data, Size) < 0)
	{
		std::cerr << "Can't Dump buffer to a PCAP file!!!!\n";
		return 0;
	}

	// Disable logs
	pcpp::Logger::getInstance().suppressLogs();

	// open a pcap file for reading
	pcpp::PcapFileReaderDevice reader(TMP_FILEPATH);
	if (!reader.open())
	{
		std::cerr << "Error opening the pcap file\n";
		return 0;
	}

	// read the first (and only) packet from the file
	pcpp::RawPacket rawPacket;
	if (!reader.getNextPacket(rawPacket))
	{
		std::cerr << "Couldn't read the first packet in the file\n";
		return 0;
	}

	do
	{
		// parse the raw packet into a parsed packet
		pcpp::Packet parsedPacket(&rawPacket);

		// verify the packet is IPv4
		if (parsedPacket.isPacketOfType(pcpp::IPv4))
		{
			// extract source and dest IPs
			pcpp::IPv4Address srcIP = parsedPacket.getLayerOfType<pcpp::IPv4Layer>()->getSrcIPv4Address();
			pcpp::IPv4Address destIP = parsedPacket.getLayerOfType<pcpp::IPv4Layer>()->getDstIPv4Address();

			// print source and dest IPs
			std::cout << "Source IP is '" << srcIP.toString() << "'; Dest IP is '" << destIP.toString() << "'"
					  << std::endl;
		}
	} while (reader.getNextPacket(rawPacket));

	// close the file
	reader.close();

	return 0;
}
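The crash above is a wild read inside the option-counting loop of the SOME/IP-SD parser, i.e. the classic failure of a walker that trusts length fields taken from the packet. The following is an added example, not PcapPlusPlus code and not the fix from #1173: a stand-alone, bounds-checked walk of the SOME/IP-SD options array that rejects the three ways such a packet can lie (an options-array length larger than the bytes present, an option whose own length field overruns the array, and a packet truncated inside a length field). The layout it assumes is the AUTOSAR SOME/IP-SD payload after the 16-byte SOME/IP header (flags, 3 reserved bytes, entries length, entries, options length, options; each option is a 2-byte length and 1-byte type followed by `length` bytes). The sample payload and the `demo*` helper names are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Big-endian field readers; callers must already have checked that the bytes exist.
static uint16_t be16(const uint8_t* p) { return static_cast<uint16_t>((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t* p)
{
    return (static_cast<uint32_t>(p[0]) << 24) | (static_cast<uint32_t>(p[1]) << 16) |
           (static_cast<uint32_t>(p[2]) << 8) | p[3];
}

// Assumed SOME/IP-SD layout (payload after the SOME/IP header):
//   flags(1) reserved(3) entriesLen(4) entries[entriesLen] optionsLen(4) options[optionsLen]
//   option: length(2) type(1) body[length]   -> 3 + length bytes in total
constexpr size_t SD_FIXED_HDR = 8;   // flags + reserved + entriesLen
constexpr size_t SD_OPTION_HDR = 3;  // length + type

// Counts the options in an SD payload of `len` bytes. Returns false as soon as any
// packet-supplied length would require reading past `len`; never dereferences beyond it.
bool countSdOptions(const uint8_t* data, size_t len, uint32_t& count)
{
    count = 0;
    if (len < SD_FIXED_HDR) return false;
    const uint32_t entriesLen = be32(data + 4);
    if (entriesLen > len - SD_FIXED_HDR) return false;      // entries array overruns buffer
    size_t off = SD_FIXED_HDR + entriesLen;
    if (len - off < 4) return false;                        // no room for the optionsLen field
    const uint32_t optionsLen = be32(data + off);
    off += 4;
    if (optionsLen > len - off) return false;               // options array overruns buffer
    const size_t end = off + optionsLen;                    // end <= len from here on
    while (off < end)
    {
        if (end - off < SD_OPTION_HDR) return false;        // truncated option header
        const size_t optSize = SD_OPTION_HDR + be16(data + off);
        if (optSize > end - off) return false;              // option body overruns the array
        off += optSize;
        ++count;
    }
    return true;
}

// Constructed sample (not a captured packet): one zeroed 16-byte entry and two options.
std::vector<uint8_t> sampleSdPayload()
{
    std::vector<uint8_t> p = { 0xC0, 0x00, 0x00, 0x00,     // flags (reboot|unicast), reserved
                               0x00, 0x00, 0x00, 0x10 };   // entriesLen = 16
    p.insert(p.end(), 16, 0x00);                            // one entry, contents irrelevant here
    const std::vector<uint8_t> opts = {
        // IPv4 endpoint option: length 9, type 0x04, reserved, 10.0.0.1, reserved, UDP, port 30000
        0x00, 0x09, 0x04, 0x00, 0x0A, 0x00, 0x00, 0x01, 0x00, 0x11, 0x75, 0x30,
        // second option: length 3, type 0x01, 3 body bytes
        0x00, 0x03, 0x01, 0x00, 0x41, 0x42 };
    p.insert(p.end(), { 0x00, 0x00, 0x00, static_cast<uint8_t>(opts.size()) }); // optionsLen = 18
    p.insert(p.end(), opts.begin(), opts.end());
    return p;                                               // 46 bytes
}

// Well-formed payload: returns the option count, or -1 if rejected.
int demoValid()
{
    auto p = sampleSdPayload();
    uint32_t n = 0;
    return countSdOptions(p.data(), p.size(), n) ? static_cast<int>(n) : -1;
}

// optionsLen claims far more bytes than the packet carries (offset 8 + 16 = 24).
bool demoOptionsLenOverrun()
{
    auto p = sampleSdPayload();
    p[26] = 0xFF; p[27] = 0xFF;                             // optionsLen = 0x0000FFFF
    uint32_t n = 0;
    return countSdOptions(p.data(), p.size(), n);
}

// The first option's own length field (offset 28) points past the end of the array.
bool demoOptionOverrun()
{
    auto p = sampleSdPayload();
    p[28] = 0x01; p[29] = 0x00;                             // option length = 256
    uint32_t n = 0;
    return countSdOptions(p.data(), p.size(), n);
}

// Packet cut off inside the optionsLen field.
bool demoTruncated()
{
    auto p = sampleSdPayload();
    p.resize(26);
    uint32_t n = 0;
    return countSdOptions(p.data(), p.size(), n);
}

int main()
{
    std::printf("valid payload: %d options\n", demoValid());
    std::printf("optionsLen overrun accepted: %d\n", demoOptionsLenOverrun());
    std::printf("option overrun accepted: %d\n", demoOptionOverrun());
    std::printf("truncated accepted: %d\n", demoTruncated());
    return 0;
}
```

The point of the example is the order of the checks: every subtraction is done only after the left operand is known to be the larger one, so `len - off` and `end - off` can never wrap, and each packet-supplied length is compared against the remaining bytes before it is added to the offset. Dropping the `optionsLen > len - off` check reproduces the pattern behind a wild read like the one in the ASan report: the loop keeps reading option headers from wherever the bogus length sends it.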
seladb (Owner) commented Aug 1, 2023

Thanks for reporting this issue @Jminis !
We're aware of bugs reported by OSS-Fuzz and try to fix them occasionally.

If it's ok with you, I'll close this issue now so we don't have duplicates with OSS-Fuzz issues.

FYI @sashashura who fixed the previous issue with this layer

@seladb seladb added the fuzzing label Aug 1, 2023
@Jminis Jminis closed this as completed Aug 1, 2023
sashashura added a commit to sashashura/PcapPlusPlus that referenced this issue Aug 1, 2023
sashashura (Contributor) commented Aug 1, 2023

@seladb I think @Jminis wanted to say that the original https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53099 is fixed (i.e. I cannot reproduce it with https://oss-fuzz.com/download?testcase_id=5124308624343040), but @Jminis found a variation of it.

The reproducer is https://github.com/seladb/PcapPlusPlus/files/12211339/pcapplusplus--FuzzTarget--crash-f8301fb8291922d10471dbdfb0b991bd-2023-07-29.txt

It may be that OSS-Fuzz has already found it, but it is not visible to the public for 90 days. Since the reproducer is public I think it is better to reopen and fix it. The OSS-Fuzz issue will be closed automatically. I have created a pull request to fix it: #1173

seladb (Owner) commented Aug 2, 2023

Thanks @sashashura for providing the fix! I just merged it to dev and will later merge it to master

fxlb pushed a commit to fxlb/PcapPlusPlus that referenced this issue Oct 22, 2024