Ethereal-dev: [Ethereal-dev] Core dump in current gsm-sms-ud dissector


From: Biot Olivier <Olivier.Biot@xxxxxxxxxxx>
Date: Tue, 27 Jan 2004 14:08:26 +0100
Hi list,

The current "gsm-sms-ud" dissector crashes on a reference capture I have
(oddly, it did not crash yesterday when I committed an SMPP patch). From the
backtrace below, parse_gsm_sms_ud_message() (packet-gsm_sms_ud.c:385) passes a
NULL dissector handle to call_dissector(), and call_dissector_work() then
dereferences it at packet.c:403 ("handle=0x0"). I suspect the gsm-sms-ud
protocol registration/handoff is the cause, i.e. the handle the dissector
calls through is never filled in, so it should be checked for NULL (or the
payload handed to the data dissector) before being used. Note that simply
reading a capture file is enough to trigger this NULL dereference, so anyone
opening such a file will hit the crash. As I don't have the time right now,
could someone else have a look?

Regards,

Olivier

GNU gdb 2003-09-20-cvs (cygwin-special)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-cygwin"...
(gdb) r
Starting program:
/home/Administrator/Ethereal/cvs/ethereal-pcre/ethereal.exe -r
/home/be322008/Desktop/Snoops/BigCap.snoop

Program received signal SIGSEGV, Segmentation fault.
0x00a8e5af in call_dissector_work (handle=0x0, tvb=0x10defe60, 
    pinfo=0x10e05c18, tree=0x10425b48) at packet.c:403
403		if (handle->protocol != NULL &&
(gdb) bt full
#0  0x00a8e5af in call_dissector_work (handle=0x0, tvb=0x10defe60, 
    pinfo=0x10e05c18, tree=0x10425b48) at packet.c:403
	saved_proto = 0x610e2707
"\213M\b)Y\b\001\031\211û\001]ð)ß\213U\f\213B\b)Ø\205À\211B\b\017\204gÿÿÿ\21
3U\b\205ÿ\017·B\fu\234ë\212\213\032\213B\020)Ã\211\004$\215\f\037\211Mä\211L
$\004èÑ)÷ÿ\205À\017\204=ÿÿÿ\213U\b\213Mä\211B\020\001Ø\211û\211\002\211J\024
\211z\béxÿÿÿ\213U\b\213\002;B\020v\0049ßwS\213U\b\213Z\0249ßr'\211\\$\b\213M
ð\211L$\004\213B \211\004$ÿR(\205À\211Ã\017\217jÿÿÿéèþÿÿ\215t&"
	saved_can_desegment = 50824
	ret = 10357596
	save_writable = 2284280
	save_dl_src = {type = 283049568, len = 0, 
  data = 0x15934d4 "\211X\004\211ð\215eø[^]Ã\211ØëõU\211åèÈ\006"}
	save_dl_dst = {type = 269763144, len = 4096, 
  data = 0x9e0aea "[Illegal %s]"}
	save_net_src = {type = 282274976, len = 6, 
  data = 0x21 <Address 0x21 out of bounds>}
	save_net_dst = {type = 128, len = 189, data = 0x10defe60 ""}
	save_src = {type = AT_NONE, len = 1, 
  data = 0x9e08fd "Frame: %u, payload: %u-%u"}
	save_dst = {type = 272766776, len = 4349, data = 0x10defe60 ""}
	saved_proto = 0x610e2707
"\213M\b)Y\b\001\031\211û\001]ð)ß\213U\f\213B\b)Ø\205À\211B\b\017\204gÿÿÿ\21
3U\b\205ÿ\017·B\fu\234ë\212\213\032\213B\020)Ã\211\004$\215\f\037\211Mä\211L
$\004èÑ)÷ÿ\205À\017\204=ÿÿÿ\213U\b\213Mä\211B\020\001Ø\211û\211\002\211J\024
\211z\béxÿÿÿ\213U\b\213\002;B\020v\0049ßwS\213U\b\213Z\0249ßr'\211\\$\b\213M
ð\211L$\004\213B \211\004$ÿR(\205À\211Ã\017\217jÿÿÿéèþÿÿ\215t&"
	saved_can_desegment = 50824
	ret = 10357596
	save_writable = 2284280
	save_dl_src = {type = 283049568, len = 0, 
  data = 0x15934d4 "\211X\004\211ð\215eø[^]Ã\211ØëõU\211åèÈ\006"}
	save_dl_dst = {type = 269763144, len = 4096, 
  data = 0x9e0aea "[Illegal %s]"}
	save_net_src = {type = 282274976, len = 6, 
  data = 0x21 <Address 0x21 out of bounds>}
	save_net_dst = {type = 128, len = 189, data = 0x10defe60 ""}
	save_src = {type = AT_NONE, len = 1, 
  data = 0x9e08fd "Frame: %u, payload: %u-%u"}
	save_dst = {type = 272766776, len = 4349, data = 0x10defe60 ""}
#1  0x00a903bf in call_dissector (handle=0x0, tvb=0x10defe60, 
    pinfo=0x10e05c18, tree=0x10425b48) at packet.c:1596
	handle = 0x0
	tvb = (tvbuff_t *) 0x10defe60
	pinfo = (packet_info *) 0x10e05c18
	tree = (proto_tree *) 0x10425b48
	ret = 0
#2  0x0061e536 in parse_gsm_sms_ud_message (sm_tree=0x10ce51f0, 
    tvb=0x10defe2c, pinfo=0x10e05c18, top_tree=0x10425b48)
    at packet-gsm_sms_ud.c:385
	sm_tvb = (tvbuff_t *) 0x10defe60
	subtree = (proto_item *) 0x10427750
	tree = (proto_item *) 0x104279a8
	udh_len = 11 '\v'
	udh = 96 '`'
	len = 3 '\003'
	sm_len = 63
	sm_data_len = 283049568
	i = 283139096
	is_fragmented = 1
	fd_sm = (fragment_data *) 0x0
	sm_id = 0
	frags = 2
	frag = 2
	save_fragmented = 0
	try_gsm_sms_ud_reassemble = 1
	reassembled = 1
	reassembled_in = 12789
	p_src = 49154
	p_dst = 49999
	ports_available = 1
#3  0x0061ebc8 in dissect_gsm_sms_ud (tvb=0x10defe2c, pinfo=0x10e05c18, 
    tree=0x10425b48) at packet-gsm_sms_ud.c:423
	tvb = (tvbuff_t *) 0x10425b48
	pinfo = (packet_info *) 0x0
	tree = (proto_tree *) 0x10defe60
	ti = (proto_item *) 0x0
	subtree = (proto_tree *) 0x0
#4  0x00a8e571 in call_dissector_through_handle (handle=0x10088638, 
    tvb=0x10defe2c, pinfo=0x10e05c18, tree=0x10425b48) at packet.c:363
	handle = 0x10defe60
	tvb = (tvbuff_t *) 0x10defe2c
	pinfo = (packet_info *) 0x10425b48
	saved_proto = 0x61f292 "GSM SMS UD"
	ret = 0
#5  0x00a8e8f0 in call_dissector_work (handle=0x10088638, tvb=0x10defe2c, 
    pinfo=0x10e05c18, tree=0x10425b48) at packet.c:513
	saved_proto = 0x90c9a4 "SMPP"
	saved_can_desegment = 1
	ret = 283049540
	save_writable = 0
	save_dl_src = {type = 283049464, len = 283049516, 
  data = 0x22ca98 "ÈÊ\""}
	save_dl_dst = {type = AT_NONE, len = 283049516, 
  data = 0x10defe2c "\001"}
	save_net_src = {type = 2280008, len = 22623468, 
  data = 0x22ca68 "\230Ê\""}
	save_net_dst = {type = 283049464, len = 74, data = 0x22ca68
"\230Ê\""}
	save_src = {type = 283049544, len = 2280036, 
  data = 0x1 <Address 0x1 out of bounds>}
	save_dst = {type = 283049464, len = 39, 
  data = 0x4a <Address 0x4a out of bounds>}
	saved_proto = 0x90c9a4 "SMPP"
	saved_can_desegment = 1
	ret = 283049540
	save_writable = 0
	save_dl_src = {type = 283049464, len = 283049516, 
  data = 0x22ca98 "ÈÊ\""}
	save_dl_dst = {type = AT_NONE, len = 283049516, 
  data = 0x10defe2c "\001"}
	save_net_src = {type = 2280008, len = 22623468, 
  data = 0x22ca68 "\230Ê\""}
	save_net_dst = {type = 283049464, len = 74, data = 0x22ca68
"\230Ê\""}
	save_src = {type = 283049544, len = 2280036, 
  data = 0x1 <Address 0x1 out of bounds>}
	save_dst = {type = 283049464, len = 39, 
  data = 0x4a <Address 0x4a out of bounds>}
#6  0x00a903bf in call_dissector (handle=0x10088638, tvb=0x10defe2c, 
    pinfo=0x10e05c18, tree=0x10425b48) at packet.c:1596
	handle = 0x0
	tvb = (tvbuff_t *) 0x10defe2c
	pinfo = (packet_info *) 0x10e05c18
	tree = (proto_tree *) 0x10425b48
	ret = 0
#7  0x0090b987 in submit_sm (tree=0x10ce50a0, tvb=0x10defdf8, 
    pinfo=0x10e05c18, top_tree=0x10425b48) at packet-smpp.c:1404
	tvb = (tvbuff_t *) 0x10e05c18
	top_tree = (proto_tree *) 0x0
	tvb_msg = (tvbuff_t *) 0x0
	offset = 39
	flag = 0 '\0'
	udhi = 64 '@'
	length = 74 'J'
	src_str = 0x10e1f610 "32477200179"
	dst_str = 0x10e1f630 "32476471861"
	save_src = {type = AT_IPv4, len = 4, data = 0x10e1f650 "¬\020\v}"}
	save_dst = {type = AT_IPv4, len = 4, data = 0x10e1f660
"¬\021\003\006"}
#8  0x0090cccc in dissect_smpp_pdu (tvb=0x10defd90, pinfo=0x10e05c18, 
    tree=0x10425b48) at packet-smpp.c:1918
	tmp_tvb = (tvbuff_t *) 0x0
	pdu_tvb = (tvbuff_t *) 0x10defe2c
	tvb = (tvbuff_t *) 0x10defe2c
	command_length = 129
	command_id = 4
	command_status = 0
	sequence_number = 2
	command_str = (gchar *) 0x9071b2 "Submit_sm"
	command_status_str = (gchar *) 0x0
	ti = (proto_item *) 0x10ce50a0
	smpp_tree = (proto_tree *) 0x10ce50a0
#9  0x0094810a in tcp_dissect_pdus (tvb=0x10defcf4, pinfo=0x10e05c18, 
    tree=0x10425b48, proto_desegment=0, fixed_len=16, 
    get_pdu_len=0x90c830 <get_smpp_pdu_len>, 
    dissect_pdu=0x90c9d0 <dissect_smpp_pdu>) at packet-tcp.c:1989
	except_sn = {except_down = 0x22ceb0, except_type = XCEPT_CATCHER, 
  except_info = {except_catcher = 0x22cbb0, except_cleanup = 0x22cbb0}}
	except_ch = {except_id = 0x947f48, except_size = 1, except_obj = {
    except_id = {except_group = 4, except_code = 283049204}, 
    except_message = 0x10defcf4 "\001", except_dyndata = 0x0}, except_jmp =
{
    2280392, 129, 2280608, 2280608, 0, 0, 2280664, 2280336, 9732201,
3670051, 
    2293760, 129, 2280504, 11119404, 272135670, 129, 32, 2280484, 2280488,
0, 
    -1, 2280492, 539151408, 0, 0, 269553448, 269543640, 2280685, 2280552, 
    9103820, 283049204, 0, -1, 283049204, 2280672, 2280620, 2280584,
11112344, 
    283049204, 8, 4, 2280620, 2280624, 2280672, 2280664, 283049204,
269543736, 
    2, 2280632, 11116599, 283049204, 8}}
	exc = (except_t *) 0x1
	catch_spec = {{except_group = 1, except_code = 0}}
	offset = 0
	offset_before = 0
	length_remaining = 129
	plen = 129
	length = 0
	next_tvb = (tvbuff_t *) 0x10defd90
#10 0x0090c91f in dissect_smpp (tvb=0x10defcf4, pinfo=0x10e05c18, 
    tree=0x10425b48) at packet-smpp.c:1681
	tvb = (tvbuff_t *) 0x10defcf4
	offset = 269543736
#11 0x0090c81f in dissect_smpp_heur (tvb=0x10defcf4, pinfo=0x10e05c18, 
    tree=0x10425b48) at packet-smpp.c:1656
	tvb = (tvbuff_t *) 0x10defcf4
	pinfo = (packet_info *) 0x0
	tree = (proto_tree *) 0x0
	command_id = 0
	command_status = 0
	command_length = 0
#12 0x00a8fd96 in dissector_try_heuristic (sub_dissectors=0x100f1250, 
    tvb=0x10defcf4, pinfo=0x10e05c18, tree=0x10425b48) at packet.c:1449
	status = 0
	saved_proto = 0x947827 "TCP"
	entry = (GSList *) 0x1010e938
	dtbl_entry = (heur_dtbl_entry_t *) 0x10defcf4
	saved_can_desegment = 2
	status = 0
	saved_proto = 0x947827 "TCP"
#13 0x00948b50 in decode_tcp_ports (tvb=0x10defcc0, offset=20, 
    pinfo=0x10e05c18, tree=0x10425b48, src_port=55405, dst_port=8100)
    at packet-tcp.c:2308
	tvb = (tvbuff_t *) 0x0
	offset = 0
	pinfo = (packet_info *) 0x10e05c18
	dst_port = 55405
	next_tvb = (tvbuff_t *) 0x10defcf4
	low_port = 0
	high_port = 55405
#14 0x00948cde in process_tcp_payload (tvb=0x10defcc0, offset=20, 
    pinfo=0x10e05c18, tree=0x10425b48, tcp_tree=0x104259f8, src_port=55405, 
    dst_port=8100, nxtseq=0, is_tcp_segment=0) at packet-tcp.c:2333
	except_sn = {except_down = 0x22d630, except_type = XCEPT_CATCHER, 
  except_info = {except_catcher = 0x22cdc0, except_cleanup = 0x22cdc0}}
	except_ch = {except_id = 0x948c28, except_size = 1, except_obj = {
    except_id = {except_group = 1907106356, except_code = 0}, 
    except_message = 0x103f8400 "t1³", except_dyndata = 0x0}, except_jmp = {
    2280920, 2281424, 2281136, 2281136, 0, 283139096, 2281176, 2280864, 
    9735279, 3670051, 2293760, 12537496, 2281112, 1628311491, 2290256, 
    2280992, 9732433, 2281188, 269763222, 14451, 4017, 283049152, 272169624,

    283049152, 2281080, 11089326, 272169656, 0, 1, 1627983033, 2281104, 0, 
    2281096, 11158956, 272168256, 9, 2281112, 11158956, 281926832,
283140328, 
    2281144, 1627738564, 272168224, 283049152, 2281160, 11089326, 272168256,

    269763144, 1628240464, 4033, 4096, 12537496}}
	exc = (except_t *) 0x0
	catch_spec = {{except_group = 1, except_code = 0}}
#15 0x00947f12 in desegment_tcp (tvb=0x10e05c18, pinfo=0x10425b48, 
    offset=272783864, seq=55405, nxtseq=8100, sport=0, dport=0, tree=0x15a6,

    tcp_tree=0x10defcc0) at packet-tcp.c:1559
	pinfo = (packet_info *) 0x10e05c18
	tcpinfo = (struct tcpinfo *) 0x0
	ipfd_head = (fragment_data *) 0xbf4e98
	old_tsk = {src = 0x22cf38, dst = 0x0, seq = 2283056, sport = 1, 
  dport = 0, start_seq = 2280896, tot_len = 2281176, first_frame = 22525788}
	tsk = (tcp_segment_key *) 0x0
	must_desegment = 4096
	called_dissector = 4033
	deseg_offset = 1628240464
	deseg_seq = 269763144
	nbytes = 0
#16 0x00000014 in ?? ()
No symbol table info available.
#17 0x10e05c18 in ?? ()
No symbol table info available.
#18 0x10425b48 in ?? ()
No symbol table info available.
#19 0x104259f8 in ?? ()
No symbol table info available.
#20 0x0000d86d in ?? ()
No symbol table info available.
#21 0x00001fa4 in ?? ()
No symbol table info available.
(gdb) print *(pinfo->fd)
$1 = {next = 0x0, prev = 0x10ddd938, pfd = 0x0, num = 12789, pkt_len = 183, 
  cap_len = 183, cul_bytes = 5659137, rel_secs = 12263991, rel_usecs =
304677, 
  abs_secs = 1050582763, abs_usecs = 887462, del_secs = 0, del_usecs = 906, 
  file_off = 5982796, lnk_t = 1, flags = {passed_dfilter = 0, encoding = 0, 
    visited = 0, marked = 0, ref_time = 0}, color_filter = 0x0}
(gdb) q