Wireshark-bugs: [Wireshark-bugs] [Bug 10987] New: double-free and use-after-free since "Call pre
Date: Sat, 21 Feb 2015 10:13:42 +0000
Bug ID | 10987 |
---|---|
Summary | double-free and use-after-free since "Call pre_init_prefs each time our profile changes" |
Product | Wireshark |
Version | Git |
Hardware | All |
OS | All |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | TShark |
Assignee | bugzilla-admin@wireshark.org |
Reporter | peter@lekensteyn.nl |
CC | gerald@wireshark.org |

Build Information:
v1.99.3rc0-238-g5012cf8
--
commit 5012cf84e6d84a448171dac64c14d9c83e3d4ae6 ("Call pre_init_prefs each time our profile changes") results in a double-free when exiting tshark and heap-use-after-free errors in wireshark-gtk/wireshark.

tshark

    =================================================================
    ==602==ERROR: AddressSanitizer: attempting double-free on 0x607000069b80 in thread T0:
        #0 0x7f8f0577652f in __interceptor_free (/usr/lib/libasan.so.1+0x5752f)
        #1 0x7f8efaa9375f in colorized_frame_free_cb epan/prefs.c:1965
        #2 0x7f8efaa8a8e8 in free_pref epan/prefs.c:248
        #3 0x7f8ef3ce310c in g_list_foreach (/usr/lib/libglib-2.0.so.0+0x4710c)
        #4 0x7f8efaa8a9b5 in free_module_prefs epan/prefs.c:259
        #5 0x7f8efaa8ba34 in call_foreach_cb epan/prefs.c:605
        #6 0x7f8efabcfd49 in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:643
        #7 0x7f8efabcfecd in wmem_tree_foreach epan/wmem/wmem_tree.c:666
        #8 0x7f8efabcfcef in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:640
        #9 0x7f8efabcfecd in wmem_tree_foreach epan/wmem/wmem_tree.c:666
        #10 0x7f8efabcfcef in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:640
        #11 0x7f8efabcfecd in wmem_tree_foreach epan/wmem/wmem_tree.c:666
        #12 0x7f8efaa8bbdf in prefs_module_list_foreach epan/prefs.c:622
        #13 0x7f8efaa8bd98 in prefs_modules_foreach_submodules epan/prefs.c:671
        #14 0x7f8efaa8ab0b in free_module_prefs epan/prefs.c:265
        #15 0x7f8efaa8ba34 in call_foreach_cb epan/prefs.c:605
        #16 0x7f8efabcfd49 in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:643
        #17 0x7f8efabcfecd in wmem_tree_foreach epan/wmem/wmem_tree.c:666
        #18 0x7f8efabcfcef in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:640
        #19 0x7f8efabcfdfe in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:651
        #20 0x7f8efabcfdfe in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:651
        #21 0x7f8efabcfc2a in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:634
        #22 0x7f8efabcfc2a in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:634
        #23 0x7f8efabcfc2a in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:634
        #24 0x7f8efabcfdfe in wmem_tree_foreach_nodes epan/wmem/wmem_tree.c:651
        #25 0x7f8efabcfecd in wmem_tree_foreach epan/wmem/wmem_tree.c:666
        #26 0x7f8efaa8bbdf in prefs_module_list_foreach epan/prefs.c:622
        #27 0x7f8efaa8bd1a in prefs_modules_foreach epan/prefs.c:654
        #28 0x7f8efaa8ab27 in prefs_cleanup epan/prefs.c:281
        #29 0x7f8efaa3ce07 in epan_cleanup epan/epan.c:132
        #30 0x419894 in main tshark.c:2260
        #31 0x7f8ef2c507ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
        #32 0x40a728 in _start (/tmp/wsbuild/run/tshark+0x40a728)

    0x607000069b80 is located 0 bytes inside of 70-byte region [0x607000069b80,0x607000069bc6)
    freed by thread T0 here:
        #0 0x7f8f0577652f in __interceptor_free (/usr/lib/libasan.so.1+0x5752f)
        #1 0x7f8efaa9693d in pre_init_prefs epan/prefs.c:2913
        #2 0x7f8efaa96603 in init_prefs epan/prefs.c:2842
        #3 0x7f8efaa97d1b in read_prefs epan/prefs.c:3182
        #4 0x416931 in main tshark.c:1276
        #5 0x7f8ef2c507ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

    previously allocated by thread T0 here:
        #0 0x7f8f057767a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
        #1 0x7f8ef3ceccf1 in g_malloc (/usr/lib/libglib-2.0.so.0+0x50cf1)
        #2 0x7f8ef3d05d6f in g_strdup (/usr/lib/libglib-2.0.so.0+0x69d6f)
        #3 0x7f8efaa96903 in pre_init_prefs epan/prefs.c:2912
        #4 0x7f8efaa96603 in init_prefs epan/prefs.c:2842
        #5 0x7f8efaa97d1b in read_prefs epan/prefs.c:3182
        #6 0x416931 in main tshark.c:1276
        #7 0x7f8ef2c507ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

    SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
    ==602==ABORTING

wireshark-gtk

    =================================================================
    ==614==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700010b4b0 at pc 0x7f2ff201da90 bp 0x7fff3f094f20 sp 0x7fff3f094ef0
    READ of size 2 at 0x60700010b4b0 thread T0
        #0 0x7f2ff201da8f in strlen (/usr/lib/libasan.so.1+0x33a8f)
        #1 0x42dc1c in color_filters_add_tmp color_filters.c:100
        #2 0x42f302 in color_filters_init color_filters.c:290
        #3 0x48a587 in main ui/gtk/main.c:3068
        #4 0x7f2fdd2e57ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
        #5 0x4242f8 in _start (/tmp/wsbuild/run/wireshark-gtk+0x4242f8)

    0x60700010b4b0 is located 0 bytes inside of 70-byte region [0x60700010b4b0,0x60700010b4f6)
    freed by thread T0 here:
        #0 0x7f2ff204152f in __interceptor_free (/usr/lib/libasan.so.1+0x5752f)
        #1 0x7f2fe56ab93d in pre_init_prefs epan/prefs.c:2913
        #2 0x7f2fe56ab603 in init_prefs epan/prefs.c:2842
        #3 0x7f2fe56acd1b in read_prefs epan/prefs.c:3182
        #4 0x4874ce in read_configuration_files ui/gtk/main.c:1996
        #5 0x488835 in main ui/gtk/main.c:2533
        #6 0x7f2fdd2e57ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

    previously allocated by thread T0 here:
        #0 0x7f2ff20417a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
        #1 0x7f2ff05b3cf1 in g_malloc (/usr/lib/libglib-2.0.so.0+0x50cf1)
        #2 0x7f2ff05ccd6f in g_strdup (/usr/lib/libglib-2.0.so.0+0x69d6f)
        #3 0x7f2fe56ab903 in pre_init_prefs epan/prefs.c:2912
        #4 0x7f2fe56ab603 in init_prefs epan/prefs.c:2842
        #5 0x7f2fe56acd1b in read_prefs epan/prefs.c:3182
        #6 0x4874ce in read_configuration_files ui/gtk/main.c:1996
        #7 0x488835 in main ui/gtk/main.c:2533
        #8 0x7f2fdd2e57ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

    SUMMARY: AddressSanitizer: heap-use-after-free ??:0 strlen

wireshark (QT)

    =================================================================
    ==692==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070002085c0 at pc 0x7faab4b11a90 bp 0x7fff52053930 sp 0x7fff52053900
    READ of size 2 at 0x6070002085c0 thread T0
        #0 0x7faab4b11a8f in strlen (/usr/lib/libasan.so.1+0x33a8f)
        #1 0x5229c8 in color_filters_add_tmp color_filters.c:100
        #2 0x5240ae in color_filters_init color_filters.c:290
        #3 0x517ebf in main wireshark-qt.cpp:1308
        #4 0x7faaa03b77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
        #5 0x514c18 in _start (/tmp/wsbuild/run/wireshark+0x514c18)

    0x6070002085c0 is located 0 bytes inside of 70-byte region [0x6070002085c0,0x607000208606)
    freed by thread T0 here:
        #0 0x7faab4b3552f in __interceptor_free (/usr/lib/libasan.so.1+0x5752f)
        #1 0x7faaa9b4793d in pre_init_prefs epan/prefs.c:2913
        #2 0x7faaa9b47603 in init_prefs epan/prefs.c:2842
        #3 0x7faaa9b48d1b in read_prefs epan/prefs.c:3182
        #4 0x6d765e in WiresharkApplication::readConfigurationFiles(char**, char**) ui/qt/wireshark_application.cpp:691
        #5 0x5164a4 in main wireshark-qt.cpp:843
        #6 0x7faaa03b77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

    previously allocated by thread T0 here:
        #0 0x7faab4b357a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
        #1 0x7faab4820cf1 in g_malloc (/usr/lib/libglib-2.0.so.0+0x50cf1)
        #2 0x7faab4839d6f in g_strdup (/usr/lib/libglib-2.0.so.0+0x69d6f)
        #3 0x7faaa9b47903 in pre_init_prefs epan/prefs.c:2912
        #4 0x7faaa9b47603 in init_prefs epan/prefs.c:2842
        #5 0x7faaa9b48d1b in read_prefs epan/prefs.c:3182
        #6 0x6d765e in WiresharkApplication::readConfigurationFiles(char**, char**) ui/qt/wireshark_application.cpp:691
        #7 0x5164a4 in main wireshark-qt.cpp:843
        #8 0x7faaa03b77ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

    SUMMARY: AddressSanitizer: heap-use-after-free ??:0 strlen