Ethereal-dev: RE: [Ethereal-dev] Double-free tvb bug in HTTP dissector with gzip decompression
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Biot Olivier <Olivier.Biot@xxxxxxxxxxx>
Date: Fri, 7 May 2004 13:22:32 +0200
|-----Original Message-----
|From: Jerry Talkington
|
|On Thu, May 06, 2004 at 11:51:36PM +0200, Olivier Biot wrote:
|>
|> Hi list,
|>
|> If you open the attached capture with Ethereal, you can freely inspect
|> it and see the dissected decompression. However, if you enter a
|> display filter like "http" which matches the packet, Ethereal will
|> crash in epan_dissect_free() at the very end of having filtered all
|> packets (I tested this with a 9 MB capture). The crash does not happen
|> if you disable the HTTP dissector.
|
|Hmm, I wasn't able to get a crash on my Mac, but I was on my Linux box.
|However, I didn't like the gtk2 interface, so I made distclean, reran
|autogen.sh, configured and ran make, and the crash doesn't happen
|anymore.
|
|I reran autogen.sh, configured with gtk2 again, and the crash still
|doesn't appear. Try rerunning autogen.sh. In the meantime, I'll try
|setting up a build environment on a Windows machine.
I can only say that the bug is still present, even after a thorough
distclean and a complete remake of ethereal on cygwin.
This is what I did:
# Remake the makefiles so make distclean doesn't remake the makefiles individually
$ ./config.status
$ make distclean
# Refresh the checked out tree [status of ~5 hours ago]
$ cvs -z9 update -Pd
$ ./autogen.sh
$ ./configure --with-extra-gcc-checks --enable-gtk2
$ make
3 hours later the compilation terminated on my laptop. I then opened a debug
session with the capture file I previously sent to the list:
$ ./libtool gdb --args ./ethereal -r
/home/be322008/Desktop/Ethereal/BigCap-gzip-not-chunked-response.snoop
*** Warning: inferring the mode of operation is deprecated.
*** Future versions of Libtool will require -mode=MODE be specified.
GNU gdb 2003-09-20-cvs (cygwin-special)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-cygwin"...
(gdb) r
Starting program:
/home/Administrator/Ethereal/cvs/ethereal/.libs/lt-ethereal.exe -r
/home/be322008/Desktop/Ethereal/BigCap-gzip-not-chunked-response.snoop
[Entered "http" as display filter (without quotes) and applied the dfilter]
Program received signal SIGSEGV, Segmentation fault.
tvb_free_chain (tvb=0x1) at tvbuff.c:221
221 for (slist = tvb->used_in; slist != NULL ; slist = slist->next) {
(gdb) bt full
#0 tvb_free_chain (tvb=0x1) at tvbuff.c:221
tvb = (tvbuff_t *) 0x1
slist = (GSList *) 0x1033e118
#1 0x00e5609a in tvb_free_chain (tvb=0x103d1f58) at tvbuff.c:222
tvb = (tvbuff_t *) 0x103d1f58
slist = (GSList *) 0x1033e118
#2 0x00e5609a in tvb_free_chain (tvb=0x1033e180) at tvbuff.c:222
tvb = (tvbuff_t *) 0x1033e180
slist = (GSList *) 0x103d1f40
#3 0x00e5609a in tvb_free_chain (tvb=0x1033e118) at tvbuff.c:222
tvb = (tvbuff_t *) 0x1033e118
slist = (GSList *) 0x10311680
#4 0x00e5609a in tvb_free_chain (tvb=0x1033e0e4) at tvbuff.c:222
tvb = (tvbuff_t *) 0x1033e0e4
slist = (GSList *) 0x103d1f68
#5 0x00e5609a in tvb_free_chain (tvb=0x1033e0b0) at tvbuff.c:222
tvb = (tvbuff_t *) 0x1033e0b0
slist = (GSList *) 0x103d1f60
#6 0x00e5609a in tvb_free_chain (tvb=0x1033e07c) at tvbuff.c:222
tvb = (tvbuff_t *) 0x1033e07c
slist = (GSList *) 0x103d1f50
#7 0x00e5609a in tvb_free_chain (tvb=0x1033e048) at tvbuff.c:222
tvb = (tvbuff_t *) 0x1033e048
slist = (GSList *) 0x103d1f38
#8 0x00e5609a in tvb_free_chain (tvb=0x1033dfe0) at tvbuff.c:222
tvb = (tvbuff_t *) 0x1033dfe0
slist = (GSList *) 0x103d1f48
#9 0x00e461a1 in epan_dissect_free (edt=0x103d3a08) at epan.c:166
edt = (epan_dissect_t *) 0x103d3a08
#10 0x0040c756 in _fu189__num_tap_filters () at file.c:896
fdata = (frame_data *) 0x103d3a08
pseudo_header = (union wtap_pseudo_header *) 0x1
buf = (const guchar *) 0x1 <Address 0x1 out of bounds>
refilter = 0
args = {colorf = 0x1028e958, edt = 0x103d3a08}
row = 0
create_proto_tree = 272448008
edt = (epan_dissect_t *) 0x103d3a08
args = {colorf = 0x1028e958, edt = 0x103d3a08}
#11 0x0040d068 in rescan_packets (cf=0x4b3a08, action=0x4b3a98 "\b",
action_item=0x1 <Address 0x1 out of bounds>, refilter=2285872,
redissect=2285876) at file.c:1215
fdata = (frame_data *) 0x1033eccc
progbar = (progdlg_t *) 0x103d1f38
stop_flag = 15032474
count = 271747760
err = 271835208
err_info = (gchar *) 0x22e05c "|à\""
selected_frame = (frame_data *) 0x10328a70
preceding_frame = (frame_data *) 0x7facef
following_frame = (frame_data *) 0x1033e0b0
prev_frame = (frame_data *) 0xe5609a
selected_row = 2285628
prev_row = 271835260
preceding_row = 272441168
following_row = 3568
selected_frame_seen = 1
row = 1
prog_val = 0
start_time = {tv_sec = 271835260, tv_usec = 271746540}
status_str =
"\030¦~\000°\2122\020H\037=\020àß3\020|à\"\000\232`å\000Hà3\020°\2122\020ç¢\
"\000\b:=\020\b:=\020\b:=\020\214à\"\000¡aä\000àß3\020Ìì3\020Ìà\"\000VÇ@\000
\b:=\020lé(\020`é(\020Ìì3\020¬:L\000ÖY\001\000\b:K"
progbar_nextstep = 271835364
progbar_quantum = 15032474
#12 0x004b3980 in filter_tb ()
No symbol table info available.
#13 0x1033ec88 in ?? ()
No symbol table info available.
(gdb)
I think frame #10 in the backtrace is interesting: take a close look at the
values of pseudo_header and buf. Maybe we're having an HTTP tap issue here?
#10 0x0040c756 in _fu189__num_tap_filters () at file.c:896
fdata = (frame_data *) 0x103d3a08
pseudo_header = (union wtap_pseudo_header *) 0x1
buf = (const guchar *) 0x1 <Address 0x1 out of bounds>
refilter = 0
args = {colorf = 0x1028e958, edt = 0x103d3a08}
row = 0
create_proto_tree = 272448008
edt = (epan_dissect_t *) 0x103d3a08
args = {colorf = 0x1028e958, edt = 0x103d3a08}
Anybody a clue?
Regards,
Olivier
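The backtrace above shows tvb_free_chain() recursing through the used_in list of each tvbuff and finally being called with the garbage pointer tvb=0x1, which is the signature of a chain walking into a tvbuff that was already freed. The following toy model, added here as an example and not Ethereal's tvbuff.c, reproduces that failure shape in a way that can be observed without undefined behaviour: tvbs come from a fixed pool and "freeing" only increments a counter, so a double free shows up as free_count > 1 instead of a crash. The chain layout (a frame tvb, an "http" child, a second chain named "http-tap-copy", and one decompressed tvb registered in both) is a constructed scenario chosen to mirror the report, not a statement about which Ethereal code path registers the tvb twice; the naive and guarded free routines are likewise this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a tvbuff with a "used_in" chain, written for this example.
 * Each tvb records the tvbs derived from it (subsets, composites, decompressed
 * real-data children); freeing a tvb frees that whole chain, as the
 * tvb_free_chain() frames in the backtrace do. */

#define MAX_TVBS 16

typedef struct tvbuff tvbuff_t;

typedef struct used_in_node {
    tvbuff_t *tvb;
    struct used_in_node *next;
} used_in_node_t;

struct tvbuff {
    const char *name;
    used_in_node_t *used_in;   /* children that must be freed with this tvb */
    int free_count;            /* instrumentation: 0 live, 1 freed, >1 double free */
};

/* Fixed pools instead of malloc so a double free is observable, not UB. */
static tvbuff_t pool[MAX_TVBS];
static used_in_node_t nodes[MAX_TVBS];
static int pool_used, nodes_used;

static void reset_pool(void) {
    memset(pool, 0, sizeof pool);
    memset(nodes, 0, sizeof nodes);
    pool_used = nodes_used = 0;
}

static tvbuff_t *tvb_new(const char *name) {
    tvbuff_t *t = &pool[pool_used++];
    t->name = name;
    return t;
}

/* Register child in parent's used_in list (modelled after what creating a
 * subset or child real-data tvb does; simplified here). */
static void tvb_add_to_chain(tvbuff_t *parent, tvbuff_t *child) {
    used_in_node_t *n = &nodes[nodes_used++];
    n->tvb = child;
    n->next = parent->used_in;
    parent->used_in = n;
}

/* Naive chain free: recurse into every child unconditionally. A child that
 * sits in two chains is freed twice; with real heap memory the second visit
 * reads an already-freed struct, whose stale used_in pointer is how a call
 * like tvb_free_chain(tvb=0x1) comes about. Returns free operations done. */
static int tvb_free_chain_naive(tvbuff_t *tvb) {
    int freed = 0;
    for (used_in_node_t *n = tvb->used_in; n != NULL; n = n->next)
        freed += tvb_free_chain_naive(n->tvb);
    tvb->free_count++;
    return freed + 1;
}

/* Guarded variant: a tvb already marked freed is skipped, so each tvb is
 * freed at most once however many chains reference it. Marking before the
 * recursion also makes a cyclic chain terminate. */
static int tvb_free_chain_guarded(tvbuff_t *tvb) {
    if (tvb->free_count > 0)
        return 0;
    tvb->free_count++;
    int freed = 1;
    for (used_in_node_t *n = tvb->used_in; n != NULL; n = n->next)
        freed += tvb_free_chain_guarded(n->tvb);
    return freed;
}

/* Constructed scenario: one decompressed tvb registered in two used_in chains.
 * Frees from the frame tvb and reports how often the shared tvb was freed. */
static int run_scenario(int guarded) {
    reset_pool();
    tvbuff_t *frame = tvb_new("frame");
    tvbuff_t *http  = tvb_new("http");
    tvbuff_t *tap   = tvb_new("http-tap-copy");
    tvbuff_t *gz    = tvb_new("gunzipped-body");
    tvb_add_to_chain(frame, http);
    tvb_add_to_chain(frame, tap);
    tvb_add_to_chain(http, gz);
    tvb_add_to_chain(tap, gz);   /* second registration: the defect being modelled */
    if (guarded)
        tvb_free_chain_guarded(frame);
    else
        tvb_free_chain_naive(frame);
    return gz->free_count;
}

/* Number of tvbs in the pool freed more than once; nonzero means double free. */
static int double_freed_tvbs(void) {
    int count = 0;
    for (int i = 0; i < pool_used; i++)
        if (pool[i].free_count > 1)
            count++;
    return count;
}

int main(void) {
    int naive = run_scenario(0);
    int naive_dbl = double_freed_tvbs();
    int guarded = run_scenario(1);
    int guarded_dbl = double_freed_tvbs();
    printf("naive:   gunzipped tvb freed %d time(s), %d double-freed tvb(s)\n", naive, naive_dbl);
    printf("guarded: gunzipped tvb freed %d time(s), %d double-freed tvb(s)\n", guarded, guarded_dbl);
    return 0;
}
```

The instrumented counter is what a debugging build of the real code lacks: once the struct has genuinely been returned to the allocator, the second tvb_free_chain() visit reads whatever the allocator left behind, which is why the crash appears only after all packets have been filtered and carries a nonsense tvb pointer rather than pointing at the dissector that registered the tvb twice.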