Ethereal-dev: [Ethereal-dev] Bug report: crash in packet-dcerpc-ndr.c


From: Yaniv Kaul <ykaul@xxxxxxxxxxxx>
Date: Sun, 05 Sep 2004 12:22:25 +0300
Latest Ethereal from svn, Win2K, during capture:

The crash happens in packet-dcerpc-ndr.c, at the line marked with the arrow below (line 91), where `di` is dereferenced:
{
   dcerpc_info *di;

   di=pinfo->private_data;
--->    if(di->conformant_run){
     /* just a run to handle conformant arrays, no scalars to dissect */
     return offset;
   }


Full stack trace (innermost frame first):
dissect_ndr_uint32(tvbuff * 0x026a7a34, int 0, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, unsigned char * 0x0012d55c, int -1, unsigned int * 0x0012d1a4) line 91 + 3 bytes dissect_ndr_pointer_cb(tvbuff * 0x026a7a34, int 0, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, unsigned char * 0x0012d55c, int (tvbuff *, int, _packet_info *, _proto_node *, unsigned char *)* 0x007d64f3 dissect_ndr_wchar_cvstring(tvbuff *, int, _packet_info *, _proto_node *, unsigned char *), int 2, char * 0x00c5fcd8, int 2457, ...) line 1677 + 29 bytes samr_dissect_connect3_4_rqst(tvbuff * 0x026a7a34, int 0, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, unsigned char * 0x0012d55c) line 1122 + 53 bytes dcerpc_try_handoff(_packet_info * 0x02f6ba58, _proto_node * 0x00000000, _proto_node * 0x00000000, tvbuff * volatile 0x026a7a34, tvbuff * 0x026a7a34, unsigned char * 0x0012d55c, _dcerpc_info * 0x00d53618, _dcerpc_auth_info * 0x0012d4a0) line 2019 + 21 bytes dissect_dcerpc_cn_stub(tvbuff * 0x026a7964, int 24, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, _proto_node * 0x00000000, _e_dce_cn_common_hdr_t * 0x0012d558, _dcerpc_info * 0x00d53618, _dcerpc_auth_info * 0x0012d4a0, unsigned int 44, unsigned int 2272) line 2664 + 40 bytes dissect_dcerpc_cn_rqst(tvbuff * 0x026a7964, int 24, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, _proto_node * 0x00000000, _e_dce_cn_common_hdr_t * 0x0012d558, int 1) line 3021 + 51 bytes dissect_dcerpc_cn(tvbuff * 0x026a7964, int 16, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, int 1, int * 0x0012d608, int 1) line 3557 + 33 bytes dissect_dcerpc_cn_bs_body(tvbuff * 0x026a7964, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, int 1) line 3654 + 36 bytes dissect_dcerpc_cn_smbpipe(tvbuff * 0x026a7964, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 3697 + 19 bytes dissector_try_heuristic(_GSList * 0x022562d8, tvbuff * 0x026a7964, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 1450 + 17 bytes 
dissect_pipe_dcerpc(tvbuff * 0x026a7964, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, _proto_node * 0x00000000, unsigned int 16386) line 3332 + 22 bytes dissect_pipe_smb(tvbuff * 0x026a79cc, tvbuff * 0x026a7998, tvbuff * 0x026a7a00, tvbuff * 0x00000000, tvbuff * 0x026a7964, const char * 0x00d590ce, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 3693 + 25 bytes dissect_transaction_request(tvbuff * 0x026a7930, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, int 152, _proto_node * 0x00000000) line 11454 + 49 bytes dissect_smb_command(tvbuff * 0x026a7930, _packet_info * 0x02f6ba58, int 32, _proto_node * 0x00000000, unsigned char 37, int 1) line 13899 + 23 bytes dissect_smb(tvbuff * 0x026a7930, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 14983 + 29 bytes dissect_smb_heur(tvbuff * 0x026a7930, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 15032 + 17 bytes dissector_try_heuristic(_GSList * 0x022562c8, tvbuff * 0x026a7930, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 1450 + 17 bytes dissect_netbios_payload(tvbuff * 0x026a7930, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 1082 + 23 bytes dissect_nbss_packet(tvbuff * 0x0266e860, int 4, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, int 1) line 1557 + 17 bytes dissect_nbss(tvbuff * 0x0266e860, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 1741 + 25 bytes call_dissector_through_handle(dissector_handle * 0x0225db80, tvbuff * 0x0266e860, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 365 + 18 bytes call_dissector_work(dissector_handle * 0x0225db80, tvbuff * 0x0266e860, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 515 + 21 bytes dissector_try_port(dissector_table * 0x0224d280, unsigned int 445, tvbuff * 0x0266e860, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 778 + 21 bytes decode_tcp_ports(tvbuff * 0x0266e82c, int 20, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, int 1098, int 445) line 2402 + 
34 bytes process_tcp_payload(tvbuff * 0x0266e82c, volatile int 20, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, _proto_node * 0x00000000, int 1098, int 445, unsigned int 0, unsigned int 0, int 0) line 2450 + 35 bytes desegment_tcp(tvbuff * 0x0266e82c, _packet_info * 0x02f6ba58, int 20, unsigned int 4300, unsigned int 4456, unsigned int 1098, unsigned int 445, _proto_node * 0x00000000, _proto_node * 0x00000000) line 1644 + 39 bytes dissect_tcp_payload(tvbuff * 0x0266e82c, _packet_info * 0x02f6ba58, int 20, unsigned int 4300, unsigned int 4456, unsigned int 1098, unsigned int 445, _proto_node * 0x00000000, _proto_node * 0x00000000) line 2521 + 41 bytes dissect_tcp(tvbuff * 0x0266e82c, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 2953 + 69 bytes call_dissector_through_handle(dissector_handle * 0x0226bff0, tvbuff * 0x0266e82c, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 365 + 18 bytes call_dissector_work(dissector_handle * 0x0226bff0, tvbuff * 0x0266e82c, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 515 + 21 bytes dissector_try_port(dissector_table * 0x021e8f70, unsigned int 6, tvbuff * 0x0266e82c, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 778 + 21 bytes dissect_ip(tvbuff * 0x0266e7f8, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 1098 + 33 bytes call_dissector_through_handle(dissector_handle * 0x021e90c8, tvbuff * 0x0266e7f8, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 365 + 18 bytes call_dissector_work(dissector_handle * 0x021e90c8, tvbuff * 0x0266e7f8, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 515 + 21 bytes dissector_try_port(dissector_table * 0x021cf550, unsigned int 2048, tvbuff * 0x0266e7f8, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 778 + 21 bytes ethertype(unsigned short 2048, tvbuff * 0x0266e7c4, int 14, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, _proto_node * 0x00000000, int 3621, int 3623, int -1) line 180 + 34 bytes 
dissect_eth_common(tvbuff * 0x0266e7c4, _packet_info * 0x02f6ba58, _proto_node * 0x00000000, int -1) line 293 + 48 bytes dissect_eth_maybefcs(tvbuff * 0x0266e7c4, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 387 + 26 bytes call_dissector_through_handle(dissector_handle * 0x02259ff8, tvbuff * 0x0266e7c4, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 365 + 18 bytes call_dissector_work(dissector_handle * 0x02259ff8, tvbuff * 0x0266e7c4, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 515 + 21 bytes dissector_try_port(dissector_table * 0x021cc6b8, unsigned int 1, tvbuff * 0x0266e7c4, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 778 + 21 bytes dissect_frame(tvbuff * 0x0266e7c4, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 185 + 34 bytes call_dissector_through_handle(dissector_handle * 0x021dcb08, tvbuff * 0x0266e7c4, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 365 + 18 bytes call_dissector_work(dissector_handle * 0x021dcb08, tvbuff * 0x0266e7c4, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 515 + 21 bytes call_dissector(dissector_handle * 0x021dcb08, tvbuff * 0x0266e7c4, _packet_info * 0x02f6ba58, _proto_node * 0x00000000) line 1616 + 21 bytes dissect_packet(_epan_dissect_t * 0x02f6ba50, wtap_pseudo_header * 0x026db7c4, const unsigned char * 0x02696128, _frame_data * 0x0308661c, _column_info * 0x004db88c) line 313 + 32 bytes epan_dissect_run(_epan_dissect_t * 0x02f6ba50, void * 0x026db7c4, const unsigned char * 0x02696128, _frame_data * 0x0308661c, _column_info * 0x004db88c) line 153 + 25 bytes add_packet_to_packet_list(_frame_data * 0x0308661c, _capture_file * 0x004cb760, wtap_pseudo_header * 0x026db7c4, const unsigned char * 0x02696128, int 1) line 810 + 30 bytes
read_packet(_capture_file * 0x004cb760, long 360667) line 956 + 23 bytes
cf_continue_tail(_capture_file * 0x004cb760, int 218, int * 0x0012f9fc) line 572 + 13 bytes
sync_pipe_input_cb(int 5, void * 0x004cb760) line 772 + 17 bytes
pipe_timer_cb(void * 0x004c3490 pipe_input) line 643 + 19 bytes
LIBGLIB-2.0-0! 00249853()
LIBGLIB-2.0-0! 00247678()
LIBGLIB-2.0-0! 002482d1()
LIBGLIB-2.0-0! 002485d2()
LIBGLIB-2.0-0! 00248c47()
LIBGTK-WIN32-2.0-0! 00f3db6d()
main(int 0, char * * 0x012f4764) line 2548
WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00000000, char * 0x00134f66, int 1) line 2588 + 23 bytes