Ethereal-dev: Re: [Ethereal-dev] Bug 72 (huge fragmentation offset)
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Gerald Combs <gerald@xxxxxxxxxxxx>
Date: Tue, 19 Apr 2005 09:28:19 -0500
Peter Johansson wrote:
> Please consider my already applied patch for reassemble.c which can be
> seen in http://www.ethereal.com/lists/ethereal-dev/200504/msg00300.html
> This fixes a segv problem and informs the user of the incorrectly
> decoded frame number.

Checked in. It doesn't fix the capture that triggered bug 72 (on my system, at least). Gdb says:

#0 0x40e4f6bc in memcpy () from /lib/libc.so.6
#1 0x401eeb8c in fragment_add_work (fd_head=0x81ffcf0, tvb=0x18, offset=136311224, pinfo=0x2fd0001, frag_offset=136403704, frag_data_len=97024656, more_frags=8) at reassemble.c:730
#2 0x401eed76 in fragment_add_common (tvb=0x2580000, offset=39321600, pinfo=0x81ff1b8, id=39321600, fragment_table=0x81e9688, frag_offset=39321600, frag_data_len=39321600, more_frags=39321600, check_already_added=1) at reassemble.c:839
#3 0x401eeec8 in fragment_add (tvb=0x2580000, offset=39321600, pinfo=0x2580000, id=39321600, fragment_table=0x2580000, frag_offset=39321600, frag_data_len=39321600, more_frags=39321600) at reassemble.c:858
#4 0x403ad78f in dissect_fc (tvb=0x81ffcf0, pinfo=0x81ff1b8, tree=0x81ff410) at packet-fc.c:1218
#5 0x401de974 in call_dissector_through_handle (handle=0x81ff1fc, tvb=0x81ffcf0, pinfo=0x8, tree=0x81ff410) at packet.c:384
#6 0x401deda5 in call_dissector_work (handle=0x80cc558, tvb=0x81ffcf0, pinfo_arg=0x2580000, tree=0x81ff410) at packet.c:559
#7 0x401e056a in call_dissector (handle=0x2580000, tvb=0x81ffcf0, pinfo=0x81ff1b8, tree=0x81ff410) at packet.c:1700
#8 0x4051a71c in dissect_mdshdr (tvb=0x81ffcbc, pinfo=0x81ff1b8, tree=0x81ff410) at packet-mdshdr.c:273

Valgrind says:

==17250== Memcheck, a memory error detector for x86-linux.
==17250== Copyright (C) 2002-2004, and GNU GPL'd, by Julian Seward et al.
==17250== Using valgrind-2.2.0, a program supervision framework for x86-linux.
==17250== Copyright (C) 2000-2004, and GNU GPL'd, by Julian Seward et al.
==17250== For more details, rerun with: -v
==17250==
==17250== Use of uninitialised value of size 4
==17250==    at 0x1C721B3D: _itoa_word (in /lib/libc-2.3.2.so)
==17250==    by 0x1C71F169: _IO_vfprintf_internal (in /lib/libc-2.3.2.so)
==17250==    by 0x1C73FCC3: _IO_vsnprintf (in /lib/libc-2.3.2.so)
==17250==    by 0x1C7277C3: snprintf (in /lib/libc-2.3.2.so)
==17250==
==17250== Conditional jump or move depends on uninitialised value(s)
==17250==    at 0x1C721B45: _itoa_word (in /lib/libc-2.3.2.so)
==17250==    by 0x1C71F169: _IO_vfprintf_internal (in /lib/libc-2.3.2.so)
==17250==    by 0x1C73FCC3: _IO_vsnprintf (in /lib/libc-2.3.2.so)
==17250==    by 0x1C7277C3: snprintf (in /lib/libc-2.3.2.so)
==17250==
==17250== Conditional jump or move depends on uninitialised value(s)
==17250==    at 0x1C71EB43: _IO_vfprintf_internal (in /lib/libc-2.3.2.so)
==17250==    by 0x1C73FCC3: _IO_vsnprintf (in /lib/libc-2.3.2.so)
==17250==    by 0x1C7277C3: snprintf (in /lib/libc-2.3.2.so)
==17250==    by 0x1BADE168: fill_label_uint (proto.c:3264)
==17250==
==17250== Conditional jump or move depends on uninitialised value(s)
==17250==    at 0x1C71EBA1: _IO_vfprintf_internal (in /lib/libc-2.3.2.so)
==17250==    by 0x1C73FCC3: _IO_vsnprintf (in /lib/libc-2.3.2.so)
==17250==    by 0x1C7277C3: snprintf (in /lib/libc-2.3.2.so)
==17250==    by 0x1BADE168: fill_label_uint (proto.c:3264)
==17250==
==17250== Conditional jump or move depends on uninitialised value(s)
==17250==    at 0x1C71EC23: _IO_vfprintf_internal (in /lib/libc-2.3.2.so)
==17250==    by 0x1C73FCC3: _IO_vsnprintf (in /lib/libc-2.3.2.so)
==17250==    by 0x1C7277C3: snprintf (in /lib/libc-2.3.2.so)
==17250==    by 0x1BADE168: fill_label_uint (proto.c:3264)
==17250==
==17250== Invalid write of size 1
==17250==    at 0x1B9015A7: memcpy (mac_replace_strmem.c:285)
==17250==    by 0x1BAE0B8B: fragment_add_work (reassemble.c:730)
==17250==    by 0x1BAE0D75: fragment_add_common (reassemble.c:839)
==17250==    by 0x1BAE0EC7: fragment_add (reassemble.c:858)
==17250==  Address 0x1F55B9F7 is not stack'd, malloc'd or (recently) free'd
==17250==
==17250== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==17250==  Access not within mapped region at address 0x1F55B9F7
==17250==    at 0x1B9015A7: memcpy (mac_replace_strmem.c:285)
==17250==    by 0x1BAE0B8B: fragment_add_work (reassemble.c:730)
==17250==    by 0x1BAE0D75: fragment_add_common (reassemble.c:839)
==17250==    by 0x1BAE0EC7: fragment_add (reassemble.c:858)
==17250==
==17250== ERROR SUMMARY: 176 errors from 6 contexts (suppressed: 141 from 1)
==17250== malloc/free: in use at exit: 1513013 bytes in 12009 blocks.
==17250== malloc/free: 29767 allocs, 17758 frees, 3403153 bytes allocated.
==17250== For a detailed leak analysis, rerun with: --leak-check=yes
==17250== For counts of detected errors, rerun with: -v
Segmentation fault

> Index: I:/ethereal-win32-libs/epan/reassemble.c
> ===================================================================
> --- I:/ethereal-win32-libs/epan/reassemble.c (revision 14082)
> +++ I:/ethereal-win32-libs/epan/reassemble.c (working copy)
> @@ -726,12 +726,20 @@
> /* dfpos is always >= than fd_i->offset */
> /* No gaps can exist here, max_loop(above) does this */
> if( fd_i->offset+fd_i->len > dfpos )
> - memcpy(fd_head->data+dfpos, fd_i->data+(dfpos-fd_i->offset),
> - fd_i->len-(dfpos-fd_i->offset));
> - if( fd_i->flags & FD_NOT_MALLOCED )
> - fd_i->flags ^= FD_NOT_MALLOCED;
> - else
> - g_free(fd_i->data);
> + {
> + if( !(fd_i->flags & FD_NOT_MALLOCED) )
> + {
> + memcpy(fd_head->data+dfpos, fd_i->data+(dfpos-fd_i->offset),
> + fd_i->len-(dfpos-fd_i->offset));
> + g_free(fd_i->data);
> + }
> + else
> + {
> + g_warning("Reassemble error in frame %d", pinfo->fd->num);
> + fd_i->flags ^= FD_NOT_MALLOCED;
> + }
> + }
> +
> fd_i->data=NULL;
>
> dfpos=MAX(dfpos,(fd_i->offset+fd_i->len));
>
> / Peter
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
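Review bot: the new guard tests FD_NOT_MALLOCED, which records who owns fd_i->data, not whether the copy fits, so the memcpy inside the `if( !(fd_i->flags & FD_NOT_MALLOCED) )` branch is still unbounded: neither `dfpos` nor `fd_i->len-(dfpos-fd_i->offset)` is compared against the size allocated for fd_head->data, and that comparison is exactly what a fragment with a huge frag_offset (frag_offset=136403704 in gdb frame #1 above) needs before any byte is written; such a fragment should be rejected where its offset is first validated rather than warned about here. Second, wrapping the ownership handling in the `if( fd_i->offset+fd_i->len > dfpos )` braces changes behaviour for a fragment lying entirely below dfpos: the removed lines freed it (or cleared the flag) unconditionally, the added lines skip both and then reach `fd_i->data=NULL;`, so a malloced buffer is leaked; keep the free/flag-clear outside that condition. Minor: pinfo->fd->num is an unsigned frame number, so the g_warning format should be `%u`, not `%d`.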
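The crash reported above is an unbounded memcpy during fragment reassembly: a fragment offset far beyond the reassembled buffer is used as a destination index. As an added example, not code from Ethereal or from anyone in this thread, here is a minimal C reassembly buffer whose insert routine performs the two checks a practitioner wants before such a copy, rejection of 32-bit wrap-around in offset + length and a bound of that sum against the allocated size, exercised with constructed fragments and with the frag_offset/frag_data_len pair from gdb frame #1 above. The reasm_* names, the error codes and the sample data are all invented for this example.

```c
/* Added example (not Ethereal's code): a minimal fragment reassembly buffer
 * whose insert routine checks that a fragment fits before memcpy().  All
 * names and the sample fragments below are invented for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t  *data;     /* reassembled payload, tot_len bytes */
    uint32_t  tot_len;  /* allocated size of data */
    uint32_t  copied;   /* bytes copied so far (fragments assumed disjoint) */
} reasm_t;

enum {
    REASM_OK           =  0,
    REASM_ERR_ALLOC    = -1,
    REASM_ERR_OVERFLOW = -2,  /* offset + len wraps in 32 bits */
    REASM_ERR_OOB      = -3   /* fragment ends past the reassembled buffer */
};

/* Allocate a zeroed reassembly buffer of tot_len bytes. */
int reasm_init(reasm_t *r, uint32_t tot_len)
{
    r->data = calloc(tot_len ? tot_len : 1, 1);
    if (r->data == NULL)
        return REASM_ERR_ALLOC;
    r->tot_len = tot_len;
    r->copied = 0;
    return REASM_OK;
}

void reasm_free(reasm_t *r)
{
    free(r->data);
    r->data = NULL;
    r->tot_len = r->copied = 0;
}

/* Copy one fragment into the buffer.  The wrap-around test comes first:
 * 0xFFFFFFF0 + 0x20 wraps to 0x10 and would otherwise pass the "fits" test.
 * frag is read only after both checks pass, so a header that claims a
 * length the packet does not have never causes an out-of-bounds read. */
int reasm_add(reasm_t *r, uint32_t frag_offset, const uint8_t *frag,
              uint32_t frag_len)
{
    if (frag_len > UINT32_MAX - frag_offset)
        return REASM_ERR_OVERFLOW;
    if (frag_offset + frag_len > r->tot_len)
        return REASM_ERR_OOB;
    memcpy(r->data + frag_offset, frag, frag_len);
    r->copied += frag_len;
    return REASM_OK;
}

/* Two well-formed fragments (constructed) reassemble to "Hello, world". */
int demo_two_fragments(void)
{
    static const uint8_t f1[] = "Hello, ", f2[] = "world";
    reasm_t r;
    int ok;

    if (reasm_init(&r, 12) != REASM_OK)
        return 0;
    ok = reasm_add(&r, 0, f1, 7) == REASM_OK
      && reasm_add(&r, 7, f2, 5) == REASM_OK
      && r.copied == r.tot_len
      && memcmp(r.data, "Hello, world", 12) == 0;
    reasm_free(&r);
    return ok;
}

/* Try one hostile offset/length pair against a 1500-byte buffer.  A 16-byte
 * stub stands in for the fragment body; it is never read, because the
 * checks fail first. */
static int demo_reject(uint32_t frag_offset, uint32_t frag_len)
{
    static const uint8_t stub[16] = {0};
    reasm_t r;
    int rc;

    if (reasm_init(&r, 1500) != REASM_OK)
        return REASM_ERR_ALLOC;
    rc = reasm_add(&r, frag_offset, stub, frag_len);
    reasm_free(&r);
    return rc;
}

/* The frag_offset/frag_data_len pair from gdb frame #1 in the message above. */
int demo_huge_offset(void) { return demo_reject(136403704u, 97024656u); }
/* An offset chosen so that offset + len wraps to a small value. */
int demo_wraparound(void)  { return demo_reject(0xFFFFFFF0u, 0x20u); }

int main(void)
{
    printf("two fragments: %s\n", demo_two_fragments() ? "ok" : "FAIL");
    printf("huge offset:   rc=%d\n", demo_huge_offset());
    printf("wrap-around:   rc=%d\n", demo_wraparound());
    return 0;
}
```

In a dissector the equivalent check belongs where the fragment offset is first taken from the packet, before any buffer is grown or written, and a failing fragment should be dropped and the frame flagged as malformed rather than merely logged, since a warning does nothing to stop the copy.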
- Follow-Ups:
- Re: [Ethereal-dev] Bug 72 (huge fragmentation offset)
- From: Peter Johansson
- Re: [Ethereal-dev] Bug 72 (huge fragmentation offset)
- From: Peter Johansson
- Re: [Ethereal-dev] Bug 72 (huge fragmentation offset)
- References:
- [Ethereal-dev] Bug 72 (huge fragmentation offset)
- From: Gerald Combs
- Re: [Ethereal-dev] Bug 72 (huge fragmentation offset)
- From: Peter Johansson
- [Ethereal-dev] Bug 72 (huge fragmentation offset)