Wireshark-bugs: [Wireshark-bugs] [Bug 1034] New: Segfault when dissecting iSCSI traffic
Date: Mon, 7 Aug 2006 14:11:41 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1034

           Summary: Segfault when dissecting iSCSI traffic
           Product: Wireshark
           Version: 0.99.2
          Platform: PC
               URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=381860
        OS/Version: Linux
            Status: NEW
          Severity: Blocker
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: fpeters@xxxxxxxxxx


Forwarded from Debian BTS,

  Reading a tcpdump-produced traffic dump of iSCSI traffic causes
wireshark to segfault. A debug build gives a readable backtrace, and the
three topmost trace lines are enough to identify what went wrong:

Core was generated by `wireshark iscsi-plain-ext2.dump'.
Program terminated with signal 11, Segmentation fault.
#0  0xb75cc158 in dissect_scsi_payload (tvb=0x8770480, pinfo=0x8722950,
    tree=0x8724de8, isreq=1, itlq=0xb479da90, itl=0x0) at packet-scsi.c:7832
7832        devtype = cdata->itl->cmdset&SCSI_CMDSET_MASK;
(gdb) up
#1  0xb7384521 in dissect_iscsi_pdu (tvb=0x8770618, pinfo=0x8722950,
    tree=0x8724de8, offset=52, opcode=5 '\005',
    opcode_str=0xb7995df7 "SCSI Data Out", data_segment_len=8192,
    iscsi_session=0xb479d970) at packet-iscsi.c:1564
1564            dissect_scsi_payload (data_tvb, pinfo, tree,
(gdb) up
#2  0xb7385d69 in dissect_iscsi (tvb=0x8770618, pinfo=0x8722950,
    tree=0x8724de8, check_port=0) at packet-iscsi.c:2284
2284            dissect_iscsi_pdu(tvb, pinfo, tree, offset, opcode,
opcode_str, data_segment_len, iscsi_session);


  The problem is right here:

#0  0xb75cc158 in dissect_scsi_payload (tvb=0x8770480, pinfo=0x8722950,
    tree=0x8724de8, isreq=1, itlq=0xb479da90, itl=0x0) at packet-scsi.c:7832
                                              ^^^^^^^
7832        devtype = cdata->itl->cmdset&SCSI_CMDSET_MASK;
                             ^^^

  And these are certainly the same thing:
(gdb) p *cdata
$6 = {type = 1, itlq = 0xb479da90, itl = 0x0}


  No wonder it breaks.

  I have attached the dump file in question. This should be reproducible
anywhere. It also seems the bug is unknown at upstream as well; at least
there is no report for it yet.


  System information:
% uname -a
Linux plop 2.6.16.20 #3 PREEMPT Mon Jul 3 08:22:50 EEST 2006 i686
GNU/Linux

% dpkg -s libc6 | grep ^Version
Version: 2.3.6-18


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.