Wireshark-bugs: [Wireshark-bugs] [Bug 5448] Buildbot crash output: fuzz-2010-11-28-11164.pcap
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5448
--- Comment #2 from Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx> 2010-11-28 19:19:19 MST ---
This crazy code appears to be the cause (starts on line 935 of
packet-icmpv6.c):
/* FIXME: Not use tvb_memcpy... */
memset(&prefix, 0, sizeof(prefix));
tvb_memcpy(tvb, (guint8 *)&prefix, opt_offset, opt_len - 8);
proto_tree_add_ipv6(icmp6opt_tree, hf_icmpv6_opt_prefix, tvb, opt_offset,
                    opt_len - 8, prefix.bytes);
It was introduced on the 21st as SVN revision 34988 for enhancement bug #5496.
The gdb output at this point is below. "prefix" is an e_in6_addr (whose only
element is a "guint8 bytes[16]").
(gdb) frame
#1 0x2899ca4c in dissect_icmpv6ndopt (tvb=0x2bb64950, offset=48,
pinfo=0xbfbfe578, tree=0x2aa0cb70) at packet-icmpv6.c:937
937	    tvb_memcpy(tvb, (guint8 *)&prefix, opt_offset, opt_len - 8);
(gdb) p* tvb
$9 = {type = TVBUFF_SUBSET, initialized = 1, usage_count = 1, ds_tvb =
0x2bb648e0, used_in = 0x0, tvbuffs = {subset = {tvb = 0x2bb64918, offset = 40,
length = 112}, composite = {tvbs = 0x2bb64918, start_offsets = 0x28,
end_offsets = 0x70}}, real_data = 0x2b514436 "\206", length = 112,
reported_length = 112, raw_offset = 54, free_cb = 0}
(gdb) p prefix
No symbol "prefix" in current context.
(gdb) p opt_offset
$10 = 56
(gdb) p opt_len - 8
$12 = 48
(gdb)
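As an added illustration (not Wireshark code, and not the fix that went into the tree), here is the same copy in C with the length checks the quoted lines lack, using a stand-in e_in6_addr and a constructed 112-byte buffer; read_prefix_opt and the check_* helpers are hypothetical names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for Wireshark's e_in6_addr: its only member is guint8 bytes[16]. */
typedef struct { uint8_t bytes[16]; } e_in6_addr;

enum { PREFIX_OK = 0, PREFIX_TOO_SHORT = -1, PREFIX_TOO_LONG = -2, PREFIX_TRUNCATED = -3 };
/* Hypothetical bounded replacement for the copy in the report. As in the gdb
 * session, opt_offset is where the option body starts and opt_len counts the
 * whole option with its 8-byte header, so the body is opt_len - 8 bytes (48 in
 * the crash). The original copied that many bytes into the 16-byte address
 * unconditionally; here an oversized or truncated body is rejected first. */
int read_prefix_opt(const uint8_t *pkt, size_t pkt_len, size_t opt_offset,
                    size_t opt_len, e_in6_addr *prefix)
{
    size_t body_len;
    if (opt_len < 8)
        return PREFIX_TOO_SHORT;                 /* no room for the header */
    body_len = opt_len - 8;
    if (body_len > sizeof prefix->bytes)
        return PREFIX_TOO_LONG;                  /* would overflow prefix */
    if (opt_offset > pkt_len || body_len > pkt_len - opt_offset)
        return PREFIX_TRUNCATED;                 /* would read past the packet */
    memset(prefix, 0, sizeof *prefix);
    memcpy(prefix->bytes, pkt + opt_offset, body_len);
    return PREFIX_OK;
}

/* Constructed 112-byte buffer (the tvb length in the crash), not the fuzzed
 * capture; the option body sits at offset 56 as in the gdb output. */
static uint8_t sample[112];

/* Crash geometry: opt_len 56 gives a 48-byte body for a 16-byte destination. */
int check_oversized_option(void)
{
    e_in6_addr p;
    return read_prefix_opt(sample, sizeof sample, 56, 56, &p);
}

/* Well-formed 24-byte option carrying exactly a 16-byte prefix; 0 on success. */
int check_valid_option(void)
{
    e_in6_addr p;
    memset(sample, 0, sizeof sample);
    sample[56] = 0x20; sample[57] = 0x01;       /* constructed 2001:... prefix */
    if (read_prefix_opt(sample, sizeof sample, 56, 24, &p) != PREFIX_OK)
        return -1;
    return (p.bytes[0] == 0x20 && p.bytes[1] == 0x01 && p.bytes[15] == 0) ? 0 : -1;
}
```

The rejection paths return before the destination is written, which is what makes the oversized 48-byte body from the fuzzed capture harmless here.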