Wireshark-bugs: [Wireshark-bugs] [Bug 5855] SVN revision 36849 crashing in packet_range_init fun
Date: Tue, 26 Apr 2011 08:34:30 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5855

Bill Meier <wmeier@xxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Buildbot crash output:      |SVN revision 36849 crashing
                   |fuzz-2011-04-25-27744.pcap  |in packet_range_init
                   |                            |function; [Was: Buildbot
                   |                            |crash ...]

--- Comment #4 from Bill Meier <wmeier@xxxxxxxxxxx> 2011-04-26 11:34:28 EDT ---
This crash appears to be the same crash as described by Pascal Quantin on the
dev mailing list: 

http://www.wireshark.org/lists/wireshark-dev/201104/msg00289.html

I've copied the contents of his e-mail below.

=====================================================================
Subject: [Wireshark-dev] SVN revision 36849 crashing in packet_range_init
function

Hi,

With revision 36849, when I call tshark to decode in verbose mode a pcap
file containing a single packet, I get the following backtrace:

tshark -r temp.pcap -V

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb571c8e0 (LWP 11951)]
packet_range_init (range=0xbfd9f550) at packet-range.c:88
88          if (packet->flags.passed_dfilter) {
(gdb) bt
#0  packet_range_init (range=0xbfd9f550) at packet-range.c:88
#1  0x0806bac6 in print_packet (cf=0x80a5d40, edt=0xbfd9f5f8) at
tshark.c:3239
#2  0x0806c395 in process_packet (cf=0x80a5d40, offset=<value optimized
out>, whdr=0x9125f40, pseudo_header=0x9125f54, pd=0x912b730
"h\022\230\b��\001\203��s?E��+\230!Ll�",
    filtering_tap_listeners=0, tap_flags=<value optimized out>) at
tshark.c:2905
#3  0x0806f4ea in main (argc=4, argv=0xbfd9fc84) at tshark.c:2705

When launching tshark without the verbose flag, the crash is not seen.

When looking at the revision log, I can see that the code was changed from:

for(packet = cfile.plist_start; packet != NULL; packet = packet->next) {

to

for(framenum = 1; framenum <= cfile.count; framenum++) {
   packet = cap_file_find_fdata(&cfile, framenum);

In my use case, packet is set to NULL, leading to the segmentation fault.

When looking at tshark.c source code, I can see that process_packet() does
not call cap_file_add_fdata() while process_packet_first_pass() does. As a
consequence the cf->ptree_root pointer is not allocated and the call to
cap_file_find_fdata() will provide an uninitialized address.

The following patch solves my crash:

Index: tshark.c
===================================================================
--- tshark.c    (revision 36849)
+++ tshark.c    (working copy)
@@ -2830,9 +2830,6 @@
   epan_dissect_t edt;
   gboolean passed;

-  /* Count this packet. */
-  cf->count++;
-
   /* If we're not running a display filter and we're not printing any
      packet information, we don't need to do a dissection. This means
      that all packets can be marked as 'passed'. */
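Review bot: dropping `cf->count++` here means the single-pass path no longer counts packets that do not pass the display filter, because the only replacement (the `cap_file_add_fdata(cf, &fdata)` added below) sits inside `if (passed)`; if cap_file_add_fdata() is what increments `cf->count` (which is presumably why the explicit increment is removed), then `cf->count` becomes "packets displayed" rather than "packets read", and any later loop of the form `for (framenum = 1; framenum <= cf->count; framenum++)` will silently skip the filtered-out frames instead of crashing on them. Either keep the increment for every packet and register the frame unconditionally, or document that `count` now only covers passed frames.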
@@ -2896,6 +2893,7 @@

   if (passed) {
     frame_data_set_after_dissect(&fdata, &cum_bytes, &prev_dis_ts);
+    cap_file_add_fdata(cf, &fdata);

     /* Process this packet. */
     if (print_packet_info) {
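Review bot: `cap_file_add_fdata(cf, &fdata)` hands the capture file the address of `fdata`, a local of process_packet() (the surrounding context passes `&fdata` to frame_data_set_after_dissect() in the same way). If cap_file_add_fdata() stores that pointer rather than copying the structure, which it must for a later cap_file_find_fdata() to return it, the stored pointer dangles as soon as process_packet() returns, so the segfault would merely move from packet_range_init() to whichever later lookup touches the freed stack slot. The one-pass path should allocate the frame_data the same way the first-pass path does (or copy it inside cap_file_add_fdata()) before this hunk is safe.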

But I'm not sure this is the right way to fix this. Can someone comment?

Thanks,
Pascal.
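
The failure mode described in the mail (a frame-number lookup that returns NULL because the packet was counted but never registered, and a loop that dereferences the result) can be reproduced in a few lines. The following is an added example written for this page, not Wireshark's code: frame_data, capture_file, cap_add_fdata() and cap_find_fdata() are simplified stand-ins for the real structures and for cap_file_add_fdata()/cap_file_find_fdata(), and count_displayed() plays the role of the packet_range_init() loop but checks the lookup result instead of dereferencing it blindly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for Wireshark's frame_data: only the field the crash
 * dereferenced (flags.passed_dfilter) plus a frame number. */
typedef struct frame_data {
    uint32_t num;
    struct { unsigned passed_dfilter : 1; } flags;
} frame_data;

/* Hypothetical stand-in for the capture file: a count of packets processed and
 * a table of frames that were actually registered. Index 0 is unused so that
 * frame numbers (1-based, as in tshark) map directly onto the table. */
#define MAX_FRAMES 16
typedef struct capture_file {
    uint32_t    count;                  /* incremented for every packet processed */
    frame_data *frames[MAX_FRAMES + 1]; /* NULL for any frame never added */
} capture_file;

/* Role of cap_file_add_fdata(): make a frame findable by number. */
void cap_add_fdata(capture_file *cf, frame_data *fd) {
    if (fd->num >= 1 && fd->num <= MAX_FRAMES)
        cf->frames[fd->num] = fd;
}

/* Role of cap_file_find_fdata(): NULL when the frame was never added. */
frame_data *cap_find_fdata(const capture_file *cf, uint32_t framenum) {
    if (framenum < 1 || framenum > MAX_FRAMES)
        return NULL;
    return cf->frames[framenum];
}

/* Iterates by frame number exactly as the post-36849 loop does, but treats a
 * NULL lookup as "count got ahead of the frame table" instead of a valid
 * packet. Returns 0 on success, -1 if any frame in 1..count was missing. */
int count_displayed(const capture_file *cf, uint32_t *displayed) {
    uint32_t framenum, n = 0;
    int missing = 0;
    for (framenum = 1; framenum <= cf->count; framenum++) {
        frame_data *packet = cap_find_fdata(cf, framenum);
        if (packet == NULL) {           /* this is where revision 36849 crashes */
            missing = 1;
            continue;
        }
        if (packet->flags.passed_dfilter)
            n++;
    }
    *displayed = n;
    return missing ? -1 : 0;
}

/* Simulates the two code paths from the mail: count++ without add_fdata (the
 * single-pass tshark path that crashed) versus count++ followed by add_fdata.
 * Returns the displayed-packet count, or -1 when a counted frame was missing. */
int displayed_after(int register_frame) {
    static frame_data fd;               /* static so the table never holds a dangling pointer */
    capture_file cf = {0};
    uint32_t displayed = 0;
    fd.num = 1;
    fd.flags.passed_dfilter = 1;
    cf.count++;                         /* "Count this packet." */
    if (register_frame)
        cap_add_fdata(&cf, &fd);
    if (count_displayed(&cf, &displayed) != 0)
        return -1;
    return (int)displayed;
}

int main(void) {
    printf("count++ without add_fdata: %d\n", displayed_after(0));
    printf("count++ with add_fdata:    %d\n", displayed_after(1));
    return 0;
}
```

The point of keeping the frame static in displayed_after() is the one a reviewer would raise about the patch itself: whatever registers the frame must hand the table a pointer that outlives the function doing the registering.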
