Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 8197] PER dissector crash

Wireshark-bugs: [Wireshark-bugs] [Bug 8197] PER dissector crash

Date: Wed, 16 Jan 2013 03:37:10 +0000

What	Removed	Added
CC		jeff.morriss.ws@gmail.com

Comment # 9 on bug 8197 from Jeff Morriss

I get the crash in Fedora 17.  Valgrind complains thus:

~~~
==1239== Command: /home/morriss/Projects/wireshark/source2/.libs/lt-tshark -Vx
-nr /tmp/fuzz-8197.pcap
==1239== 
==1239== Invalid read of size 1
==1239==    at 0x4104D5: print_hex_data_buffer (print.c:997)
==1239==    by 0x411E48: print_hex_data (print.c:915)
==1239==    by 0x4197B6: print_packet (tshark.c:3589)
==1239==    by 0x41AFAD: process_packet (tshark.c:3198)
==1239==    by 0x40DE9A: main (tshark.c:2978)
==1239==  Address 0x9216800 is 0 bytes inside a block of size 1 free'd
==1239==    at 0x4A07786: free (vg_replace_malloc.c:446)
==1239==    by 0x35ACC4D50E: g_free (in /usr/lib64/libglib-2.0.so.0.3200.4)
==1239==    by 0x613ECDB: emem_free_all (emem.c:1239)
==1239==    by 0x6141828: epan_dissect_run_with_taps (epan.c:218)
==1239==    by 0x41AEAC: process_packet (tshark.c:3181)
==1239==    by 0x40DE9A: main (tshark.c:2978)
==1239== 
==1239== Invalid read of size 8
==1239==    at 0x613F44D: sl_alloc (string3.h:52)
==1239==    by 0x610EF4F: proto_tree_set_representation_value (proto.c:3610)
==1239==    by 0x615FB9D: proto_tree_add_uint_format_value (proto.c:2994)
==1239==    by 0x614243F: expert_add_info_format (expert.c:192)
==1239==    by 0x62451F1: dissect_ber_set (packet-ber.c:2883)
==1239==    by 0x662EED1: dissect_pres (pres.cnf:321)
==1239==    by 0x6149067: call_dissector_through_handle (packet.c:458)
==1239==    by 0x614990C: call_dissector_work (packet.c:549)
==1239==    by 0x614B680: call_dissector_with_data (packet.c:2076)
==1239==    by 0x66DE71A: call_pres_dissector (packet-ses.c:350)
==1239==    by 0x66DF5D2: dissect_spdu (packet-ses.c:993)
==1239==    by 0x66DFE5D: dissect_ses (packet-ses.c:1219)
==1239==  Address 0x61746d2008faccf0 is not stack'd, malloc'd or (recently)
free'd
==1239== 
==1239== 
==1239== Process terminating with default action of signal 11 (SIGSEGV)
==1239==  General Protection Fault
==1239==    at 0x613F44D: sl_alloc (string3.h:52)
==1239==    by 0x610EF4F: proto_tree_set_representation_value (proto.c:3610)
==1239==    by 0x615FB9D: proto_tree_add_uint_format_value (proto.c:2994)
==1239==    by 0x614243F: expert_add_info_format (expert.c:192)
==1239==    by 0x62451F1: dissect_ber_set (packet-ber.c:2883)
==1239==    by 0x662EED1: dissect_pres (pres.cnf:321)
==1239==    by 0x6149067: call_dissector_through_handle (packet.c:458)
==1239==    by 0x614990C: call_dissector_work (packet.c:549)
==1239==    by 0x614B680: call_dissector_with_data (packet.c:2076)
==1239==    by 0x66DE71A: call_pres_dissector (packet-ses.c:350)
==1239==    by 0x66DF5D2: dissect_spdu (packet-ses.c:993)
==1239==    by 0x66DFE5D: dissect_ses (packet-ses.c:1219)
~~~

The first ("invalid read of size 1") is because tvb_new_octet_aligned() is
returning an ep_alloc'd buffer which is then being added as a data source
(add_new_data_source()).  I still need to go back and read about why ep_
allocations started disappearing after dissection is complete but before we're
done displaying what we've dissected.  Anyway, this isn't causing the crash.


After adding debugability to the slab allocator in r47710, Valgrind now says
this is the cause of the crash; I'm now out of time to actually investigate the
problem:

~~~
==5296== Invalid read of size 8
==5296==    at 0x615EA7D: proto_item_append_text (proto.c:4097)
==5296==    by 0x6AB56BF: dissect_p1_MTAName (p1.cnf:691)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x6AB19AF: dissect_p1_ObjectName (p1.cnf:1203)
==5296==    by 0x6244ECE: dissect_ber_set (packet-ber.c:2850)
==5296==    by 0x6AB9421: dissect_MTSBindResult_PDU (p1.cnf:1290)
==5296==    by 0x69253A9: call_ros_oid_callback (packet-ros-template.c:196)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x6925BBF: dissect_ros_ROS (ros.cnf:196)
==5296==    by 0x6925CA7: dissect_ros (packet-ros-template.c:429)
==5296==    by 0x6149097: call_dissector_through_handle (packet.c:458)
==5296==    by 0x614993C: call_dissector_work (packet.c:549)
==5296==    by 0x614A46E: dissector_try_string (packet.c:1228)
==5296==    by 0x6247781: call_ber_oid_callback (packet-ber.c:991)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x68305EF: dissect_acse_T_encoding (acse.cnf:126)
==5296==    by 0x6246391: dissect_ber_sequence (packet-ber.c:2221)
==5296==    by 0x6830AEF: dissect_acse_EXTERNALt_U (acse.cnf:144)
==5296==    by 0x623FA97: dissect_ber_tagged_type (packet-ber.c:585)
==5296==    by 0x683072D: dissect_acse_EXTERNALt (acse.cnf:154)
==5296==    by 0x624372E: dissect_ber_sq_of (packet-ber.c:4186)
==5296==    by 0x6243E4D: dissect_ber_sequence_of (packet-ber.c:4445)
==5296==    by 0x6830B2F: dissect_acse_Association_data (acse.cnf:286)
==5296==    by 0x6246391: dissect_ber_sequence (packet-ber.c:2221)
==5296==    by 0x68309EF: dissect_acse_AARE_apdu_U (acse.cnf:249)
==5296==    by 0x623FADA: dissect_ber_tagged_type (packet-ber.c:560)
==5296==    by 0x6831555: dissect_acse_AARE_apdu (acse.cnf:101)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x6831B90: dissect_acse (acse.cnf:130)
==5296==    by 0x6149097: call_dissector_through_handle (packet.c:458)
==5296==    by 0x614993C: call_dissector_work (packet.c:549)
==5296==    by 0x614A46E: dissector_try_string (packet.c:1228)
==5296==    by 0x6247781: call_ber_oid_callback (packet-ber.c:991)
==5296==    by 0x662F203: dissect_pres_T_single_ASN1_type (pres.cnf:44)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x662E23F: dissect_pres_T_presentation_data_values
(pres.cnf:101)
==5296==    by 0x6246391: dissect_ber_sequence (packet-ber.c:2221)
==5296==    by 0x662DEFF: dissect_pres_PDV_list (pres.cnf:118)
==5296==    by 0x624372E: dissect_ber_sq_of (packet-ber.c:4186)
==5296==    by 0x6243E4D: dissect_ber_sequence_of (packet-ber.c:4445)
==5296==  Address 0x155a6ae0 is 80 bytes inside a block of size 96 free'd
==5296==    at 0x4A07786: free (vg_replace_malloc.c:446)
==5296==    by 0x35ACC4D50E: g_free (in /usr/lib64/libglib-2.0.so.0.3200.4)
==5296==    by 0x35ACC61E5E: g_slice_free1 (in
/usr/lib64/libglib-2.0.so.0.3200.4)
==5296==    by 0x61565E1: proto_tree_free_node (proto.c:593)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x61565AA: proto_tree_free_node (proto.c:590)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x61565AA: proto_tree_free_node (proto.c:590)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x61565AA: proto_tree_free_node (proto.c:590)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x61565AA: proto_tree_free_node (proto.c:590)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x615661A: proto_tree_free (proto.c:605)
==5296==    by 0x61418B3: epan_dissect_cleanup (epan.c:236)
==5296==    by 0x41AF08: process_packet (tshark.c:3236)
==5296==    by 0x40DE9A: main (tshark.c:2978)
~~~

You are receiving this mail because:

You are watching all bug changes.

References:
- [Wireshark-bugs] [Bug 8197] New: PER dissector crash
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 8215] New: Some ERF types are added to the tree in the wrong place
Next by Date: [Wireshark-bugs] [Bug 8211] Version Number in EtherIP dissector
Previous by thread: [Wireshark-bugs] [Bug 8197] PER dissector crash
Next by thread: [Wireshark-bugs] [Bug 8197] PER dissector crash
Index(es):
- Date
- Thread