Wireshark-bugs: [Wireshark-bugs] [Bug 8740] Bluetooth: Improve HFP dissection
Date: Mon, 03 Jun 2013 12:30:48 +0000

changed bug 8740

What                           Removed               Added
CC                                                   eapache@gmail.com
Attachment #10877 is obsolete                        1
Attachment #10877 Flags        review_for_checkin?
Attachment #10913 Flags                              review_for_checkin?

Comment # 3 on bug 8740 from
Created attachment 10913 [details]
[PATCH 1] Bluetooth: Improve HFP dissection

Changelog:
1. Fix valgrind crash/issues.
2. Partially implemented TODO point 1.

Comment # 2 on bug 8740 from
(In reply to comment #0)
> By the way:
> It seems that there is WMEM bug. When I try to switch
> "Force treat packets as AG or HS role" to "Sent is AG, Rcvd is HS" there is
> crash in wmem_alloc... Could anyone see that?

I took a quick look, it's not a wmem bug (though that is where it's crashing).
Valgrind says that you're writing to memory you don't own. It looks like that
happens to be where wmem is storing some internal data, so the next time you
try and use it, it blows up.

The valgrind errors I got:
==13949== Invalid write of size 2
==13949==    at 0x4C2E8E3: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13949==    by 0x6528F74: dissect_bthfp (string3.h:51)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x652D108: dissect_b_frame.constprop.12 (packet-btl2cap.c:1331)
==13949==  Address 0xf9991fc is 12 bytes inside a block of size 13 alloc'd
==13949==    at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13949==    by 0x93D3CF0: g_malloc (gmem.c:159)
==13949==    by 0x6E66718: wmem_simple_alloc (wmem_allocator_simple.c:51)
==13949==    by 0x6528C08: dissect_bthfp (packet-bthfp.c:1253)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949== 
==13949== Invalid write of size 1
==13949==    at 0x4C2EA43: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13949==    by 0x6528F74: dissect_bthfp (string3.h:51)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x652D108: dissect_b_frame.constprop.12 (packet-btl2cap.c:1331)
==13949==  Address 0xf999896 is 3 bytes after a block of size 19 alloc'd
==13949==    at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13949==    by 0x93D3CF0: g_malloc (gmem.c:159)
==13949==    by 0x6E66718: wmem_simple_alloc (wmem_allocator_simple.c:51)
==13949==    by 0x6528C08: dissect_bthfp (packet-bthfp.c:1253)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949== 
==13949== Invalid read of size 1
==13949==    at 0x4C2EA40: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13949==    by 0x6528F55: dissect_bthfp (string3.h:51)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x652D108: dissect_b_frame.constprop.12 (packet-btl2cap.c:1331)
==13949==  Address 0x12b5b56d is 0 bytes after a block of size 13 alloc'd
==13949==    at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13949==    by 0x93D3CF0: g_malloc (gmem.c:159)
==13949==    by 0x6E66718: wmem_simple_alloc (wmem_allocator_simple.c:51)
==13949==    by 0x652891E: dissect_bthfp (packet-bthfp.c:1126)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949== 
==13949== Conditional jump or move depends on uninitialised value(s)
==13949==    at 0x65277D1: dissect_at_command (packet-bthfp.c:707)
==13949==    by 0x6528F06: dissect_bthfp (packet-bthfp.c:1293)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x652D108: dissect_b_frame.constprop.12 (packet-btl2cap.c:1331)
==13949== 
==13949== Use of uninitialised value of size 8
==13949==    at 0x65277FA: dissect_at_command (packet-bthfp.c:708)
==13949==    by 0x6528F06: dissect_bthfp (packet-bthfp.c:1293)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x652D108: dissect_b_frame.constprop.12 (packet-btl2cap.c:1331)
==13949== 
==13949== Use of uninitialised value of size 8
==13949==    at 0x6527804: dissect_at_command (packet-bthfp.c:709)
==13949==    by 0x6528F06: dissect_bthfp (packet-bthfp.c:1293)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x652D108: dissect_b_frame.constprop.12 (packet-btl2cap.c:1331)
==13949== 
==13949== Conditional jump or move depends on uninitialised value(s)
==13949==    at 0x652782E: dissect_at_command (packet-bthfp.c:707)
==13949==    by 0x6528F06: dissect_bthfp (packet-bthfp.c:1293)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x652D108: dissect_b_frame.constprop.12 (packet-btl2cap.c:1331)
==13949== 
==13949== Conditional jump or move depends on uninitialised value(s)
==13949==    at 0xA041040: vfprintf (vfprintf.c:1655)
==13949==    by 0xA103BFF: __vsnprintf_chk (vsnprintf_chk.c:63)
==13949==    by 0x63CE204: col_append_fstr (column-utils.c:335)
==13949==    by 0x65278C8: dissect_at_command (packet-bthfp.c:718)
==13949==    by 0x6528F06: dissect_bthfp (packet-bthfp.c:1293)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949== 
==13949== Conditional jump or move depends on uninitialised value(s)
==13949==    at 0x93EC581: g_strstr_len (gstrfuncs.c:2612)
==13949==    by 0x6527E9F: dissect_at_command (packet-bthfp.c:725)
==13949==    by 0x6528F06: dissect_bthfp (packet-bthfp.c:1293)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949== 
==13949== Invalid write of size 1
==13949==    at 0x4C2EA1A: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13949==    by 0x6528F74: dissect_bthfp (string3.h:51)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x652D108: dissect_b_frame.constprop.12 (packet-btl2cap.c:1331)
==13949==  Address 0x12b5d0f4 is not stack'd, malloc'd or (recently) free'd
==13949== 
==13949== Invalid read of size 1
==13949==    at 0x4C2E951: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13949==    by 0x6528F55: dissect_bthfp (string3.h:51)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x652D108: dissect_b_frame.constprop.12 (packet-btl2cap.c:1331)
==13949==  Address 0x12b5b56d is 0 bytes after a block of size 13 alloc'd
==13949==    at 0x4C2CD7B: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13949==    by 0x93D3CF0: g_malloc (gmem.c:159)
==13949==    by 0x6E66718: wmem_simple_alloc (wmem_allocator_simple.c:51)
==13949==    by 0x652891E: dissect_bthfp (packet-bthfp.c:1126)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)
==13949==    by 0x63DF646: dissector_try_uint (packet.c:995)
==13949==    by 0x6533CB2: dissect_btrfcomm (packet-btrfcomm.c:747)
==13949==    by 0x63DE567: call_dissector_through_handle (packet.c:458)
==13949==    by 0x63DED9C: call_dissector_work (packet.c:552)
==13949==    by 0x63DF5EF: dissector_try_uint_new (packet.c:969)

Also, when compiling with the latest GCC there are a few warnings:
packet-bthfp.c: In function 'dissect_at_command':
packet-bthfp.c:881:49: error: 'type' may be used uninitialized in this function [-Werror=maybe-uninitialized]
packet-bthfp.c:883:57: error: 'type_item' may be used uninitialized in this function [-Werror=maybe-uninitialized]
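The two classes of finding in the report above (memcpy writing a byte or two past a heap block that was sized from the field length alone, and a parser branching on a value that was never initialised) are easiest to see against a copy routine that does the checks. The following is an added example, not Wireshark's code and not the patch attached to this bug: `packet_t`, `copy_field`, `at_line_length`, `parse_at_line` and `at_line_matches` are hypothetical names, the tvbuff and wmem allocator are replaced by a plain struct and `malloc` so the file runs stand-alone, and the AT command lines are constructed sample payloads rather than captured traffic. Build it with `-Wall -Wextra` and run it under `valgrind --error-exitcode=1` to confirm it reports nothing.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the packet buffer a dissector reads from. */
typedef struct {
    const uint8_t *data;
    size_t         len;
} packet_t;

/* Constructed sample payloads, not taken from a real capture. */
static const uint8_t sample_ok[]    = "AT+BRSF=23\r\n";
static const packet_t pkt_ok        = { sample_ok, sizeof sample_ok - 1 };
static const uint8_t sample_trunc[] = "AT+CIND?";        /* no terminator */
static const packet_t pkt_trunc     = { sample_trunc, sizeof sample_trunc - 1 };
static const uint8_t sample_bare[]  = "AT\r";
static const packet_t pkt_bare      = { sample_bare, sizeof sample_bare - 1 };

/* Length of the AT line at `offset`: up to and excluding the first '\r',
 * or to the end of the packet when no terminator is present. */
size_t at_line_length(const packet_t *pkt, size_t offset)
{
    size_t i;
    if (offset >= pkt->len)
        return 0;
    for (i = offset; i < pkt->len; i++)
        if (pkt->data[i] == '\r')
            break;
    return i - offset;
}

/* Copy pkt[offset, offset+count) into a fresh NUL-terminated heap string.
 * The range is checked against the packet before any read, and the block is
 * count+1 bytes so the terminator has its own byte: the valgrind lines above
 * ("0 bytes after a block of size 13") are what a copy sized from count alone
 * produces. Returns NULL when the range lies outside the packet. */
char *copy_field(const packet_t *pkt, size_t offset, size_t count)
{
    char *out;
    if (offset > pkt->len || count > pkt->len - offset)
        return NULL;
    out = malloc(count + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, pkt->data + offset, count);
    out[count] = '\0';
    return out;
}

typedef struct {
    char *name;   /* "+BRSF", or "" for a bare "AT" line */
    char *param;  /* "23", or NULL when no '=' follows the name */
    int   is_at;  /* 1 when the line starts with "AT" (any case) */
} at_command_t;

/* Split "AT+BRSF=23" into name and parameter. Every output field is set before
 * any early return, so a caller can never branch on an uninitialised member
 * (the "maybe-uninitialized" / "depends on uninitialised value" class). */
int parse_at_line(const packet_t *pkt, size_t offset, at_command_t *cmd)
{
    size_t len = at_line_length(pkt, offset);
    size_t i, eq = len;
    cmd->name = NULL;
    cmd->param = NULL;
    cmd->is_at = 0;
    if (len < 2 || toupper(pkt->data[offset]) != 'A' ||
        toupper(pkt->data[offset + 1]) != 'T')
        return 0;
    cmd->is_at = 1;
    for (i = 2; i < len; i++)
        if (pkt->data[offset + i] == '=') { eq = i; break; }
    cmd->name = copy_field(pkt, offset + 2, eq - 2);
    if (cmd->name == NULL)
        return 0;
    if (eq < len) {
        cmd->param = copy_field(pkt, offset + eq + 1, len - eq - 1);
        if (cmd->param == NULL) { free(cmd->name); cmd->name = NULL; return 0; }
    }
    return 1;
}

void free_at_command(at_command_t *cmd)
{
    free(cmd->name);
    free(cmd->param);
    cmd->name = cmd->param = NULL;
}

/* Parse the line at offset 0 and compare against the expected name/param
 * (param NULL means "no parameter expected"). Frees everything it allocates. */
int at_line_matches(const packet_t *pkt, const char *name, const char *param)
{
    at_command_t cmd;
    int ok = parse_at_line(pkt, 0, &cmd);
    if (ok) {
        ok = strcmp(cmd.name, name) == 0;
        if (param == NULL)
            ok = ok && cmd.param == NULL;
        else
            ok = ok && cmd.param != NULL && strcmp(cmd.param, param) == 0;
    }
    free_at_command(&cmd);
    return ok;
}

int main(void)
{
    printf("ok:    %d\n", at_line_matches(&pkt_ok, "+BRSF", "23"));
    printf("trunc: %d\n", at_line_matches(&pkt_trunc, "+CIND?", NULL));
    printf("bare:  %d\n", at_line_matches(&pkt_bare, "", NULL));
    printf("range: %s\n", copy_field(&pkt_ok, 10, 5) == NULL ? "rejected" : "BUG");
    return 0;
}
```

The point of `copy_field` is that the bounds check and the `count + 1` sizing live in one place, so every field copy in the parser inherits them; the point of `parse_at_line` is that its outputs are assigned before the first `return`, which is exactly what silences the `-Wmaybe-uninitialized` warnings the comment quotes.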

