Wireshark-bugs: [Wireshark-bugs] [Bug 8923] New: Fuzz failure: very long loop in packet-gsm_a_rr
Date: Thu, 11 Jul 2013 13:04:54 +0000
Bug ID | 8923 |
---|---|
Summary | Fuzz failure: very long loop in packet-gsm_a_rr |
Classification | Unclassified |
Product | Wireshark |
Version | SVN |
Hardware | All |
OS | All |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | Dissection engine (libwireshark) |
Assignee | bugzilla-admin@wireshark.org |
Reporter | jeff.morriss.ws@gmail.com |
Build Information:

~~~
TShark 1.11.0 (SVN Rev 50503 from /trunk)

Copyright 1998-2013 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.34.2, with libpcap, with libz 1.2.7, without POSIX capabilities, without libnl, without SMI, with c-ares 1.9.1, with Lua 5.1, without Python, with GnuTLS 2.12.23, with Gcrypt 1.5.0, without Kerberos, without GeoIP.

Running on Linux 3.9.2-200.fc18.x86_64, with locale C, with libpcap version 1.3.0, with libz 1.2.7.
Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz

Built using gcc 4.7.2 20121109 (Red Hat 4.7.2-8).
~~~

--

Got another fuzz failure (again, with the "-Yframe" step enabled):

~~~
tools/fuzz-test.sh: line 163: 28206 Trace/breakpoint trap (core dumped) "$RUNNER" $ARGS $TMP_DIR/$TMP_FILE > /dev/null 2>> $TMP_DIR/$ERR_FILE

ERROR
Processing failed. Capture info follows:

Input file: ../caps/menagerie/public/2717-test_sccp_conversation.snoop
Output file: /tmp/fuzz-2013-07-10-1226.pcap

stderr follows:

Input file: ../caps/menagerie/public/2717-test_sccp_conversation.snoop

Build host information:
Linux XXX 3.9.2-200.fc18.x86_64 #1 SMP Mon May 13 13:59:47 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

Return value: 133

Dissector bug: 0

Valgrind error count: 0

Subversion revision
------------------------------------------------------------------------
r50482 | cmaynard | 2013-07-10 12:18:37 -0400 (Wed, 10 Jul 2013) | 38 lines

Add strnatcmp by Martin Pool for 'natural order' string comparisons, and make use of it in editcap and mergecap for listing encapsulation types.

For example:

Before:
    user0 - USER 0
    user1 - USER 1
    user10 - USER 10
    user11 - USER 11
    user12 - USER 12
    user13 - USER 13
    user14 - USER 14
    user15 - USER 15
    user2 - USER 2
    user3 - USER 3
    user4 - USER 4
    user5 - USER 5
    user6 - USER 6
    user7 - USER 7
    user8 - USER 8
    user9 - USER 9

After:
    user0 - USER 0
    user1 - USER 1
    user2 - USER 2
    user3 - USER 3
    user4 - USER 4
    user5 - USER 5
    user6 - USER 6
    user7 - USER 7
    user8 - USER 8
    user9 - USER 9
    user10 - USER 10
    user11 - USER 11
    user12 - USER 12
    user13 - USER 13
    user14 - USER 14
    user15 - USER 15
------------------------------------------------------------------------

Command and args: ./tshark -Yframe -nr

** (process:28206): ERROR **: More than 1000000 items in the tree -- possible infinite loop
~~~

Backtrace is:

~~~
#0 0x0000003de1c4ec67 in g_logv () from /lib64/libglib-2.0.so.0
#1 0x0000003de1c4ee32 in g_log () from /lib64/libglib-2.0.so.0
#2 0x00007f27faa924ab in proto_tree_add_bits_item (tree=tree@entry=0x28b5950, hf_index=<optimized out>, tvb=tvb@entry=0x26a8f20, bit_offset=bit_offset@entry=4999582, no_of_bits=no_of_bits@entry=4, encoding=encoding@entry=0) at proto.c:6858
#3 0x00007f27fad6490c in de_rr_multirate_conf (tvb=0x26a8f20, tree=0x28b5950, pinfo=<optimized out>, offset=<optimized out>, len=1, add_string=<optimized out>, string_len=1024) at packet-gsm_a_rr.c:3864
#4 0x00007f27fad412a4 in elem_tlv (tvb=tvb@entry=0x26a8f20, tree=tree@entry=0x28b5950, pinfo=pinfo@entry=0x7fff660926d0, iei=iei@entry=40 '(', pdu_type=pdu_type@entry=3, idx=idx@entry=37, offset=offset@entry=44, len=len@entry=7, name_add=0x7f27fb852da6 "", name_add@entry=0x0) at packet-gsm_a_common.c:1278
#5 0x00007f27fad7bb7e in dissect_gsm_bsslap_u_tdoa_res (offset=1, pinfo=0x7fff660926d0, tree=0x28b5950, tvb=0x26a8f20) at packet-gsm_bsslap.c:777
#6 dissect_gsm_bsslap (tvb=0x26a8f20, pinfo=0x7fff660926d0, tree=<optimized out>) at packet-gsm_bsslap.c:840
#7 0x00007f27faa7a0f8 in call_dissector_through_handle (handle=0x15fd280, tvb=0x26a8f20, pinfo=0x7fff660926d0, tree=0x28b58f0, data="" at packet.c:433
#8 0x00007f27faa7a92d in call_dissector_work (handle=0x15fd280, tvb=0x26a8f20, pinfo_arg=0x7fff660926d0, tree=0x28b58f0, add_proto_name=1, data="" at packet.c:527
#9 0x00007f27faa7c6d1 in call_dissector_with_data (handle=<optimized out>, tvb=0x26a8f20, pinfo=pinfo@entry=0x7fff660926d0, tree=0x28b58f0, data="" at packet.c:2061
#10 0x00007f27faa7c798 in call_dissector (handle=<optimized out>, tvb=<optimized out>, pinfo=pinfo@entry=0x7fff660926d0, tree=<optimized out>) at packet.c:2079
#11 0x00007f27fad31051 in be_apdu (tvb=0x2908a80, tree=0x28b5890, pinfo=0x7fff660926d0, offset=4, len=51, add_string=<optimized out>, string_len=1024) at packet-gsm_a_bssmap.c:3117
#12 0x00007f27fad420c2 in elem_tlv_e (tvb=tvb@entry=0x2908a80, tree=tree@entry=0x28b5890, pinfo=pinfo@entry=0x7fff660926d0, iei=iei@entry=73 'I', pdu_type=pdu_type@entry=0, idx=idx@entry=73, offset=offset@entry=1, len=len@entry=55, name_add=0x7f27fb852da6 "", name_add@entry=0x0) at packet-gsm_a_common.c:1442
#13 0x00007f27fad3b60f in bssmap_conn_oriented (tvb=0x2908a80, tree=0x28b5890, pinfo=0x7fff660926d0, offset=1, len=55) at packet-gsm_a_bssmap.c:6378
#14 0x00007f27fad33b43 in dissect_bssmap (tvb=0x2908a80, pinfo=0x7fff660926d0, tree=<optimized out>) at packet-gsm_a_bssmap.c:7037
#15 0x00007f27faa7a0f8 in call_dissector_through_handle (handle=0x16923f0, tvb=0x2908a80, pinfo=0x7fff660926d0, tree=0x28b58f0, data="" at packet.c:433
#16 0x00007f27faa7a92d in call_dissector_work (handle=0x16923f0, tvb=0x2908a80, pinfo_arg=0x7fff660926d0, tree=0x28b58f0, add_proto_name=1, data="" at packet.c:527
#17 0x00007f27faa7c6d1 in call_dissector_with_data (handle=<optimized out>, tvb=tvb@entry=0x2908a80, pinfo=pinfo@entry=0x7fff660926d0, tree=tree@entry=0x28b58f0, data="" at packet.c:2061
#18 0x00007f27faa7c798 in call_dissector (handle=<optimized out>, tvb=tvb@entry=0x2908a80, pinfo=pinfo@entry=0x7fff660926d0, tree=tree@entry=0x28b58f0) at packet.c:2079
#19 0x00007f27fab94a9d in dissect_bssap_data_param (tree=0x28b58f0, bssap_tree=0x28b5ad0, pinfo=0x7fff660926d0, tvb=0x2908a80) at packet-bssap.c:416
#20 dissect_bssap_parameter (tvb=tvb@entry=0x29089e0, pinfo=pinfo@entry=0x7fff660926d0, bssap_tree=bssap_tree@entry=0x28b5ad0, tree=tree@entry=0x28b58f0, parameter_type=parameter_type@entry=2 '\002', offset=<optimized out>, parameter_length=56) at packet-bssap.c:498
#21 0x00007f27fab96ce8 in dissect_bssap_var_parameter (parameter_type=2 '\002', offset=<optimized out>, tree=0x28b58f0, bssap_tree=0x28b5ad0, pinfo=0x7fff660926d0, tvb=0x29089e0) at packet-bssap.c:523
#22 dissect_bssap_message (tree=0x28b58f0, bssap_tree=0x28b5ad0, pinfo=0x7fff660926d0, tvb=0x29089e0) at packet-bssap.c:571
#23 dissect_bssap (tvb=tvb@entry=0x29089e0, pinfo=pinfo@entry=0x7fff660926d0, tree=tree@entry=0x28b58f0) at packet-bssap.c:611
#24 0x00007f27fab96ea3 in dissect_bssap_heur (tvb=0x29089e0, pinfo=0x7fff660926d0, tree=0x28b58f0, data="" out>) at packet-bssap.c:2172
#25 0x00007f27faa7bf70 in dissector_try_heuristic (sub_dissectors=<optimized out>, tvb=tvb@entry=0x29089e0, pinfo=pinfo@entry=0x7fff660926d0, tree=tree@entry=0x28b58f0, data="" at packet.c:1782
#26 0x00007f27fb015cdd in dissect_sccp_data_param (tvb=0x29089e0, pinfo=pinfo@entry=0x7fff660926d0, tree=tree@entry=0x28b58f0) at packet-sccp.c:2291
#27 0x00007f27fb01a3b5 in dissect_sccp_message (tree=0x28b58f0, sccp_tree=0x28b5aa0, pinfo=0x7fff660926d0, tvb=0x2908b20) at packet-sccp.c:2846
#28 dissect_sccp (tvb=0x2908b20, pinfo=0x7fff660926d0, tree=0x28b58f0) at packet-sccp.c:3350
~~~