Wireshark-bugs: [Wireshark-bugs] [Bug 13144] New: Buildbot crash output: fuzz-2016-11-16-2756.pc
Date: Wed, 16 Nov 2016 09:30:02 +0000
Bug ID: 13144
Summary: Buildbot crash output: fuzz-2016-11-16-2756.pcap
Product: Wireshark
Version: unspecified
Hardware: x86-64
URL: https://www.wireshark.org/download/automated/captures/fuzz-2016-11-16-2756.pcap
OS: Ubuntu
Status: CONFIRMED
Severity: Major
Priority: High
Component: Dissection engine (libwireshark)
Assignee: bugzilla-admin@wireshark.org
Reporter: buildbot-do-not-reply@wireshark.org

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2016-11-16-2756.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/14032-sample_cid1_gen19.pcap

Build host information:
Linux wsbb04 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:    Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:    16.04
Codename:    xenial

Buildbot information:
BUILDBOT_REPOSITORY=ssh://wireshark-buildbot@code.wireshark.org:29418/wireshark
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_BUILDNUMBER=3774
BUILDBOT_URL=http://buildbot.wireshark.org/wireshark-master/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_GOT_REVISION=7f2a83892204821145768b76bbdd0719b57787f8

Return value:  0

Dissector bug:  0

Valgrind error count:  5



Git commit
commit 7f2a83892204821145768b76bbdd0719b57787f8
Author: Franklin "Snaipe" Mathieu <snaipe@diacritic.io>
Date:   Tue Nov 8 17:13:41 2016 +0100

    lua: Allow proto:register_heuristic to be used on multiple list names

    In the C API, one can register a heuristic for the same protocol on
    different lists by specifying another unique short_name. This is
    impossible in the lua API, as the protocol name is used as the short
    name itself.

    This change fixes that by creating a unique shortname composed of the
    protocol name and the target list name.

    Change-Id: I2c30ce6e4f7a3b38879180c64cf8564f779163b4
    Signed-off-by: Franklin "Snaipe" Mathieu <snaipe@diacritic.io>
    Reviewed-on: https://code.wireshark.org/review/18711
    Petri-Dish: Michael Mann <mmann78@netscape.net>
    Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
    Reviewed-by: Peter Wu <peter@lekensteyn.nl>


==21296== Memcheck, a memory error detector
==21296== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21296== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==21296== Command: /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.plain/bin/tshark -nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2016-11-16-2756.pcap
==21296== 
==21296== Invalid read of size 1
==21296==    at 0x69DE58B: fragment_add_seq_single_work (reassemble.c:2235)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B26FC: call_dissector_only (packet.c:2954)
==21296==    by 0x69B26FC: call_dissector_with_data (packet.c:2967)
==21296==  Address 0x14036f45 is 37 bytes inside a block of size 56 free'd
==21296==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0x69DCE3A: fragment_delete (reassemble.c:606)
==21296==    by 0x69DE4FD: fragment_add_seq_single_work (reassemble.c:2216)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==  Block was alloc'd at
==21296==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0xA6F7728: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70E932: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70EFCD: g_slice_alloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0x69DE5D5: new_head (reassemble.c:366)
==21296==    by 0x69DE5D5: fragment_add_seq_single_work (reassemble.c:2274)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296== 
==21296== Invalid read of size 4
==21296==    at 0x69DE592: fragment_add_seq_single_work (reassemble.c:2238)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B26FC: call_dissector_only (packet.c:2954)
==21296==    by 0x69B26FC: call_dissector_with_data (packet.c:2967)
==21296==  Address 0x14036f38 is 24 bytes inside a block of size 56 free'd
==21296==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0x69DCE3A: fragment_delete (reassemble.c:606)
==21296==    by 0x69DE4FD: fragment_add_seq_single_work (reassemble.c:2216)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==  Block was alloc'd at
==21296==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0xA6F7728: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70E932: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70EFCD: g_slice_alloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0x69DE5D5: new_head (reassemble.c:366)
==21296==    by 0x69DE5D5: fragment_add_seq_single_work (reassemble.c:2274)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296== 
==21296== Invalid read of size 1
==21296==    at 0x69DE954: fragment_add_seq_single_work (reassemble.c:2239)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B26FC: call_dissector_only (packet.c:2954)
==21296==    by 0x69B26FC: call_dissector_with_data (packet.c:2967)
==21296==  Address 0x14036f45 is 37 bytes inside a block of size 56 free'd
==21296==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0x69DCE3A: fragment_delete (reassemble.c:606)
==21296==    by 0x69DE4FD: fragment_add_seq_single_work (reassemble.c:2216)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==  Block was alloc'd at
==21296==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0xA6F7728: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70E932: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70EFCD: g_slice_alloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0x69DE5D5: new_head (reassemble.c:366)
==21296==    by 0x69DE5D5: fragment_add_seq_single_work (reassemble.c:2274)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296== 
==21296== Invalid write of size 4
==21296==    at 0x69DE959: fragment_add_seq_single_work (reassemble.c:2240)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B26FC: call_dissector_only (packet.c:2954)
==21296==    by 0x69B26FC: call_dissector_with_data (packet.c:2967)
==21296==  Address 0x14036f38 is 24 bytes inside a block of size 56 free'd
==21296==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0x69DCE3A: fragment_delete (reassemble.c:606)
==21296==    by 0x69DE4FD: fragment_add_seq_single_work (reassemble.c:2216)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==  Block was alloc'd at
==21296==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0xA6F7728: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70E932: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70EFCD: g_slice_alloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0x69DE5D5: new_head (reassemble.c:366)
==21296==    by 0x69DE5D5: fragment_add_seq_single_work (reassemble.c:2274)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296== 
==21296== 
==21296== HEAP SUMMARY:
==21296==     in use at exit: 6,084,687 bytes in 9,719 blocks
==21296==   total heap usage: 309,195 allocs, 299,476 frees, 39,465,279 bytes allocated
==21296== 
==21296== LEAK SUMMARY:
==21296==    definitely lost: 344 bytes in 86 blocks
==21296==    indirectly lost: 0 bytes in 0 blocks
==21296==      possibly lost: 0 bytes in 0 blocks
==21296==    still reachable: 6,084,343 bytes in 9,633 blocks
==21296==         suppressed: 0 bytes in 0 blocks
==21296== Rerun with --leak-check=full to see details of leaked memory
==21296== 
==21296== For counts of detected and suppressed errors, rerun with: -v
==21296== ERROR SUMMARY: 5 errors from 4 contexts (suppressed: 0 from 0)

[ no debug trace ]

