Wireshark-dev: [Wireshark-dev] strange crash when a display filter is cleared on a reassembled
From: Martin Kaiser <lists@xxxxxxxxx>
Date: Tue, 30 Aug 2011 13:23:11 +0200

Dear all,

I'm struggling with a strange crash, I'd really appreciate your help.

It may be that my DVB-CI dissector, other parts of wireshark or my
system configuration is at fault...

current svn on a Fedora Core 15 linux
TShark 1.7.0 (SVN Rev Unknown from unknown)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and
contributors.  This is free software; see the source for copying
conditions. There is NO warranty; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
Compiled (32-bit) with GLib 2.28.8, with libpcap 1.1.1, with libz 1.2.5,
with POSIX capabilities (Linux), with threads support, without libpcre,
without SMI, without c-ares, without ADNS, without Lua, with Python
2.7.1, with GnuTLS 2.10.5, with Gcrypt 1.4.6, with MIT Kerberos, without
GeoIP.
Running on Linux 2.6.40-4.fc15.i686.PAE, with locale en_US.UTF-8, with
libpcap version 1.1.1, with libz 1.2.5.
Built using gcc 4.6.0 20110603 (Red Hat 4.6.0-10).


The problem can be reproduced by setting a display filter to
dvb-ci.apdu_tag
so that only APDUs are displayed

Next, load http://www.kaiser.cx/misc/crash5.pcap, select packet 53
(Profile Information) and click on Clear to clear the display filter

This causes a segfault, backtrace is

#0  ensure_contiguous_no_exception (tvb=0xcb5af808, offset=0, length=-1, 
    exception=0xbfffd4dc) at tvbuff.c:852
#1  0x0072e2c3 in ensure_contiguous (tvb=<optimized out>, 
    offset=<optimized out>, length=-1) at tvbuff.c:887
#2  0x080a01f9 in get_byte_view_data_and_length (byte_view=
    0x8cc62f8 [GtkTextView], data_len=0xbfffd53c) at


Packet 53 is reassembled on both session and transport layer
There are 3 data sources: Frame (13 Bytes), reassembled tpdu (35 bytes),
reassembled spdu (128 bytes).

Setting a breakpoint in ensure_contiguous_no_exception() before pressing
the clear button shows the following


-> the Frame (13 bytes)
(gdb) print *tvb
$12 = {type = TVBUFF_REAL_DATA, initialized = 1, usage_count = 2, ds_tvb = 0x8dd6cc8, used_in = 0x8dc5708 = {0x8dd6c20}, tvbuffs = {subset = {tvb = 0xffff, offset = 1710618, length = 437918234}, composite = {tvbs = 0xffff = {<error reading variable>}, real_data = 0x822581c "", length = 13, reported_length = 13, raw_offset = 0, free_cb = 0}
(gdb) cont 
Continuing.

-> Reassembled TPDU (35 Bytes)
Breakpoint 2, ensure_contiguous_no_exception (tvb=0x8dd6c58, offset=0,
length= -1, exception=0xbfffd4dc) at tvbuff.c:849 849     {
(gdb) print *tvb
$13 = {type = TVBUFF_REAL_DATA, initialized = 1, usage_count = 2, ds_tvb = 0x8dd6c58, used_in = 0x8dbc018 = {0x8ddde78}, tvbuffs = {subset = {tvb = 0xffff, offset = 1710618, length = 437918234}, composite = {tvbs = 0xffff = {<error reading variable>}, real_data = 0x8cd0aa8 " !\001", 'ÿ' <repeats 32 times>, length = 35, reported_length = 35, raw_offset = 0, free_cb = 0}

-> next, ensure_contiguous_no_exception() is called with an illegal
address as tvb *

Breakpoint 2, ensure_contiguous_no_exception (tvb=0xb7e82720, offset=0,
length= -1, exception=0xbfffd4dc) at tvbuff.c:849 849     {
(gdb) print *tvb
$14 = {type = 16927523, initialized = 16927530, usage_count = 16927537, ds_tvb = 0x1024b38, used_in = 0x1024b3f = {0x14244489, <error reading variable>

(on some occassions, the tvb address was not accessible at all)

continue -> segfault when the illegal pointer is dereferenced

The crash only happens when a display filter is set before the capture
file is loaded.

I was not able to reproduce the crash on Debian Lenny.

Wireshark doesn't crash if I delete the last packet (number 65) from the
pcap file. It also doesn't crash if any other file is loaded before
loading crash5.pcap.

Any idea what's going wrong or what I can do to track this down?

Thanks is advance,

   Martin