While trying to dissect IPv6 pings I got a crash with the stack trace
shown below. Since the ICMPv6 dissector has not been tvbuffified, it
gives a NULL tvb to proto_tree_add_item_hidden(), which gets delivered
all the way to check_offset_length_no_exception().
An easy fix was to comment out the call to
proto_tree_add_item_hidden(), but since the ICMPv6 dissector seems to be
the only dissector passing a NullTVB to this call, I can tvbuffify it
if nobody objects.
The problem seems to be present at least in 0.8.16 and the latest CVS version.
An example of a crash-producing capture is available at
http://atm.tut.fi/~hessu/ethereal/ipv6-ping.cap
(gdb) run -n -r ~/ipv6-trunk.cap
Starting program:
/home/hessu/src/ethereal-cvs/hack/ethereal/./ethereal -n -r
~/ipv6-trunk.cap
Program received signal SIGSEGV, Segmentation fault.
check_offset_length_no_exception (tvb=0x0, offset=60, length=2,
offset_ptr=0xbfffddec, length_ptr=0xbfffddf0, exception=0xbfffdda0) at
tvbuff.c:416
416 g_assert(tvb->initialized);
(gdb) where
#0 check_offset_length_no_exception (tvb=0x0, offset=60, length=2,
offset_ptr=0xbfffddec, length_ptr=0xbfffddf0, exception=0xbfffdda0) at
tvbuff.c:416
#1 0x8161edc in check_offset_length (tvb=0x0, offset=60, length=2,
offset_ptr=0xbfffddec, length_ptr=0xbfffddf0) at tvbuff.c:450
#2 0x81627a9 in ensure_contiguous (tvb=0x0, offset=60, length=2) at
tvbuff.c:781
#3 0x8162d2e in tvb_get_letohs (tvb=0x0, offset=60) at tvbuff.c:1002
#4 0x815d252 in get_uint_value (tvb=0x0, offset=60, length=2,
little_endian=1) at proto.c:376
#5 0x815d455 in proto_tree_add_item (tree=0x82ddcc0, hfindex=582,
tvb=0x0, start=60, length=2, little_endian=1) at proto.c:474
#6 0x815d714 in proto_tree_add_item_hidden (tree=0x82ddcc0,
hfindex=582, tvb=0x0, start=60, length=2, little_endian=1) at
proto.c:574
#7 0x809d57c in dissect_icmpv6 (pd=0x821fc60 "", offset=58,
fd=0x82cac80, tree=0x82ddb80) at packet-icmpv6.c:991
--
Heikki Vatiainen * hessu@xxxxxxxxx
Tampere University of Technology * Tampere, Finland
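An added example, not code from this report or from Ethereal, that models the failure mode in C: a tvbuff stand-in whose bounds check rejects a NULL or uninitialized buffer instead of dereferencing it, and a tvb_new_from_pd() helper (a hypothetical name) that wraps the raw pd/offset pair the way tvbuffifying the dissector would. The 64-byte frame is constructed for the example, not taken from the capture linked above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-in for Ethereal's tvbuff: a bounded view over packet bytes. */
typedef struct {
    const uint8_t *data;
    size_t length;
    bool initialized;
} tvbuff_t;
enum tvb_status { TVB_OK = 0, TVB_NULL_BUFFER = -1, TVB_NOT_INITIALIZED = -2, TVB_OUT_OF_BOUNDS = -3 };

/* Bounds check that rejects a NULL/uninitialized tvb (the trace faults at g_assert(tvb->initialized) with tvb=0x0). */
static enum tvb_status check_offset_length(const tvbuff_t *tvb, size_t offset, size_t length) {
    if (tvb == NULL) return TVB_NULL_BUFFER;
    if (!tvb->initialized) return TVB_NOT_INITIALIZED;
    if (offset > tvb->length || length > tvb->length - offset) return TVB_OUT_OF_BOUNDS;
    return TVB_OK;
}

/* Little-endian 16-bit read in the spirit of tvb_get_letohs(), reporting failure by status. */
static enum tvb_status tvb_get_letohs_checked(const tvbuff_t *tvb, size_t offset, uint16_t *out) {
    enum tvb_status st = check_offset_length(tvb, offset, 2);
    if (st != TVB_OK) return st;
    *out = (uint16_t)(tvb->data[offset] | (tvb->data[offset + 1] << 8));
    return TVB_OK;
}

/* "Tvbuffify": wrap the raw pd/offset pair an old-style dissector receives in a tvbuff (hypothetical helper). */
static tvbuff_t tvb_new_from_pd(const uint8_t *pd, size_t pd_len, size_t offset) {
    tvbuff_t tvb = { NULL, 0, false };
    if (pd != NULL && offset <= pd_len) {
        tvb.data = pd + offset;
        tvb.length = pd_len - offset;
        tvb.initialized = true;
    }
    return tvb;
}

/* Constructed 64-byte frame (not the real capture): ICMPv6 starts at 58, bytes 60..61 hold 0x34 0x12. */
static uint8_t sample_frame[64] = { [60] = 0x34, [61] = 0x12 };
/* The old-style call path: a NULL tvb now yields a status instead of SIGSEGV. */
static enum tvb_status null_tvb_read(uint16_t *out) { return tvb_get_letohs_checked(NULL, 60, out); }

/* The tvbuffified path: wrap pd at offset 58 and read the field at an offset relative to the sub-buffer. */
static enum tvb_status tvbuffified_read(size_t rel_offset, uint16_t *out) {
    tvbuff_t tvb = tvb_new_from_pd(sample_frame, sizeof sample_frame, 58);
    return tvb_get_letohs_checked(&tvb, rel_offset, out);
}
```

Reading the field at relative offset 2 returns 0x1234; an offset that would run past the six bytes in the sub-buffer is reported as out of bounds rather than read.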