Hi list,
If you open the attached capture with Ethereal, you can freely inspect
it and see the dissected decompression. However, if you enter a
display filter like "http" which matches the packet, Ethereal will
crash in epan_dissect_free() at the very end of having filtered all
packets (I tested this with a 9 MB capture). The crash does not happen
if you disable the HTTP dissector.
Below is a transcript of a debugger session, obtained by reading the attached
capture and filtering with "http" as the display filter:
Program received signal SIGSEGV, Segmentation fault.
tvb_free_chain (tvb=0x1) at tvbuff.c:221
221 for (slist = tvb->used_in; slist != NULL ; slist = slist->next) {
(gdb) bt full
#0 tvb_free_chain (tvb=0x1) at tvbuff.c:221
tvb = (tvbuff_t *) 0x1
slist = (GSList *) 0x10540c20
#1 0x00e5609a in tvb_free_chain (tvb=0x10540298) at tvbuff.c:222
tvb = (tvbuff_t *) 0x10540298
slist = (GSList *) 0x10540c20
#2 0x00e5609a in tvb_free_chain (tvb=0x10336e1c) at tvbuff.c:222
tvb = (tvbuff_t *) 0x10336e1c
slist = (GSList *) 0x104802b0
#3 0x00e5609a in tvb_free_chain (tvb=0x10336ce4) at tvbuff.c:222
tvb = (tvbuff_t *) 0x10336ce4
slist = (GSList *) 0x10540320
#4 0x00e5609a in tvb_free_chain (tvb=0x10336c7c) at tvbuff.c:222
tvb = (tvbuff_t *) 0x10336c7c
slist = (GSList *) 0x10541718
#5 0x00e5609a in tvb_free_chain (tvb=0x10336cb0) at tvbuff.c:222
tvb = (tvbuff_t *) 0x10336cb0
slist = (GSList *) 0x10323780
#6 0x00e461a1 in epan_dissect_free (edt=0x1053e3f0) at epan.c:166
edt = (epan_dissect_t *) 0x1053e3f0
#7 0x0040f24d in select_packet (cf=0x4b3980, row=0) at file.c:2526
cf = (capture_file *) 0x4b3980
row = 4930056
fdata = (frame_data *) 0x1053e3f0
err = 11277970
err_info = (gchar *) 0x0
#8 0x0042bad8 in packet_list_select_cb (w=0x10234750, row=0, col=-1, evt=0x0) at packet_list.c:261
row = 0
#9 0x00aae458 in _gtk_marshal_VOID__INT_INT_BOXED ()
No symbol table info available.
#10 0x00963410 in g_closure_invoke () from /usr/bin/cyggobject-2.0-0.dll
No symbol table info available.
#11 0x009739b7 in signal_emit_unlocked_R () from /usr/bin/cyggobject-2.0-0.dll
No symbol table info available.
Another backtrace (only the top of it) shows that tvb is not always 0x1
but sometimes 0x0:
Program received signal SIGSEGV, Segmentation fault.
tvb_free_chain (tvb=0x0) at tvbuff.c:221
221 for (slist = tvb->used_in; slist != NULL ; slist = slist->next) {
(gdb) bt full
#0 tvb_free_chain (tvb=0x0) at tvbuff.c:221
tvb = (tvbuff_t *) 0x0
slist = (GSList *) 0x10313b80
#1 0x00e5609a in tvb_free_chain (tvb=0x105db5b4) at tvbuff.c:222
tvb = (tvbuff_t *) 0x105db5b4
slist = (GSList *) 0x10313b80
#2 0x00e5609a in tvb_free_chain (tvb=0x105db580) at tvbuff.c:222
tvb = (tvbuff_t *) 0x105db580
slist = (GSList *) 0x10313cf0
The bug does not occur on chunked-but-not-gzipped entities.
Does anyone have a clue (an overwritten tvbuff pointer or something similar)?
Regards,
Olivier
Attachment: BigCap-gzip-not-chunked-response.snoop (binary data)
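The backtrace above is tvb_free_chain() recursing through each tvbuff's used_in list and stopping on an entry whose tvb pointer is 0x1 or 0x0, i.e. an entry that no longer names a valid buffer. The following is an added illustration written for this page, not Ethereal's tvbuff.c: a minimal tvbuff-like structure with the same parent/used_in relationship, a recursive free in the shape of tvb_free_chain(), and two ways a sub-buffer can be released. Freeing a sub-buffer without unlinking it from its parent leaves a stale used_in entry that the recursive free will later dereference, which is one way to get the crash shape in the report (the example does not claim this is the actual cause in the HTTP gzip path; that is the open question above). The debug registry, the function names and the "frame/tcp/gunzipped" buffer names are assumptions of this example; the registry compares addresses only, so stale entries are detected without touching freed memory.

```c
/* Added example for this bug report, not Ethereal's code. Models the
 * tvbuff used_in chain freed recursively by tvb_free_chain(), shows how a
 * sub-buffer freed without being unlinked leaves a stale entry, and adds
 * a debug walk that finds such entries before the real free runs. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct tvbuff tvbuff_t;

/* Singly linked list of sub-buffers, like the GSList used_in in tvbuff.c. */
typedef struct used_in {
    tvbuff_t       *tvb;
    struct used_in *next;
} used_in_t;

struct tvbuff {
    const char *name;
    tvbuff_t   *parent;   /* buffer this one was created from, or NULL */
    used_in_t  *used_in;  /* sub-buffers created from this one */
};

/* Hypothetical debug registry of live buffers (assumption of this example).
 * Addresses are kept as integers so stale pointers are compared, never read. */
#define MAX_LIVE 64
static uintptr_t live[MAX_LIVE];
static int n_live;

static void reg_add(tvbuff_t *t) { if (n_live < MAX_LIVE) live[n_live++] = (uintptr_t)t; }
static void reg_del(tvbuff_t *t)
{
    for (int i = 0; i < n_live; i++)
        if (live[i] == (uintptr_t)t) { live[i] = live[--n_live]; return; }
}
static int reg_has(uintptr_t addr)
{
    for (int i = 0; i < n_live; i++)
        if (live[i] == addr) return 1;
    return 0;
}
int tvb_live_count(void) { return n_live; }

tvbuff_t *tvb_new(const char *name)
{
    tvbuff_t *t = calloc(1, sizeof *t);
    t->name = name;
    reg_add(t);
    return t;
}

/* Child buffer (subset or decompressed copy) linked into the parent's
 * used_in list so that freeing the parent frees the child as well. */
tvbuff_t *tvb_new_child(tvbuff_t *parent, const char *name)
{
    tvbuff_t  *child = tvb_new(name);
    used_in_t *e     = calloc(1, sizeof *e);
    child->parent = parent;
    e->tvb  = child;
    e->next = parent->used_in;
    parent->used_in = e;
    return child;
}

/* Recursive free in the shape of tvb_free_chain(): it trusts every used_in
 * entry, so a stale entry is dereferenced exactly as in the backtrace. */
void tvb_free_chain(tvbuff_t *t)
{
    for (used_in_t *e = t->used_in, *next; e; e = next) {
        next = e->next;
        tvb_free_chain(e->tvb);
        free(e);
    }
    reg_del(t);
    free(t);
}

/* Buggy direct free: releases the buffer but leaves the parent's used_in
 * entry pointing at freed memory (the buffer's own children are not freed
 * here; the point is the stale entry). */
void tvb_free_dangling(tvbuff_t *t) { reg_del(t); free(t); }

/* Correct direct free: unlink from the parent's used_in list, then free
 * the buffer and everything built on top of it. */
void tvb_free_unlinked(tvbuff_t *t)
{
    if (t->parent) {
        used_in_t **pp = &t->parent->used_in;
        while (*pp && (*pp)->tvb != t) pp = &(*pp)->next;
        if (*pp) { used_in_t *e = *pp; *pp = e->next; free(e); }
    }
    tvb_free_chain(t);
}

/* Debug walk over the chain: counts used_in entries that no longer name a
 * live buffer. Any non-zero result means tvb_free_chain() would crash. */
int tvb_chain_stale_entries(const tvbuff_t *t)
{
    int stale = 0;
    for (const used_in_t *e = t->used_in; e; e = e->next) {
        if (!reg_has((uintptr_t)e->tvb)) { stale++; continue; }
        stale += tvb_chain_stale_entries(e->tvb);
    }
    return stale;
}

int main(void)
{
    tvbuff_t *frame = tvb_new("frame");
    tvbuff_t *tcp   = tvb_new_child(frame, "tcp payload");
    tvbuff_t *body  = tvb_new_child(tcp, "gunzipped entity");
    tvb_free_dangling(body);   /* stale entry left in tcp->used_in */
    printf("stale entries under frame: %d\n", tvb_chain_stale_entries(frame));
    /* tvb_free_chain(frame) would now walk into freed memory, so stop here. */
    return 0;
}
```

Calling tvb_chain_stale_entries() on the frame's top-level tvbuff right before epan_dissect_free() is the kind of check that would turn the late, filter-time segfault into an immediate report naming the packet and dissector that left the stale entry; in a real build the registry would be replaced by whatever allocation tracking the dissector engine already has.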