Ethereal 0.10.7 exhibits the same coredump. The platform is
FreeBSD-5.3-STABLE (freshly minted :). I tried setting some malloc
options to see if things would show up, but they didn't. It looks like
stack corruption to me. Here's a bit of my debugger session:
(gdb) frame 1
#1 0x88442b95 in dissect_fullpacket (tvb=0x84fe8b4, offset=84, scallno=1,
pinfo=0x816c308, iax2_tree=0x855b8d0, main_tree=0x84ec378)
at packet-iax2.c:1204
1204 circuit_set_dissector( circuit, s );
(gdb) l
1199
1200       if( csub == IAX_COMMAND_NEW && circuit && iax_call ) {
1201         /* if this is a data call, set up a subdissector for the circuit */
1202         dissector_handle_t s;
1203         s = dissector_get_port_handle(iax2_dataformat_dissector_table, iax_call -> dataformat );
1204         circuit_set_dissector( circuit, s );
1205       }
1206       break;
1207
1208     case AST_FRAME_DTMF:
(gdb) p s
$3 = 0x882c8c1a
(gdb) p *s
$4 = {name = 0xfac3815b <Address 0xfac3815b out of bounds>,
is_new = -1962905777, dissector = {old = 0xb81c75, new = 0xb81c75},
protocol = 0x83000000}
(gdb) p s->name
$5 = 0xfac3815b <Address 0xfac3815b out of bounds>
(gdb) frame 0
#0 0x882b9dbd in circuit_set_dissector (circuit=0x882c8c1a, handle=0x0)
at circuit.c:303
303 circuit->dissector_handle = handle;
Note that the s argument passed from frame #1 doesn't match the handle
value in frame #0. I don't know what kind of quality stack guarding is
available in OSS. I'm still available to give up the packet dump file
and even the core file if desired.
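As an added illustration (not Ethereal's code, and not from the poster): the lookup/set pattern shown at packet-iax2.c:1203-1204 stores whatever pointer dissector_get_port_handle returns without checking it, and the `p *s` output above is what a later dereference of a smashed pointer looks like. The toy program below models that pattern with stand-in types (handle_t, circuit_t, registry, get_port_handle, circuit_set_dissector_checked are all assumed names, not Ethereal's API), reproduces the garbage-pointer symptom deterministically by overrunning a scratch buffer that sits next to the handle in a struct, and shows the check a dissector could apply: refuse a handle that is NULL or is not one of the entries the registry actually handed out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-ins for Ethereal's dissector_handle_t / circuit_t (assumptions). */
typedef struct {
    const char *name;
    int (*dissector)(const uint8_t *buf, size_t len);
} handle_t;

typedef struct {
    handle_t *dissector_handle;
} circuit_t;

static int dissect_raw(const uint8_t *buf, size_t len)
{
    (void)buf;
    return (int)len;            /* pretend every byte was consumed */
}

/* Toy dataformat table standing in for iax2_dataformat_dissector_table. */
#define FMT_RAW 1
static handle_t registry[] = { { "raw", dissect_raw } };
#define REGISTRY_LEN (sizeof registry / sizeof registry[0])

/* Same contract as dissector_get_port_handle: NULL when nothing is
 * registered for the requested dataformat. */
static handle_t *get_port_handle(int dataformat)
{
    return dataformat == FMT_RAW ? &registry[0] : NULL;
}

/* A handle is only valid if it is one of the entries we handed out. */
static int handle_is_registered(const handle_t *h)
{
    for (size_t i = 0; i < REGISTRY_LEN; i++)
        if (h == &registry[i])
            return 1;
    return 0;
}

/* Hardened setter: returns -1 for NULL or a pointer that is not a registry
 * entry instead of storing it and letting a later dereference crash. */
static int circuit_set_dissector_checked(circuit_t *c, handle_t *h)
{
    if (c == NULL || !handle_is_registered(h))
        return -1;
    c->dissector_handle = h;
    return 0;
}

/* Constructed reproduction of the smashed-locals symptom: a scratch buffer
 * next to the handle pointer is overrun with 0x1a bytes, so the pointer
 * read back afterwards is garbage, much like the 0x882c8c1a in the post. */
struct locals {
    char scratch[8];
    handle_t *s;
};

static handle_t *corrupted_handle(void)
{
    struct locals l;
    unsigned char junk[sizeof(struct locals)];

    l.s = get_port_handle(FMT_RAW);    /* the value the caller thinks it has */
    memset(junk, 0x1a, sizeof junk);
    memcpy(&l, junk, sizeof junk);     /* overrun spills from scratch into s */
    return l.s;
}

int main(void)
{
    circuit_t c = { NULL };
    uint8_t payload[4] = { 1, 2, 3, 4 };   /* constructed sample input */

    printf("known format:   %d\n", circuit_set_dissector_checked(&c, get_port_handle(FMT_RAW)));
    printf("dissected:      %d bytes\n", c.dissector_handle->dissector(payload, sizeof payload));
    printf("unknown format: %d\n", circuit_set_dissector_checked(&c, get_port_handle(99)));
    printf("corrupted:      %d\n", circuit_set_dissector_checked(&c, corrupted_handle()));
    return 0;
}
```

The registry membership test is the part worth carrying over: it catches both the NULL-for-unknown-format case and a pointer that has been overwritten, where a plain NULL check would only catch the first. It does nothing about the underlying stack overwrite itself; for that, rebuilding with a stack protector (where the compiler offers one) would turn the silent corruption into an immediate abort at the return of the smashed frame.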