Hi,
There is a bug in packet-x11.c, see the mails below for the history. In function
listOfKeycode a "buffer" of 1024 chars is used to store a string related to keycodes (?).
Ethereal crashes because the number of keycodes makes the string longer than that.
Just changing the definition to 4096, which does not seem to be a good solution, avoids
the crash. Unfortunately, I know nothing of X11, so I don't really know which would be
the way to really correct it (i.e. should it allow for a maximum of 1024 characters and
stop reading keycodes after that, should it use dynamic allocation of the string, etc.).
Anyway, the packet detail does not show the whole string in "buffer"; I don't know why.
I attach the sample capture and the trivial patch.
Regards,
Francisco
> > I have captured some network traffic using Ethereal 10.8 on a Debian
> > machine. The capturing went well. During the analysis of the captured file,
> > Ethereal 10.8 (both linux and win) crashes and tethereal reports a
> > segmentation fault. I managed to locate (one of) the problematic packet (it
> > is attached to this email). In Windows version opening the file causes the
> > crash. With tethereal (win) I have to specify some filtering to cause it,
> > e.g.:
> > tethereal -r crashing-2005-01-07.cap -w abc.cap tcp
> > The linux version of tethereal reports a segmentation fault in this case. I
> > managed to get the following message in some cases with windows version:
> >
> >
> > tethereal 0.10.8 (SVN 20050103222645)
> > Compiled with GLib 2.4.6, with libpcap 0.8.3, with libz 1.1.4, with libpcre
> > 4.4, with Net-SNMP 5.1, with ADNS.
> > Running with libpcap version 0.8.3 on Linux 2.4.21.
> >
> > has no problems with it on my box:
> >
> > : tethereal -r ~/mail/crashing-2005-01-07.cap
> > 1 0.000000 193.2.72.62 -> 213.157.237.128 TCP [TCP segment of a reassembled
> > PDU]
> >
> > Please, Andy, could you try with tcp filter:
> > : tethereal -r ~/mail/crashing-2005-01-07.cap tcp
> >
> > (with tethereal it crashes only when applying some filtering, in the case of
> > ethereal already opening the file causes the problem)
> >
> > I tested the case on two more machines (Win, Ethereal 10.7 and 10.4) and it
> > doesn't work there either.
>
> In my case tethereal crashes only when given "tcp" as filter, oddly
> enough I do not get a full backtrace. This is what I get:
> (gdb) run -r crashing-2005-01-07.cap tcp
> Starting program: /opt/local/bin/tethereal -r
> crashing-2005-01-07.cap tcp
>
> Program received signal EXC_BAD_ACCESS, Could not access memory.
> do_throw (except=0xbfffbad0) at except.c:174
> 174 const except_id_t *pi = catcher->except_id;
> (gdb) bt
> #0 do_throw (except=0xbfffbad0) at except.c:174
> #1 0x01a76960 in except_throw (group=1768322109, code=2,
> msg=0x1e42800 "XCEPT_GROUP_ETHEREAL") at except.c:256
> #2 0x01a904f4 in ensure_contiguous (tvb=0xbfffbad0, offset=2,
> length=31729664) at tvbuff.c:857
> #3 0x01dfd9a0 in listOfKeycode (tvb=0x38cf6e8, offsetp=0xbfffc030,
> t=0x1e42800, hf=-1073759536, modifiermap=0x68bc44,
> keycodes_per_modifier=230, little_endian=824174292) at
> packet-x11.c:1802
> #4 0x53686966 in ?? ()
> (gdb) frame 3
> #3 0x01dfd9a0 in listOfKeycode (tvb=0x38cf6e8, offsetp=0xbfffc030,
> t=0x1e42800, hf=-1073759536, modifiermap=0x68bc44,
> keycodes_per_modifier=230, little_endian=824174292) at
> packet-x11.c:1802
> 1802 p = tvb_get_ptr(tvb, *offsetp,
> keycodes_per_modifier);
> (gdb) p tvb
> $13 = (tvbuff_t *) 0x38cf6e8
> (gdb) p *offsetp
> $14 = 1026700568
> (gdb)
>
Attachment:
crashing-2005-01-07.cap
Description: Binary data
Attachment:
packet-x11.patch
Description: Binary data
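As an added illustration of the first option Francisco raises (keep the 1024-character buffer and stop once it is full), here is a bounded formatter that writes keycodes into a fixed buffer and drops whatever does not fit instead of overrunning it. This is example code, not Ethereal's packet-x11.c; the function names, the "kc kc kc" text format, the 8 x keycodes_per_modifier layout and the keycode values in the demo are assumptions.

```c
/* Added example, not code from Ethereal's packet-x11.c: a bounded formatter
 * that builds the keycode string into a fixed 1024-byte buffer and stops
 * when it is full.  format_keycodes(), KEYCODE_BUF_LEN, the output format
 * and the 8 x keycodes_per_modifier layout in the demo are assumptions. */
#include <stdio.h>
#include <string.h>

#define KEYCODE_BUF_LEN 1024   /* same size as the "buffer" in the report */

/* Append `count` keycodes to buf (capacity buflen) as "kc kc kc".
 * Returns how many keycodes were written.  The output is always
 * NUL-terminated and never exceeds buflen: surplus keycodes are dropped,
 * never written past the end of the buffer. */
static size_t format_keycodes(const unsigned char *keycodes, size_t count,
                              char *buf, size_t buflen)
{
    size_t used = 0, i;
    if (buflen == 0)
        return 0;
    buf[0] = '\0';
    for (i = 0; i < count; i++) {
        /* snprintf never writes more than buflen - used bytes, but returns
         * the length it wanted; n >= remaining means "did not fit". */
        int n = snprintf(buf + used, buflen - used, "%s%u",
                         i ? " " : "", (unsigned)keycodes[i]);
        if (n < 0 || (size_t)n >= buflen - used) {
            buf[used] = '\0';      /* discard the partially written entry */
            break;
        }
        used += (size_t)n;
    }
    return i;
}

/* Feed the shape seen in the backtrace (keycodes_per_modifier = 230, 8
 * modifiers, constructed keycode values) through a 1024-byte buffer and
 * report how many keycodes fit.  An unbounded sprintf/strcat loop would
 * have produced about 7 KB here, which is the overflow in the report. */
static size_t keycodes_that_fit(unsigned keycodes_per_modifier)
{
    unsigned char keycodes[8 * 256];
    char buf[KEYCODE_BUF_LEN];
    size_t total = 8u * keycodes_per_modifier, i;
    if (total > sizeof keycodes)
        total = sizeof keycodes;
    for (i = 0; i < total; i++)
        keycodes[i] = 255;         /* worst case: three digits per entry */
    return format_keycodes(keycodes, total, buf, sizeof buf);
}
```

With 230 keycodes per modifier only the first 256 of the 1840 entries fit in 1024 bytes; the remainder is dropped rather than written out of bounds.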