[Paul Offord <paul.offord@xxxxxxxxxxxxxx>]

Hi Martin,

Yep - you're right.  My colleague Neil spotted the stuff on Ethereal.com re
TDS dissects causing problems - I couldn't see it for looking.  He
downloaded 0.9.8 and hey presto - no problem.

Regards...Paul

-----Original Message-----
From: Martin Regner [mailto:martin.regner@xxxxxxxxx]
Sent: 07 January 2003 15:13
To: Paul Offord
Subject: Re: [Ethereal-users] c0000005 (access violation) in
proto_reg_handoff_netlib


Hi,

Did you try with Ethereal 0.9.8 ?
Guy Harris solved a lot of problems with the TDS dissector early in
December, just before the 0.9.8 release.
I noticed that there has been one more change after the 0.9.8 release, but I
think that's just a minor change.

Much of the people are both on the ethereal-user and ethereal-dev list, so I
don't know if it's necessary to
switch to that list.
It might not be good to send the capture to the list if it contains
sensitive data. One way of limiting the risks is
to send the packet that causes the crash (or as few packets as needed in
creating the fault) and maybe 
use text2pcap or similar to edit sensitive data.
If you still don't want to send it to the list then you can chose to send
the capture just to some well-known person 
on the list (e.g. Guy Harris that have made several of the other bugfixes
for TDS).

Regards,
 Martin


-----Original Message-----
From: Paul Offord <paul.offord@xxxxxxxxxxxxxx>
To: 'ethereal-users@xxxxxxxxxxxx' <ethereal-users@xxxxxxxxxxxx>
Date: Tuesday, January 07, 2003 3:50 PM
Subject: RE: [Ethereal-users] c0000005 (access violation) in
proto_reg_handoff_netlib


>I've found the packet that causes the problem by slicing the trace untill I
>was left with one packet - only 17 iterations which is not bad as the
>capture was 37 MB.  Now I can load this single packet capture and it
crashes
>Ethereal every time.
>
>I converted the single packet capture to Netmon format with editcap and
>interestingly Netmon 4 misinterprets it as an MSRPC packet - I've seen
>Netmon make this mistake before - and it definitely isn't MSRPC.  My
>colleague then loaded it into Netmon 5 and sure enough it interprets the
>data as TDS.  The record appears to be a response from a SQL Server 7 box
>giving a list of column names and attributes.  My colleague said that he
>believes it's SQL Server 7 as the column names are in ASCII not UNICODE -
>but I should stress that this is just our loose theory.
>
>I suppose I should now slip this over to the ethereal-dev list, right?
>
>Regards...Paul
>
>-----Original Message-----
>From: Paul Offord 
>Sent: 07 January 2003 13:19
>To: ethereal-users@xxxxxxxxxxxx
>Subject: RE: [Ethereal-users] c0000005 (access violation) in
>proto_reg_handoff_netlib
>
>
>Good call Martin.
>
>What I didn't say in my earlier posting was that I also get the problem
when
>loading capture files created with WinDump.  I did a quick test loading a
>capture I created yesterday with WinDump and Ethereal crashed.  I switched
>TDS off and the capture file loads OK.
>
>I'll try to find the packet that causes the problem.
>
>Best regards...Paul
>
>-----Original Message-----
>From: Martin Regner [mailto:martin.regner@xxxxxxxxx]
>Sent: 07 January 2003 12:43
>To: Paul Offord; ethereal-users@xxxxxxxxxxxx
>Subject: Re: [Ethereal-users] c0000005 (access violation) in
>proto_reg_handoff_netlib
>
>
>Paul Offord wrote:
>
>>Hi,
>>
>>I use Ethereal 0.9.7 with WinPcap 2.3 on Windows 2000 (Build 2195).  I
>>downloaded binary versions of both Ethereal and WinPcap.
>>
>>I have no problems capturing short traces.  However, if a capture a
>>reasonable size trace, the following happens:
>>
>>*  I hit Stop in the Capture window
>>*  A small message box appears showing the Loading status (the small bar
>>starts to move to show progress)
>>*  I get an error stating that Ethereal application has terminated.
>>
>>The Dr Watson log shows an Access Violation in proto_reg_handoff_netlib.
>>I've included the Stack Back Trace below (the parameters passed in the
>final
>>call to proto_reg_handoff_netlib don't look right).
>
>I guess that there is some memory overwrite in some protocol dissector. 
>The back trace you sent doesn't look reasonable.
>I guess that at least part of the back trace is corrupt due to that the
>memory has been overwritten.
>It may not be that the problem is in the TDS/Netlib dissector
>(packet-tds.c), but there has
>been some crash problem with that dissector.
>
>>
>>*  Is this a known problem?
>>
>>*  Is there a fix?
>
>The TDS/Netlib dissector has been changed after Ethereal 0.9.7. There were
>some crash
>problem with that dissector. 
>
>You can maybe start to disable TDS and Netlib protocol in Ethereal 0.9.7
>(Edit/Protocol .../Decoding/..) 
>and see if you still get problems. If you don't get the crash problem then
>you will know that it is probably
>the TDS/Netlib dissector that caused the crash.
>(If you still get problems with TDS/Netlib dissector disabled you can
>disable some more protocols).
>
>Then you can try to install Ethereal 0.9.8 and see if you still get
>problems. If so it would be good to get a capture of
>the packets that causes Ethereal to crash. You could e.g. disable all or
>almost all protocol dissectors in order to
>do the capturing without getting a crash (hopefully) and save the capture
to
>a file, and then enable protocols again
>and see if you get any crash.
>Be sure to not include any confidential data in the capture.
>
>>
>>*  What is the correct procedure for reporting Ethereal bugs?
>>
>
>
>I think you did the right things sending a mail with as much information as
>possible to the list.
>You've included info about Ethereal version, WinPcap version, OS and
>backtrace and other
>details and that is a very good start.
>_______________________________________________
>Ethereal-users mailing list
>Ethereal-users@xxxxxxxxxxxx
>http://www.ethereal.com/mailman/listinfo/ethereal-users