Ethereal-users: Re: [Ethereal-users] Segmentation Fault

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Andrew Hood <ajhood@xxxxxxxxx>
Date: Tue, 09 Nov 2004 08:17:45 +1100
Sebastian Felis wrote:
-- snip --

tethereal \
-r 2004-09-23.dump \
-l -n -R wlan \
-z proto,colinfo,wlan_mgt.tag.number,wlan_mgt.tag.number \
-z proto,colinfo,wlan_mgt.tag.interpretation,wlan_mgt.tag.interpretation \
-z proto,colinfo,wlan.fc.subtype,wlan.fc.subtype \
-z proto,colinfo,wlan.sa,wlan.sa \
-z proto,colinfo,frame.number,frame.number


I tried to detect the SEGV by ddd/gdb, but couldn't locate it well. The
SEGV occurs in the 5th packet while dissecting the TCP conversation by
allocating a new chunk (conversation.c:444).

I got a different crash. ethereal from SVN 20041016192915

Program received signal SIGSEGV, Segmentation fault.
0x40c9754b in free () from /lib/libc.so.6
(gdb) bt
#0  0x40c9754b in free () from /lib/libc.so.6
#1  0x40c973d3 in free () from /lib/libc.so.6
#2  0x40b8cd1d in g_free (mem=0x82110a8) at gmem.c:186
#3  0x401c1595 in string_fvalue_free (fv=0x8210414) at ftype-string.c:49
#4  0x401a12fb in proto_tree_free_node (node=0x820ed90, data=0x0) at proto.c:444
#5  0x401a237d in proto_tree_traverse_in_order (tree=0x820ed90, func=0x401a1280 <proto_tree_free_node>, data=0x0)
    at proto.c:373
#6  0x401a235c in proto_tree_traverse_in_order (tree=0x820eeb0, func=0x401a1280 <proto_tree_free_node>, data=0x0)
    at proto.c:368
#7  0x401a2327 in proto_tree_traverse_in_order (tree=0x820eec8, func=0x401a1280 <proto_tree_free_node>, data=0x0)
    at proto.c:353
#8  0x4019ecc4 in proto_tree_free (tree=0x820f330) at proto.c:368
#9  0x4019154c in epan_dissect_free (edt=0x820e908) at epan.c:169
#10 0x0805f709 in process_packet (cf=0x8097be0, pdh=0x0, offset=40, whdr=0x81e98e0, pseudo_header=0x81e98f4,
    pd=0x81f8a08 "D", err=0xbfffee28) at tethereal.c:2636
#11 0x0805f25a in load_cap_file (cf=0x8097be0, out_file_type=2) at tethereal.c:2375
#12 0x0805e2a4 in main (argc=17, argv=0xbffff034) at tethereal.c:1580
#13 0x40c4017d in __libc_start_main () from /lib/libc.so.6

valgrind gave the following before the segv, which makes a few allocations and initialisations suspect.

==19388== pthread_mutex_destroy: mutex is still in use
==19388==    at 0x40E32E24: pthread_error (vg_libpthread.c:288)
==19388==    by 0x40E33D70: __pthread_mutex_destroy (vg_libpthread.c:1015)
==19388==    by 0x40EEF62F: closedir (in /lib/libc-2.2.5.so)
==19388==    by 0x40D99590: g_dir_close (gdir.c:150)
==19388==    by 0x403B19D1: plugins_scan_dir (plugins.c:306)
==19388==    by 0x403B1A5F: init_plugins (plugins.c:387)
==19388== Reading syms from /lib/libnss_db-2.2.so
==19388==    object doesn't have a symbol table
==19388==    object doesn't have any debug info
==19388== Reading syms from /lib/libnss_files-2.2.5.so
==19388==    object doesn't have a symbol table
==19388==    object doesn't have any debug info
==19388==
==19388== Invalid write of size 1
==19388==    at 0x40021FA2: strcat (mac_replace_strmem.c:126)
==19388==    by 0x805FAFC: print_columns (tethereal.c:2813)
==19388==    by 0x805FDCD: print_packet (tethereal.c:3006)
==19388==    by 0x805F6AA: process_packet (tethereal.c:2603)
==19388==    by 0x805F259: load_cap_file (tethereal.c:2375)
==19388==    by 0x805E2A3: main (tethereal.c:1580)
==19388==    Address 0x43DD3E45 is 0 bytes after a block of size 513 alloc'd
==19388==    at 0x4002A1EE: realloc (vg_replace_malloc.c:310)
==19388==    by 0x40DA9CAA: g_realloc (gmem.c:169)
==19388==    by 0x805FAD6: print_columns (tethereal.c:2811)
==19388==    by 0x805FDCD: print_packet (tethereal.c:3006)
==19388==    by 0x805F6AA: process_packet (tethereal.c:2603)
==19388==    by 0x805F259: load_cap_file (tethereal.c:2375)
==19388==
==19388== Invalid write of size 1
==19388==    at 0x40021FAB: strcat (mac_replace_strmem.c:127)
==19388==    by 0x805FAFC: print_columns (tethereal.c:2813)
==19388==    by 0x805FDCD: print_packet (tethereal.c:3006)
==19388==    by 0x805F6AA: process_packet (tethereal.c:2603)
==19388==    by 0x805F259: load_cap_file (tethereal.c:2375)
==19388==    by 0x805E2A3: main (tethereal.c:1580)
==19388==    Address 0x43DD3E7B is not stack'd, malloc'd or free'd
==19388==
==19388== Conditional jump or move depends on uninitialised value(s)
==19388==    at 0x40EB2B33: _IO_fputs (in /lib/libc-2.2.5.so)
==19388==    by 0x8052BC9: print_line_text (print.c:858)
==19388==    by 0x8052730: print_line (print.c:797)
==19388==    by 0x805FCAF: print_columns (tethereal.c:2959)
==19388==    by 0x805FDCD: print_packet (tethereal.c:3006)
==19388==    by 0x805F6AA: process_packet (tethereal.c:2603)
==19388==
==19388== Conditional jump or move depends on uninitialised value(s)
==19388==    at 0x40EB2B3A: _IO_fputs (in /lib/libc-2.2.5.so)
==19388==    by 0x8052BC9: print_line_text (print.c:858)
==19388==    by 0x8052730: print_line (print.c:797)
==19388==    by 0x805FCAF: print_columns (tethereal.c:2959)
==19388==    by 0x805FDCD: print_packet (tethereal.c:3006)
==19388==    by 0x805F6AA: process_packet (tethereal.c:2603)
==19388==
==19388== Conditional jump or move depends on uninitialised value(s)
==19388==    at 0x40EB2B44: _IO_fputs (in /lib/libc-2.2.5.so)
==19388==    by 0x8052BC9: print_line_text (print.c:858)
==19388==    by 0x8052730: print_line (print.c:797)
==19388==    by 0x805FCAF: print_columns (tethereal.c:2959)
==19388==    by 0x805FDCD: print_packet (tethereal.c:3006)
==19388==    by 0x805F6AA: process_packet (tethereal.c:2603)
==19388==
==19388== Invalid read of size 4
==19388==    at 0x40EB2B2B: _IO_fputs (in /lib/libc-2.2.5.so)
==19388==    by 0x8052BC9: print_line_text (print.c:858)
==19388==    by 0x8052730: print_line (print.c:797)
==19388==    by 0x805FCAF: print_columns (tethereal.c:2959)
==19388==    by 0x805FDCD: print_packet (tethereal.c:3006)
==19388==    by 0x805F6AA: process_packet (tethereal.c:2603)
==19388==    Address 0x43DD3E48 is 3 bytes after a block of size 513 alloc'd
==19388==    at 0x4002A1EE: realloc (vg_replace_malloc.c:310)
==19388==    by 0x40DA9CAA: g_realloc (gmem.c:169)
==19388==    by 0x805FAD6: print_columns (tethereal.c:2811)
==19388==    by 0x805FDCD: print_packet (tethereal.c:3006)
==19388==    by 0x805F6AA: process_packet (tethereal.c:2603)
==19388==    by 0x805F259: load_cap_file (tethereal.c:2375)
==19388==
==19388== Invalid read of size 1
==19388==    at 0x40EBCC79: _IO_default_xsputn (in /lib/libc-2.2.5.so)
==19388==    by 0x40EBC09B: _IO_file_xsputn (in /lib/libc-2.2.5.so)
==19388==    by 0x40EB2BEE: _IO_fputs (in /lib/libc-2.2.5.so)
==19388==    by 0x8052BC9: print_line_text (print.c:858)
==19388==    by 0x8052730: print_line (print.c:797)
==19388==    by 0x805FCAF: print_columns (tethereal.c:2959)
==19388==    Address 0x43DD3E45 is 0 bytes after a block of size 513 alloc'd
==19388==    at 0x4002A1EE: realloc (vg_replace_malloc.c:310)
==19388==    by 0x40DA9CAA: g_realloc (gmem.c:169)
==19388==    by 0x805FAD6: print_columns (tethereal.c:2811)
==19388==    by 0x805FDCD: print_packet (tethereal.c:3006)
==19388==    by 0x805F6AA: process_packet (tethereal.c:2603)
==19388==    by 0x805F259: load_cap_file (tethereal.c:2375)


--
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who
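Editor's note: the valgrind report above pins the first "Invalid write of size 1" on a strcat in print_columns landing 0 bytes past a 513-byte block that print_columns itself had just g_realloc'd, i.e. the buffer was grown without room for what was about to be appended. The following is an added example, not tethereal's print_columns code and not from the Ethereal project: a hypothetical column-line builder that shows the undersized sizing rule next to a correct one, and an append routine that recomputes the required length (separator plus NUL included) before every realloc so strcat can never run past the block. The sample column values are constructed, not taken from the reporter's capture.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizing rule of the kind valgrind flags: the buffer is grown to hold the
 * old text plus the new field, but neither the separator nor the
 * terminating NUL is counted, so a following strcat writes 1..2 bytes past
 * the block. This function only computes the number; nothing here writes
 * with it. (Hypothetical, not tethereal's actual arithmetic.) */
size_t undersized_len(size_t cur_len, size_t field_len)
{
    return cur_len + field_len;
}

/* Correct rule: old text + optional separator + field + NUL. */
size_t needed_len(size_t cur_len, size_t field_len, int with_sep)
{
    return cur_len + (with_sep ? 1u : 0u) + field_len + 1u;
}

/* Append one column to a growable line. *cap tracks the allocated size so
 * the caller never has to guess it from strlen(). Returns the (possibly
 * moved) buffer, or NULL on allocation failure (old buffer freed). */
char *append_column(char *line, size_t *cap, const char *field)
{
    if (line == NULL)
        *cap = 0;                       /* no block yet: capacity is zero */
    size_t cur = line ? strlen(line) : 0;
    int sep = cur > 0;                  /* separator only between fields */
    size_t need = needed_len(cur, strlen(field), sep);

    if (need > *cap) {
        char *grown = realloc(line, need);
        if (grown == NULL) {
            free(line);
            return NULL;
        }
        line = grown;
        *cap = need;
        if (cur == 0)
            line[0] = '\0';             /* fresh block: start as "" */
    }
    if (sep)
        strcat(line, " ");
    strcat(line, field);                /* fits: need <= *cap by construction */
    return line;
}

/* Join an array of column strings with single spaces. Caller frees.
 * n == 0 yields an empty string rather than NULL. */
char *join_columns(const char *const *fields, size_t n)
{
    char *line = NULL;
    size_t cap = 0;
    for (size_t i = 0; i < n; i++) {
        line = append_column(line, &cap, fields[i]);
        if (line == NULL)
            return NULL;
    }
    if (line == NULL) {
        line = malloc(1);
        if (line)
            line[0] = '\0';
    }
    return line;
}

/* Constructed sample columns standing in for the kind of values the
 * -z proto,colinfo options add (frame.number, wlan.sa, wlan.fc.subtype);
 * not from the reporter's 2004-09-23.dump. */
static const char *const sample_cols[] = {
    "5", "0.004512", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "Beacon"
};

int main(void)
{
    size_t n = sizeof sample_cols / sizeof sample_cols[0];
    char *line = join_columns(sample_cols, n);
    if (line == NULL)
        return 1;
    printf("%s\n", line);
    printf("undersized rule: %zu bytes, needed: %zu bytes\n",
           undersized_len(3, 5), needed_len(3, 5, 1));
    free(line);
    return 0;
}
```

Running the builder under valgrind is the same check the reporter did: with needed_len driving the realloc there is nothing to report, whereas a buffer sized by undersized_len would reproduce exactly the "0 bytes after a block of size N alloc'd" write shown in the trace.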