Wireshark-bugs: [Wireshark-bugs] [Bug 1416] crash (stack smashing) on single DHCP packet
Date: Fri, 25 May 2007 21:19:42 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1416

------- Comment #7 from thomas.anders@xxxxxxxxxxxxx 2007-05-25 21:19 GMT -------

My glibc version is 2.5 (glibc-2.5-25 from openSUSE 10.2).

Interestingly enough, I can *not* reproduce the crash with
"tshark -o frame.force_docsis_encap:TRUE -n -x -V -r file.pcap", but only with
"wireshark -o frame.force_docsis_encap:TRUE -r file.pcap".

FWIW, the crash also happens if I completely remove my ~/.wireshark dir before
starting it, i.e. it also happens with default preferences.

Here's the requested gdb session:

--- snip ---
(gdb) r -o frame.force_docsis_encap:TRUE -r fuzz_bug_20070305a_1416_dhcp.pcap
Starting program: /bc/bin/wireshark -o frame.force_docsis_encap:TRUE -r fuzz_bug_20070305a_1416_dhcp.pcap
Failed to read a valid object file image from memory.
Error in re-setting breakpoint 2: No source file named packet-bootp.c.
Error in re-setting breakpoint 2: No source file named packet-bootp.c.
Breakpoint 2 at 0xb6e54e72: file packet-bootp.c, line 1467.
[Thread debugging using libthread_db enabled]
[New Thread -1245616448 (LWP 12240)]
[Switching to Thread -1245616448 (LWP 12240)]

Breakpoint 2, bootp_option (tvb=0x88e9918, bp_tree=0x0, voff=240, eoff=485, first_pass=1, at_end=0xbf8f9864, dhcp_type_p=0xbf8f9860, vendor_class_id_p=0xbf8f985c) at packet-bootp.c:1470
1470    }
(gdb) print consumed
$1 = 3
(gdb) c
Continuing.

Breakpoint 2, bootp_option (tvb=0x88e9918, bp_tree=0x0, voff=243, eoff=485, first_pass=1, at_end=0xbf8f9864, dhcp_type_p=0xbf8f9860, vendor_class_id_p=0xbf8f985c) at packet-bootp.c:1470
1470    }
(gdb) print consumed
$2 = 11
(gdb) c
Continuing.

Breakpoint 2, bootp_option (tvb=0x88e9918, bp_tree=0x0, voff=254, eoff=485, first_pass=1, at_end=0xbf8f9864, dhcp_type_p=0xbf8f9860, vendor_class_id_p=0xbf8f985c) at packet-bootp.c:1470
1470    }
(gdb) print consumed
$3 = 122
(gdb) c
Continuing.

Breakpoint 2, bootp_option (tvb=0x88e9918, bp_tree=0x0, voff=376, eoff=485, first_pass=1, at_end=0xbf8f9864, dhcp_type_p=0xbf8f9860, vendor_class_id_p=0xbf8f985c) at packet-bootp.c:1470
1470    }
(gdb) print consumed
$4 = 95
(gdb) c
Continuing.

Breakpoint 2, bootp_option (tvb=0x88e9918, bp_tree=0x0, voff=471, eoff=485, first_pass=1, at_end=0xbf8f9864, dhcp_type_p=0xbf8f9860, vendor_class_id_p=0xbf8f985c) at packet-bootp.c:1470
1470    }
(gdb) print consumed
$5 = 9
(gdb) c
Continuing.

Breakpoint 2, bootp_option (tvb=0x88e9918, bp_tree=0x0, voff=480, eoff=485, first_pass=1, at_end=0xbf8f9864, dhcp_type_p=0xbf8f9860, vendor_class_id_p=0xbf8f985c) at packet-bootp.c:1470
1470    }
(gdb) print consumed
$6 = 4
(gdb) c
Continuing.

Breakpoint 2, bootp_option (tvb=0x88e9918, bp_tree=0x0, voff=484, eoff=485, first_pass=1, at_end=0xbf8f9864, dhcp_type_p=0xbf8f9860, vendor_class_id_p=0xbf8f985c) at packet-bootp.c:1470
1470    }
(gdb) print consumed
$7 = 1
(gdb) c
Continuing.

Breakpoint 2, bootp_option (tvb=0x88e9918, bp_tree=0x8a6e890, voff=240, eoff=485, first_pass=0, at_end=0xbf8f9864, dhcp_type_p=0xbf8f9860, vendor_class_id_p=0xbf8f985c) at packet-bootp.c:1470
1470    }
(gdb) print consumed
$8 = 3
(gdb) c
Continuing.

Breakpoint 2, bootp_option (tvb=0x88e9918, bp_tree=0x8a6e890, voff=243, eoff=485, first_pass=0, at_end=0xbf8f9864, dhcp_type_p=0xbf8f9860, vendor_class_id_p=0xbf8f985c) at packet-bootp.c:1470
1470    }
(gdb) print consumed
$9 = 11
(gdb) c
Continuing.

Breakpoint 2, bootp_option (tvb=0x88e9918, bp_tree=0x8a6e890, voff=254, eoff=485, first_pass=0, at_end=0xbf8f9864, dhcp_type_p=0xbf8f9860, vendor_class_id_p=0xbf8f985c) at packet-bootp.c:1470
1470    }
(gdb) print consumed
$10 = 122
(gdb) c
Continuing.
*** stack smashing detected ***: /bc/bin/wireshark terminated

Program received signal SIGABRT, Aborted.
0xb7f3c410 in ?? ()
(gdb) print consumed
No symbol "consumed" in current context.
(gdb) bt
#0  0xb7f3c410 in ?? ()
#1  0xbf8f8f44 in ?? ()
#2  0x00000006 in ?? ()
#3  0x00002fd0 in ?? ()
#4  0xb5d43060 in raise () from /lib/libc.so.6
#5  0xb5d44801 in abort () from /lib/libc.so.6
#6  0xb5d78abb in __libc_message () from /lib/libc.so.6
#7  0xb5decd11 in __stack_chk_fail () from /lib/libc.so.6
#8  0xb758f3c4 in __stack_chk_fail_local () from /bc/wireshark-svn/lib/libwireshark.so.0
#9  0xb6e56745 in bootp_option (tvb=0x88e9918, bp_tree=0x8a6e890, voff=254, eoff=485, first_pass=0, at_end=0xbf8f9864, dhcp_type_p=0xbf8f9860, vendor_class_id_p=0xbf8f985c) at packet-bootp.c:1470
#10 0xb6e59b91 in dissect_bootp (tvb=0x88e9918, pinfo=0x8a6df30, tree=0x8a6e980) at packet-bootp.c:3243
#11 0xb6d5d106 in call_dissector_through_handle (handle=0x8696af0, tvb=0x88e9918, pinfo=0x8a6df30, tree=0x8a6e980) at packet.c:393
#12 0xb6d5d465 in call_dissector_work (handle=0x8696af0, tvb=0x88e9918, pinfo_arg=<value optimized out>, tree=0x8a6e980) at packet.c:571
#13 0xb6d5df4a in dissector_try_port (sub_dissectors=0x862b000, port=67, tvb=0x88e9918, pinfo=0x8a6df30, tree=0x8a6e980) at packet.c:847
#14 0xb723f79a in decode_udp_ports (tvb=0x88e9838, offset=8, pinfo=0x8a6df30, tree=0x8a6e980, uh_sport=68, uh_dport=67, uh_ulen=493) at packet-udp.c:152
#15 0xb723fdd8 in dissect (tvb=0x88e9838, pinfo=0x8a6df30, tree=0x8a6e980, ip_proto=1114112) at packet-udp.c:415
#16 0xb6d5d106 in call_dissector_through_handle (handle=0x8729558, tvb=0x88e9838, pinfo=0x8a6df30, tree=0x8a6e980) at packet.c:393
#17 0xb6d5d465 in call_dissector_work (handle=0x8729558, tvb=0x88e9838, pinfo_arg=<value optimized out>, tree=0x8a6e980) at packet.c:571
#18 0xb6d5df4a in dissector_try_port (sub_dissectors=0x83f5be8, port=17, tvb=0x88e9838, pinfo=0x8a6df30, tree=0x8a6e980) at packet.c:847
#19 0xb6ffe207 in dissect_ip (tvb=0x88e9870, pinfo=0x8a6df30, parent_tree=0x8a6e980) at packet-ip.c:1463
#20 0xb6d5d106 in call_dissector_through_handle (handle=0x83f91e8, tvb=0x88e9870, pinfo=0x8a6df30, tree=0x8a6e980) at packet.c:393
#21 0xb6d5d465 in call_dissector_work (handle=0x83f91e8, tvb=0x88e9870, pinfo_arg=<value optimized out>, tree=0x8a6e980) at packet.c:571
#22 0xb6d5df4a in dissector_try_port (sub_dissectors=0x8394100, port=2048, tvb=0x88e9870, pinfo=0x8a6df30, tree=0x8a6e980) at packet.c:847
#23 0xb6f45759 in ethertype (etype=2048, tvb=0x88e98a8, offset_after_etype=14, pinfo=0x8a6df30, tree=0x8a6e980, fh_tree=0x8a6e920, etype_id=11411, trailer_id=11413, fcs_len=0) at packet-ethertype.c:201
#24 0xb6f420f8 in dissect_eth_common (tvb=0x88e98a8, pinfo=0x8a6df30, parent_tree=0x8a6e980, fcs_len=0) at packet-eth.c:344
#25 0xb6d5d106 in call_dissector_through_handle (handle=0x83915e8, tvb=0x88e98a8, pinfo=0x8a6df30, tree=0x8a6e980) at packet.c:393
#26 0xb6d5d465 in call_dissector_work (handle=0x83915e8, tvb=0x88e98a8, pinfo_arg=<value optimized out>, tree=0x8a6e980) at packet.c:571
#27 0xb6d5dab6 in call_dissector (handle=0x0, tvb=0x88e98a8, pinfo=0x8a6df30, tree=0x8a6e980) at packet.c:1716
#28 0xb57197e1 in dissect_docsis (tvb=0x88e98e0, pinfo=0x8a6df30, tree=0x8a6e980) at packet-docsis.c:505
#29 0xb6d5d106 in call_dissector_through_handle (handle=0x8678310, tvb=0x88e98e0, pinfo=0x8a6df30, tree=0x8a6e980) at packet.c:393
#30 0xb6d5d465 in call_dissector_work (handle=0x8678310, tvb=0x88e98e0, pinfo_arg=<value optimized out>, tree=0x8a6e980) at packet.c:571
#31 0xb6d5dab6 in call_dissector (handle=0x0, tvb=0x88e98e0, pinfo=0x8a6df30, tree=0x8a6e980) at packet.c:1716
#32 0xb6f762db in dissect_frame (tvb=0x88e98e0, pinfo=0x8a6df30, parent_tree=0x8a6e980) at packet-frame.c:298
#33 0xb6d5d106 in call_dissector_through_handle (handle=0x83a6670, tvb=0x88e98e0, pinfo=0x8a6df30, tree=0x8a6e980) at packet.c:393
#34 0xb6d5d465 in call_dissector_work (handle=0x83a6670, tvb=0x88e98e0, pinfo_arg=<value optimized out>, tree=0x8a6e980) at packet.c:571
#35 0xb6d5dab6 in call_dissector (handle=0x0, tvb=0x88e98e0, pinfo=0x8a6df30, tree=0x8a6e980) at packet.c:1716
#36 0xb6d5fb30 in dissect_packet (edt=0x8a6df28, pseudo_header=0x8a171f4, pd=0x8a4f650 "\001\004\002\027\023", fd=0x81da418, cinfo=0x81b7bfc) at packet.c:329
#37 0xb6d56643 in epan_dissect_run (edt=0x8a6df28, pseudo_header=0x8a171f4, data=0x8a4f650 "\001\004\002\027\023", fd=0x81da418, cinfo=0x81b7bfc) at epan.c:200
#38 0x0807147d in add_packet_to_packet_list (fdata=0x81da418, cf=0x81a7ae0, dfcode=0x0, pseudo_header=0x8a171f4, buf=0x8a4f650 "\001\004\002\027\023", refilter=1) at file.c:956
#39 0x08072a15 in read_packet (cf=0x81a7ae0, dfcode=0x0, offset=577) at file.c:1089
#40 0x08073409 in cf_read (cf=0x81a7ae0) at file.c:494
#41 0x08088d74 in main (argc=0, argv=0xbf8fbac8) at main.c:2971
(gdb)
--- snap ---
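What the trace above establishes, read as an incident record: the first pass through bootp_option (bp_tree=0x0, first_pass=1) walks all seven options from voff=240 to eoff=485 without trouble, consuming 3, 11, 122, 95, 9, 4 and 1 bytes. The abort comes on the second pass (bp_tree=0x8a6e890, first_pass=0), at the same voff=254 option whose consumed value is 122, and frames #7 and #8 show it is raised by __stack_chk_fail, i.e. the GCC stack-protector canary of bootp_option's frame was overwritten while the option was being rendered into the tree. The comment does not identify the offending line in packet-bootp.c, so nothing below claims to. The following is an added example, not Wireshark code and not the reporter's: it rebuilds an options region with the same consumed sequence (option codes, the 120-byte value and the 64-byte scratch size are assumptions), walks it the way the trace does, and puts the unbounded-copy bug class that produces exactly this glibc message next to a bounded renderer that reports the truncation instead of overrunning the stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_OPT_PAD 0
#define DHCP_OPT_END 255
#define OPT_START    240   /* options follow the 236-byte header + 4-byte magic cookie */
#define SAMPLE_LEN   485   /* matches eoff=485 in the trace */
#define SCRATCH_LEN  64    /* assumed size of a fixed stack buffer in the renderer */

/* Bytes one option occupies at voff: 1 for pad/end, otherwise 2 + len.
 * Returns 0 when the length byte or the value would run past eoff. */
size_t dhcp_option_consumed(const uint8_t *buf, size_t voff, size_t eoff)
{
    if (voff >= eoff)
        return 0;
    if (buf[voff] == DHCP_OPT_PAD || buf[voff] == DHCP_OPT_END)
        return 1;
    if (voff + 2 > eoff || voff + 2 + buf[voff + 1] > eoff)
        return 0;                   /* no room for the length byte or the value */
    return 2 + buf[voff + 1];
}

/* Walk options from voff to eoff, storing each consumed value in out
 * (at most max entries). Stops at END or at a malformed option. */
size_t dhcp_walk_options(const uint8_t *buf, size_t voff, size_t eoff,
                         size_t *out, size_t max)
{
    size_t n = 0;
    while (voff < eoff && n < max) {
        size_t consumed = dhcp_option_consumed(buf, voff, eoff);
        if (consumed == 0)
            break;
        out[n++] = consumed;
        if (buf[voff] == DHCP_OPT_END)
            break;
        voff += consumed;
    }
    return n;
}

/* The bug class (hypothetical, not the packet-bootp.c code): the value is
 * copied into a fixed stack buffer with no check on len. A 120-byte value
 * overruns scratch[]; built with -fstack-protector, glibc then aborts with
 * "*** stack smashing detected ***" via __stack_chk_fail, as in the trace.
 * Kept only as the contrast; never call it with len >= SCRATCH_LEN. */
void render_value_unchecked(const uint8_t *val, size_t len)
{
    char scratch[SCRATCH_LEN];
    memcpy(scratch, val, len);      /* unbounded copy */
    scratch[len] = '\0';
    printf("%s\n", scratch);
}

/* Hardened form: copy at most dstlen-1 bytes (non-printables as '.'),
 * always NUL-terminate, and return the size the full value needs so the
 * caller can tell that truncation happened. */
size_t render_value_bounded(const uint8_t *val, size_t len, char *dst, size_t dstlen)
{
    size_t n = dstlen ? (len < dstlen - 1 ? len : dstlen - 1) : 0;
    for (size_t i = 0; i < n; i++)
        dst[i] = (val[i] >= 0x20 && val[i] < 0x7f) ? (char)val[i] : '.';
    if (dstlen)
        dst[n] = '\0';
    return len + 1;                 /* bytes the full value needs, NUL included */
}

static size_t put_opt(uint8_t *b, size_t off, uint8_t code, uint8_t len, uint8_t fill)
{
    b[off] = code; b[off + 1] = len; memset(b + off + 2, fill, len);
    return off + 2 + len;
}

/* Constructed sample: option lengths reproduce the consumed sequence
 * 3, 11, 122, 95, 9, 4, 1 from the trace; the option codes are assumptions. */
size_t build_sample(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf + 236, "\x63\x82\x53\x63", 4);   /* DHCP magic cookie */
    size_t off = OPT_START;
    off = put_opt(buf, off, 53, 1, 1);          /* voff 240: consumed 3   */
    off = put_opt(buf, off, 61, 9, 'c');        /* voff 243: consumed 11  */
    off = put_opt(buf, off, 60, 120, 'V');      /* voff 254: consumed 122 */
    off = put_opt(buf, off, 43, 93, 'x');       /* voff 376: consumed 95  */
    off = put_opt(buf, off, 55, 7, 1);          /* voff 471: consumed 9   */
    off = put_opt(buf, off, 57, 2, 2);          /* voff 480: consumed 4   */
    buf[off++] = DHCP_OPT_END;                  /* voff 484: consumed 1   */
    return off;                                 /* 485 == eoff */
}

int main(void)
{
    uint8_t pkt[SAMPLE_LEN];
    size_t consumed[16], eoff = build_sample(pkt), voff = OPT_START;
    size_t n = dhcp_walk_options(pkt, OPT_START, eoff, consumed, 16);
    char text[SCRATCH_LEN];
    for (size_t i = 0; i < n; voff += consumed[i++]) {
        const uint8_t *val = consumed[i] > 1 ? pkt + voff + 2 : NULL;
        size_t len = consumed[i] > 1 ? pkt[voff + 1] : 0;
        size_t need = render_value_bounded(val, len, text, sizeof text);
        printf("voff=%zu consumed=%zu%s\n", voff, consumed[i],
               need > sizeof text ? "  <- value overruns a 64-byte stack buffer" : "");
    }
    return 0;
}
```

Build with `gcc -O2 -fstack-protector-all -Wall` and the walk prints the same voff/consumed pairs as the breakpoint hits, flagging the voff=254 option as the one whose value does not fit the scratch buffer. Swapping render_value_bounded for render_value_unchecked at that option reproduces the glibc abort on the second pass, which is the quick way to confirm that a canary overwrite, and not a heap or tvb problem, is what the trace is reporting.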