Wireshark-bugs: [Wireshark-bugs] [Bug 2012] New: crash in emem.c 915, fuzz-2007-11-21-16867.pcap

Date: Fri, 23 Nov 2007 07:32:50 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2012

           Summary: crash in emem.c 915, fuzz-2007-11-21-16867.pcap
           Product: Wireshark
           Version: 0.99.7
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: florent.drouin@xxxxxxxxxx


Build Information:
 ./wireshark -v
wireshark 0.99.7pre1

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.4.13, with GLib 2.4.7, with libpcap 0.9.8, with libz
1.2.1.2, without libpcre, without SMI, without ADNS, without Lua, with GnuTLS
1.0.20, with Gcrypt 1.2.0, without Kerberos, without PortAudio, without
AirPcap.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.

Running on Linux 2.6.9-22.ELsmp, with libpcap version 0.9.8.

Built using gcc 3.4.4 20050721 (Red Hat 3.4.4-2).

--
 gdb ./testshark 
GNU gdb Red Hat Linux (6.3.0.0-1.63rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...Using host libthread_db
library "/lib64/tls/libthread_db.so.1".

(gdb) run
Starting program: /hp/src/wireshark-0.99.7pre1/testshark 
[Thread debugging using libthread_db enabled]
[New Thread 182936258176 (LWP 2369)]
08:27:17          Warn radius: Could not find the radius directory

(testshark:2369): Gtk-WARNING **: Could not find the icon 'gnome-fs-home'. The
'hicolor' theme
was not found either, perhaps you need to install it.
You can get a copy from:
        http://freedesktop.org/Software/icon-theme/releases
08:27:33          Warn Dissector bug, protocol USB, in packet 48: More than
1000000 items in the tree -- possible infinite loop
08:27:39          Warn Dissector bug, protocol USB, in packet 48: More than
1000000 items in the tree -- possible infinite loop

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 182936258176 (LWP 2369)]
0x0000002a9615cf7b in emem_tree_lookup32_le (se_tree=0x2a9bc27d28, key=58) at
emem.c:915
915             if(!node){
(gdb) print node
$1 = (emem_tree_node_t *) 0x3700000001
(gdb) where
#0  0x0000002a9615cf7b in emem_tree_lookup32_le (se_tree=0x2a9bc27d28, key=58)
at emem.c:915
#1  0x0000002a96532770 in dissect_usb_ms_bulk (tvb=0xe95a90, pinfo=0xebc7d0,
parent_tree=0xee88e0)
    at packet-usb-masstorage.c:357
#2  0x0000002a9616405c in call_dissector_through_handle (handle=0xc69440,
tvb=0xe95a90, pinfo=0xebc7d0, 
    tree=0xee88e0) at packet.c:396
#3  0x0000002a961646a1 in call_dissector_work (handle=0xc69440, tvb=0xe95a90,
pinfo_arg=0xebc7d0, tree=0xee88e0)
    at packet.c:485
#4  0x0000002a96164b29 in dissector_try_port (sub_dissectors=Variable
"sub_dissectors" is not available.
) at packet.c:870
#5  0x0000002a96531fba in dissect_linux_usb (tvb=0xe959e0, pinfo=0xebc7d0,
parent=0xee88e0) at packet-usb.c:1199
#6  0x0000002a9616405c in call_dissector_through_handle (handle=0xc693f0,
tvb=0xe959e0, pinfo=0xebc7d0, 
    tree=0xee88e0) at packet.c:396
#7  0x0000002a961646a1 in call_dissector_work (handle=0xc693f0, tvb=0xe959e0,
pinfo_arg=0xebc7d0, tree=0xee88e0)
    at packet.c:485
#8  0x0000002a96164b29 in dissector_try_port (sub_dissectors=Variable
"sub_dissectors" is not available.
) at packet.c:870
#9  0x0000002a96305ab8 in dissect_frame (tvb=0xe959e0, pinfo=0xebc7d0,
parent_tree=0xee88e0) at packet-frame.c:300
#10 0x0000002a9616405c in call_dissector_through_handle (handle=0x8dda70,
tvb=0xe959e0, pinfo=0xebc7d0, 
    tree=0xee88e0) at packet.c:396
#11 0x0000002a961646a1 in call_dissector_work (handle=0x8dda70, tvb=0xe959e0,
pinfo_arg=0xebc7d0, tree=0xee88e0)
    at packet.c:485
#12 0x0000002a9616601e in call_dissector (handle=0x8dda70, tvb=0xe959e0,
pinfo=0xebc7d0, tree=0xee88e0)
    at packet.c:1774
#13 0x0000002a961665ca in dissect_packet (edt=0xebc7c0, pseudo_header=Variable
"pseudo_header" is not available.
) at packet.c:332
#14 0x000000000042fe96 in add_packet_to_packet_list (fdata=0x2a9c616cc0,
cf=0x68bbe0, dfcode=0x0, 
    pseudo_header=0xeb03c8, buf=0xe74a50 "", refilter=1) at file.c:962
#15 0x000000000043014f in read_packet (cf=0x68bbe0, dfcode=0x0, offset=3882) at
file.c:1095
#16 0x00000000004309ef in cf_read (cf=0x68bbe0) at file.c:496
#17 0x000000000043434c in cf_reload (cf=0x68bbe0) at file.c:3792
#18 0x000000348ce0bfaa in g_closure_invoke () from
/usr/lib64/libgobject-2.0.so.0
#19 0x000000348ce2158a in g_signal_has_handler_pending () from
/usr/lib64/libgobject-2.0.so.0
#20 0x000000348ce22d36 in g_signal_emit_valist () from
/usr/lib64/libgobject-2.0.so.0
#21 0x000000348ce22efe in g_signal_emit_by_name () from
/usr/lib64/libgobject-2.0.so.0
#22 0x000000348ce0bfaa in g_closure_invoke () from
/usr/lib64/libgobject-2.0.so.0
#23 0x000000348ce2158a in g_signal_has_handler_pending () from
/usr/lib64/libgobject-2.0.so.0
#24 0x000000348ce22d36 in g_signal_emit_valist () from
/usr/lib64/libgobject-2.0.so.0
#25 0x000000348ce23083 in g_signal_emit () from /usr/lib64/libgobject-2.0.so.0
#26 0x000000381db6fe28 in gtk_button_get_alignment () from
/usr/lib64/libgtk-x11-2.0.so.0
#27 0x000000348ce0bfaa in g_closure_invoke () from
/usr/lib64/libgobject-2.0.so.0
#28 0x000000348ce20b90 in g_signal_has_handler_pending () from
/usr/lib64/libgobject-2.0.so.0
#29 0x000000348ce22d36 in g_signal_emit_valist () from
/usr/lib64/libgobject-2.0.so.0
#30 0x000000348ce23083 in g_signal_emit () from /usr/lib64/libgobject-2.0.so.0
#31 0x000000381db6f2e9 in gtk_button_set_relief () from
/usr/lib64/libgtk-x11-2.0.so.0
#32 0x000000381dc1aca6 in gtk_marshal_VOID__UINT_STRING () from
/usr/lib64/libgtk-x11-2.0.so.0
#33 0x000000348ce0bfaa in g_closure_invoke () from
/usr/lib64/libgobject-2.0.so.0
#34 0x000000348ce20f1c in g_signal_has_handler_pending () from
/usr/lib64/libgobject-2.0.so.0
#35 0x000000348ce2299d in g_signal_emit_valist () from
/usr/lib64/libgobject-2.0.so.0
#36 0x000000348ce23083 in g_signal_emit () from /usr/lib64/libgobject-2.0.so.0
#37 0x000000381dd05680 in gtk_widget_activate () from
/usr/lib64/libgtk-x11-2.0.so.0
#38 0x000000381dc18c8e in gtk_propagate_event () from
/usr/lib64/libgtk-x11-2.0.so.0
#39 0x000000381dc19015 in gtk_main_do_event () from
/usr/lib64/libgtk-x11-2.0.so.0
#40 0x000000381d944b20 in gdk_event_get_graphics_expose () from
/usr/lib64/libgdk-x11-2.0.so.0
#41 0x000000348c4266bd in g_main_context_dispatch () from
/usr/lib64/libglib-2.0.so.0
#42 0x000000348c428397 in g_main_context_acquire () from
/usr/lib64/libglib-2.0.so.0
#43 0x000000348c428735 in g_main_loop_run () from /usr/lib64/libglib-2.0.so.0
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb)

