Wireshark-bugs: [Wireshark-bugs] [Bug 2014] New: crash at packet-sctp.c:2288 fuzz-2007-11-23-310

Date: Fri, 23 Nov 2007 08:09:45 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2014

           Summary: crash at packet-sctp.c:2288 fuzz-2007-11-23-31074.pcap
           Product: Wireshark
           Version: SVN
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: florent.drouin@xxxxxxxxxx


Build Information:
~/wireshark_TRUNK23543$ ./wireshark -v
wireshark 0.99.8

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.6.4, with GLib 2.6.4, with libpcap 0.9-PRE-CVS, with libz
1.2.2, with libpcre 4.5, without SMI, with ADNS, without Lua, with GnuTLS
1.0.16, with Gcrypt 1.2.0, with Heimdal Kerberos, without PortAudio, without
AirPcap.

Running on Linux 2.6.15.7, with libpcap version 0.9-PRE-CVS.

Built using gcc 3.3.5 (Debian 1:3.3.5-13).

--
:~/wireshark_TRUNK23543$ gdb ./testshark 
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library
"/lib/tls/libthread_db.so.1".

(gdb) run
Starting program: /home/endace/wireshark_TRUNK23543/testshark 
[Thread debugging using libthread_db enabled]
[New Thread -1249147840 (LWP 29103)]
09:04:29          Warn radius: Could not find the radius directory

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1249147840 (LWP 29103)]
0xb6dbbe34 in add_fragment (tvb=0x8710054, pinfo=0x880c830, tree=0x0, tsn=1789, stream_id=1789, stream_seq_num=62352, b_bit=0 '\0', e_bit=1 '\001') at packet-sctp.c:2288
2288          if (msg->begins->fragment->tsn > beginend->fragment->tsn) {
(gdb) where
#0  0xb6dbbe34 in add_fragment (tvb=0x8710054, pinfo=0x880c830, tree=0x0, tsn=1789, stream_id=1789, stream_seq_num=62352, b_bit=0 '\0', e_bit=1 '\001') at packet-sctp.c:2288
#1  0xb6dbcb86 in dissect_fragmented_payload (payload_tvb=0x8710054, pinfo=0x880c830, tree=0x8718880, chunk_tree=0x87188c8, tsn=0, ppi=3, stream_id=1, stream_seq_num=864, b_bit=0 '\0', e_bit=1 '\001') at packet-sctp.c:2637
#2  0xb6dbd214 in dissect_data_chunk (chunk_tvb=0x870fd48, chunk_length=44, pinfo=0x880c830, tree=0x8718880, chunk_tree=0x87188c8, chunk_item=0x87188c8, flags_item=0x0, ha=0x0) at packet-sctp.c:2793
#3  0xb6dbec9f in dissect_sctp_chunk (chunk_tvb=0x870fd48, pinfo=0x880c830, tree=0x8718880, sctp_tree=0x0, ha=0x0, useinfo=1) at packet-sctp.c:3402
#4  0xb6dbf1d1 in dissect_sctp_chunks (tvb=0x8710088, pinfo=0x880c830, tree=0x8718880, sctp_item=0x87190d8, sctp_tree=0x87190d8, ha=0x0, encapsulated=0) at packet-sctp.c:3517
#5  0xb6dbf5bf in dissect_sctp_packet (tvb=0x8710088, pinfo=0x880c830, tree=0x8718880, encapsulated=0) at packet-sctp.c:3665
#6  0xb6dbfb3d in dissect_sctp (tvb=0x8710088, pinfo=0x880c830, tree=0x0) at packet-sctp.c:3712
#7  0xb6843b64 in call_dissector_through_handle (handle=0x84d97b0, tvb=0x8710088, pinfo=0x880c830, tree=0x8718880) at packet.c:396
#8  0xb6843c72 in call_dissector_work (handle=0x84d97b0, tvb=0x8710088, pinfo_arg=0x880c830, tree=0x8718880) at packet.c:485
#9  0xb6844587 in dissector_try_port (sub_dissectors=0x0, port=132, tvb=0x0, pinfo=0x880c830, tree=0x0) at packet.c:870
#10 0xb6ae9ff2 in dissect_ip (tvb=0x870fd14, pinfo=0x880c830, parent_tree=0x8718880) at packet-ip.c:1564
#11 0xb6843b64 in call_dissector_through_handle (handle=0x83f1480, tvb=0x870fd14, pinfo=0x880c830, tree=0x8718880) at packet.c:396
#12 0xb6843c72 in call_dissector_work (handle=0x83f1480, tvb=0x870fd14, pinfo_arg=0x880c830, tree=0x8718880) at packet.c:485
#13 0xb6844587 in dissector_try_port (sub_dissectors=0x0, port=2048, tvb=0x0, pinfo=0x880c830, tree=0x0) at packet.c:870
#14 0xb6a37d27 in ethertype (etype=2048, tvb=0x870fce0, offset_after_etype=14, pinfo=0x880c830, tree=0x8718880, fh_tree=0x8718940, etype_id=0, trailer_id=12399, fcs_len=-1) at packet-ethertype.c:214
#15 0xb6a34921 in dissect_eth_common (tvb=0x870fce0, pinfo=0x880c830, parent_tree=0x8718880, fcs_len=-1) at packet-eth.c:333
#16 0xb6a350a8 in dissect_eth_maybefcs (tvb=0x0, pinfo=0x87bc870, tree=0x0) at packet-eth.c:455
#17 0xb6843b64 in call_dissector_through_handle (handle=0x85364e0, tvb=0x870fce0, pinfo=0x880c830, tree=0x8718880) at packet.c:396
#18 0xb6843c72 in call_dissector_work (handle=0x85364e0, tvb=0x870fce0, pinfo_arg=0x880c830, tree=0x8718880) at packet.c:485
#19 0xb6844587 in dissector_try_port (sub_dissectors=0x0, port=1, tvb=0x0, pinfo=0x880c830, tree=0x0) at packet.c:870
#20 0xb6a67c9a in dissect_frame (tvb=0x870fce0, pinfo=0x880c830, parent_tree=0x8718880) at packet-frame.c:300
#21 0xb6843b64 in call_dissector_through_handle (handle=0x83a9cb8, tvb=0x870fce0, pinfo=0x880c830, tree=0x8718880) at packet.c:396
#22 0xb6843c72 in call_dissector_work (handle=0x83a9cb8, tvb=0x870fce0, pinfo_arg=0x880c830, tree=0x8718880) at packet.c:485
#23 0xb6845952 in call_dissector (handle=0x0, tvb=0x870fce0, pinfo=0x880c830, tree=0x8718880) at packet.c:1774
#24 0xb6843ae7 in dissect_packet (edt=0x880c828, pseudo_header=0x0, pd=0x82b0b38 "", fd=0x8839460, cinfo=0x0)
---Type <return> to continue, or q <return> to quit---q
 at packet.c:Quit
(gdb)

