Wireshark-bugs: [Wireshark-bugs] [Bug 2392] New: Segmentation Fault in BSSAPP
Date: Thu, 27 Mar 2008 22:02:31 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2392

           Summary: Segmentation Fault in BSSAPP
           Product: Wireshark
           Version: 0.99.8
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Critical
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: rbywater@xxxxxxxxxx
                CC: rbywater@xxxxxxxxxx

Build Information:
Version 0.99.8

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.0, with GLib 2.14.1, with libpcap 0.9.7, with libz
1.2.3.3, without libpcre, without SMI, without ADNS, without Lua, without
GnuTLS, without Gcrypt, without Kerberos, without PortAudio, without AirPcap.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
syntax.

Running on Linux 2.6.22-14-generic, with libpcap version 0.9.7.

Built using gcc 4.1.3 20070929 (prerelease) (Ubuntu 4.1.2-16ubuntu2).

Wireshark is Open Source Software released under the GNU General Public License.

Check the man page and http://www.wireshark.org for more information.
--
When I load the attached capture file, then do a "decode as" to NSIP on any of
the packets with UDP ports 2200x or 2300x wireshark segmentation faults.

I ran gdb on wireshark and determined that the crash occurs in packet-bssap.c
and it appears that pinfo->sccp_info->data.co.assoc is bad.

Here is all the gdb output from what little I did:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1247455568 (LWP 32359)]
dissect_bssap (tvb=0x89714f8, pinfo=0x9a602f0, tree=0x8a080d0) at packet-bssap.c:585
585             pinfo->sccp_info->data.co.assoc->payload = SCCP_PLOAD_BSSAP;
(gdb) bt
#0 dissect_bssap (tvb=0x89714f8, pinfo=0x9a602f0, tree=0x8a080d0) at packet-bssap.c:585
#1 0xb6968c64 in dissect_bssap_heur (tvb=0x89714f8, pinfo=0x9a602f0, tree=0x8a080d0) at packet-bssap.c:2160
#2 0xb6871b26 in dissector_try_heuristic (sub_dissectors=0x86c8998, tvb=0x89714f8, pinfo=0x9a602f0, tree=0x8a080d0) at packet.c:1595
#3 0xb6d6e71c in dissect_sua (message_tvb=0x8c15418, pinfo=0x9a602f0, tree=0x8a080d0) at packet-sua.c:1880
#4 0xb6871a18 in call_dissector_through_handle (handle=0x8724218, tvb=0x8c15418, pinfo=0x9a602f0, tree=0x8a080d0) at packet.c:396
#5 0xb6872213 in call_dissector_work (handle=0x8724218, tvb=0x8c15418, pinfo_arg=0x9a602f0, tree=0x8a080d0) at packet.c:485
#6 0xb6872683 in dissector_try_port (sub_dissectors=0x86606d8, port=4, tvb=0x8c15418, pinfo=0x9a602f0, tree=0x8a080d0) at packet.c:870
#7 0xb6e1acf5 in dissect_payload (payload_tvb=0x8c15418, pinfo=0x9a602f0, tree=0x8a080d0, ppi=4) at packet-sctp.c:1987
#8 0xb6e1b707 in dissect_data_chunk (chunk_tvb=0x8a564e0, chunk_length=140, pinfo=0x9a602f0, tree=0x8a080d0, chunk_tree=0x8a081d8, chunk_item=0x8a081d8, flags_item=0x8a081d8, ha=0x0) at packet-sctp.c:2750
#9 0xb6e1f26d in dissect_sctp_chunk (chunk_tvb=0x8a564e0, pinfo=0x9a602f0, tree=0x8a080d0, sctp_tree=0x89b8200, ha=0x0, useinfo=1) at packet-sctp.c:3405
#10 0xb6e20027 in dissect_sctp_packet (tvb=0x8a57248, pinfo=0x9a602f0, tree=0x8a080d0, encapsulated=0) at packet-sctp.c:3520
#11 0xb6e20905 in dissect_sctp (tvb=0x8a57248, pinfo=0x9a602f0, tree=0x8a080d0) at packet-sctp.c:3715
#12 0xb6871a18 in call_dissector_through_handle (handle=0x8661960, tvb=0x8a57248, pinfo=0x9a602f0, tree=0x8a080d0) at packet.c:396
#13 0xb6872213 in call_dissector_work (handle=0x8661960, tvb=0x8a57248, pinfo_arg=0x9a602f0, tree=0x8a080d0) at packet.c:485
#14 0xb6872683 in dissector_try_port (sub_dissectors=0x85451b8, port=132, tvb=0x8a57248, pinfo=0x9a602f0, tree=0x8a080d0) at packet.c:870
#15 0xb6b40218 in dissect_ip (tvb=0x8c14f50, pinfo=0x9a602f0, parent_tree=0x8a080d0) at packet-ip.c:1563
#16 0xb6871a18 in call_dissector_through_handle (handle=0x8545bf0, tvb=0x8c14f50, pinfo=0x9a602f0, tree=0x8a080d0) at packet.c:396
#17 0xb6872213 in call_dissector_work (handle=0x8545bf0, tvb=0x8c14f50, pinfo_arg=0x9a602f0, tree=0x8a080d0) at packet.c:485
#18 0xb6872683 in dissector_try_port (sub_dissectors=0x84a10a0, port=2048, tvb=0x8c14f50, pinfo=0x9a602f0, tree=0x8a080d0) at packet.c:870
#19 0xb6a6b0d5 in ethertype (etype=2048, tvb=0x8c15568, offset_after_etype=14, pinfo=0x9a602f0, tree=0x8a080d0, fh_tree=0x8a08370, etype_id=13055, trailer_id=13057, fcs_len=-1) at packet-ethertype.c:214
#20 0xb6a67fba in dissect_eth_common (tvb=0x8c15568, pinfo=0x9a602f0, parent_tree=0x8a080d0, fcs_len=-1) at packet-eth.c:338
#21 0xb6871a18 in call_dissector_through_handle (handle=0x86d8038, tvb=0x8c15568, pinfo=0x9a602f0, tree=0x8a080d0) at packet.c:396
#22 0xb6872213 in call_dissector_work (handle=0x86d8038, tvb=0x8c15568, pinfo_arg=0x9a602f0, tree=0x8a080d0) at packet.c:485
#23 0xb6872683 in dissector_try_port (sub_dissectors=0x84bb880, port=1, tvb=0x8c15568, pinfo=0x9a602f0, tree=0x8a080d0) at packet.c:870
#24 0xb6ab3f34 in dissect_frame (tvb=0x8c15568, pinfo=0x9a602f0, parent_tree=0x8a080d0) at packet-frame.c:305
#25 0xb6871a18 in call_dissector_through_handle (handle=0x84cfd00, tvb=0x8c15568, pinfo=0x9a602f0, tree=0x8a080d0) at packet.c:396
#26 0xb6872213 in call_dissector_work (handle=0x84cfd00, tvb=0x8c15568, pinfo_arg=0x9a602f0, tree=0x8a080d0) at packet.c:485
#27 0xb687233a in call_dissector (handle=0x84cfd00, tvb=0x8c15568, pinfo=0x9a602f0, tree=0x8a080d0) at packet.c:1787
#28 0xb6873e87 in dissect_packet (edt=0x9a602e8, pseudo_header=0x81a07f8, pd=0x81a0888 "", fd=0xa76a458, cinfo=0x81b089c) at packet.c:332
#29 0xb686ab5e in epan_dissect_run (edt=0x9a602e8, pseudo_header=0x81a07f8, data=0x81a0888 "", fd=0xa76a458, cinfo=0x81b089c) at epan.c:161
#30 0x08073b48 in add_packet_to_packet_list (fdata=0xa76a458, cf=0x81a0780, dfcode=0x0, pseudo_header=0x81a07f8, buf=0x81a0888 "", refilter=1) at file.c:964
#31 0x08073f12 in rescan_packets (cf=0x81a0780, action=0x812fdfa "Reprocessing", action_item=0x8142fbe "all packets",
---Type <return> to continue, or q <return> to quit---q
refilterQuit
) at file.c:1615
#32 0x08074317 in cf_redissect_packets (cf=0x81a0780) at file.c:1426
#33 0xb5da4c09 in g_cclosure_marshal_VOID__VOID () from /usr/lib/libgobject-2.0.so.0
#34 0xb5d97772 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#35 0xb5da8323 in ?? () from /usr/lib/libgobject-2.0.so.0
#36 0x0dd02d00 in ?? ()
#37 0x00000000 in ?? ()
(gdb) l
580             {
581                     col_set_str(pinfo->cinfo, COL_PROTOCOL, ((bssap_or_bsap_global == BSSAP) ? "BSSAP" : "BSAP"));
582             }
583
584             if ( pinfo->sccp_info && pinfo->sccp_info->data.co.assoc )
585                     pinfo->sccp_info->data.co.assoc->payload = SCCP_PLOAD_BSSAP;
586
587             /*
588              * create the bssap protocol tree
589              */
(gdb) p pinfo
$1 = (packet_info *) 0x9a602f0
(gdb) p pinfo->sccp_info
$2 = (struct _sccp_msg_info_t *) 0xb1b78b60
(gdb) p pinfo->sccp_info->data
data dataDigestSize data_handle data_rate data_state_vals
data1 data_control_vals data_handles.11233 data_reassembled_table data_type_vals
data2 data_flag data_len data_sequencing_vals datafile_dir.8566
data3 data_frag_items data_link_info_t data_source datasizes.10941
data4 data_fragment_table data_msg data_src
dataDigestIsCRC32 data_halted_vals data_out_file data_start
(gdb) p pinfo->sccp_info->data.co.assoc
$3 = (struct _sccp_assoc_info_t *) 0x39f82856
(gdb) p pinfo->sccp_info->data.co.assoc->payload
Cannot access memory at address 0x39f82876
(gdb) p pinfo->sccp_info->data.co.assoc
$4 = (struct _sccp_assoc_info_t *) 0x39f82856
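
Added example (not part of the original report and not Wireshark code): a small triage helper that parses a gdb backtrace like the one above, even when an archive has flattened it onto one line, and lists the crash site and the chain of dissectors on the stack. The names parse_frames and dissector_chain are hypothetical, and the sample frames are excerpted from the report with long argument lists shortened.

```python
import re

# Frames excerpted from the backtrace in the report above; long argument
# lists are shortened to "..." here, everything else is as posted.
BACKTRACE = """\
#0 dissect_bssap (tvb=0x89714f8, pinfo=0x9a602f0, tree=0x8a080d0) at packet-bssap.c:585
#1 0xb6968c64 in dissect_bssap_heur (tvb=0x89714f8, ...) at packet-bssap.c:2160
#2 0xb6871b26 in dissector_try_heuristic (sub_dissectors=0x86c8998, ...) at packet.c:1595
#3 0xb6d6e71c in dissect_sua (message_tvb=0x8c15418, ...) at packet-sua.c:1880
#7 0xb6e1acf5 in dissect_payload (payload_tvb=0x8c15418, ..., ppi=4) at packet-sctp.c:1987
#11 0xb6e20905 in dissect_sctp (tvb=0x8a57248, ...) at packet-sctp.c:3715
#15 0xb6b40218 in dissect_ip (tvb=0x8c14f50, ...) at packet-ip.c:1563
#20 0xb6a67fba in dissect_eth_common (tvb=0x8c15568, ...) at packet-eth.c:338
#24 0xb6ab3f34 in dissect_frame (tvb=0x8c15568, ...) at packet-frame.c:305
#33 0xb5da4c09 in g_cclosure_marshal_VOID__VOID () from /usr/lib/libgobject-2.0.so.0
"""

# One gdb frame: "#N [0xADDR in] func (args) at file:line" or "... from lib".
# Only whitespace (\s+) separates the parts, so wrapped or flattened text parses.
FRAME_RE = re.compile(
    r"#(\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(\S+)\s+\(([^()]*)\)\s+"
    r"(?:at\s+(\S+?):(\d+)|from\s+(\S+))")

def parse_frames(text):
    """Return one dict per frame found in gdb 'bt' output."""
    frames = []
    for m in FRAME_RE.finditer(text):
        num, func, args, src, line, lib = m.groups()
        frames.append({"n": int(num), "func": func, "file": src or lib,
                       "line": int(line) if line else None})
    return frames

def dissector_chain(frames):
    """Protocols on the stack, outermost first, taken from packet-<proto>.c."""
    chain = []
    for f in reversed(frames):
        m = re.fullmatch(r"packet-(\w+)\.c", f["file"])
        if m and (not chain or chain[-1] != m.group(1)):
            chain.append(m.group(1))
    return chain

if __name__ == "__main__":
    frames = parse_frames(BACKTRACE)
    top = frames[0]
    print("crash site:", top["func"], top["file"], top["line"])
    print("dissector chain:", " > ".join(dissector_chain(frames)))
```

For this report the chain comes out as frame > eth > ip > sctp > sua > bssap, with no packet-sccp.c frame on the stack at the point where pinfo->sccp_info is dereferenced.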