https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2870
--- Comment #2 from Jaap Keuter <jaap.keuter@xxxxxxxxx> 2008-09-14 05:40:14 PDT ---
Tracing the data even further down the ISUP dissector you end up at the cross-
dissector call from ISUP to Q.931 (dissect_q931_cause_ie). This would be ok,
until dissect_q931_cause_ie() has to decide to store the cause value in the
packet info. That is governed by the have_valid_q931_pi semaphore, which is set
when the appropriate storage is allocated and cleared when the storage is
passed to the tap.
This is perfectly ok, until an exception occurs. Then the ephemerally allocated
storage is released but the semaphore remains. When ISUP comes along
dissect_q931_cause_ie() stores the cause value through a dangling pointer,
hence corrupting the per packet storage.
trunk/epan/dissectors/packet-q931.c line 1252
trunk-1.0/epan/dissectors/packet-q931.c line 1234
Next question is, do exceptions occur? Indeed, packets 112, 113, 266, 267, 420
and 421 have exceptions in their Q.931 dissection, setting the stage for
this crash.
The workaround (disable ISUP) works. The short-term solution would be to 1)
make a safe version of dissect_q931_cause_ie() and/or 2) solve the Q.931
exceptions.
The long-term solution is to be found in a deeper design change, where the use
of dissector-scoped module variables is eliminated in support of
multithreading.
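An added illustration of the failure mode described in this comment (this is not Wireshark code; the arena, the handler names and the struct are assumptions modelled on the description): a per-packet arena is released on an exception while the validity flag stays set, so the next packet's allocation at the same offset is overwritten through the stale pointer. The fixed handler clears the flag wherever the storage goes away.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-packet ("ephemeral") arena: released in bulk after each
 * packet. The memory stays mapped, so a stale pointer into it silently
 * aliases whatever the next packet allocates at the same offset. */
static union { char bytes[64]; long long align; } ep_pool;
static size_t ep_used;

static void *ep_alloc(size_t n) { void *p = ep_pool.bytes + ep_used; ep_used += n; return p; }
static void  ep_free_all(void)  { ep_used = 0; }   /* what the exception path does */

typedef struct { int cause_value; } q931_pi_t;

static q931_pi_t *q931_pi;             /* dissector-scoped module variable */
static bool       have_valid_q931_pi;  /* the "semaphore" from the comment */

static void q931_alloc_pi(void) {
    q931_pi = ep_alloc(sizeof *q931_pi);
    have_valid_q931_pi = true;
}

/* Buggy: the storage is released but the flag is left set. */
static void on_exception_buggy(void) { ep_free_all(); }
/* Fixed: every path that drops the storage also clears the flag. */
static void on_exception_fixed(void) { ep_free_all(); have_valid_q931_pi = false; }

static void q931_store_cause(int cause) {
    if (have_valid_q931_pi) q931_pi->cause_value = cause;   /* trusts the flag only */
}

/* Packet N: Q.931 allocates its pi, then an exception releases the arena.
 * Packet N+1: another dissector's buffer lands at the same offset, then ISUP
 * calls into the Q.931 cause IE code. Returns true if that call corrupted it. */
static bool run_scenario(void (*on_exception)(void)) {
    q931_alloc_pi();
    on_exception();
    char *other = ep_alloc(8);              /* next packet reuses the arena */
    memcpy(other, "ABCDEFG", 8);            /* constructed sample content */
    q931_store_cause(16);                   /* ISUP -> dissect_q931_cause_ie */
    bool corrupted = memcmp(other, "ABCDEFG", 8) != 0;
    have_valid_q931_pi = false;             /* reset state for the next run */
    ep_free_all();
    return corrupted;
}

int main(void) {
    printf("buggy handler corrupts next packet: %s\n", run_scenario(on_exception_buggy) ? "yes" : "no");
    printf("fixed handler corrupts next packet: %s\n", run_scenario(on_exception_fixed) ? "yes" : "no");
    return 0;
}
```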