Wireshark-bugs: [Wireshark-bugs] [Bug 3409] Wireshark Crashes in dissect_bssapp With Invalid scc

Date: Tue, 14 Apr 2009 14:26:35 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3409
--- Comment #5 from Rick Bywater <rbywater@xxxxxxxxxx>  2009-04-14 14:26:32 PDT ---
I do not know if this will be as useful as dumpfiles that induce the failure,
but here are the gdb details:

rbywater@rbubu:~$ gdb wireshark
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) r
Starting program: /usr/local/bin/wireshark 
[Thread debugging using libthread_db enabled]
[New Thread 0x7f82a19d5790 (LWP 19382)]
[New Thread 0x41e61950 (LWP 19385)]
[New Thread 0x42662950 (LWP 19386)]
[New Thread 0x40c98950 (LWP 19387)]
[Thread 0x40c98950 (LWP 19387) exited]
[Thread 0x41e61950 (LWP 19385) exited]
[New Thread 0x41e61950 (LWP 19388)]
[Thread 0x41e61950 (LWP 19388) exited]
[New Thread 0x41e61950 (LWP 19397)]
[Thread 0x41e61950 (LWP 19397) exited]
[New Thread 0x41e61950 (LWP 19398)]
[Thread 0x41e61950 (LWP 19398) exited]
[New Thread 0x41e61950 (LWP 19399)]
[New Thread 0x40c98950 (LWP 19401)]
[Thread 0x41e61950 (LWP 19399) exited]
[Thread 0x40c98950 (LWP 19401) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f82a19d5790 (LWP 19382)]
dissect_bssap (tvb=0x3a95460, pinfo=0x44e2010, tree=0x3b39f90) at
packet-bssap.c:585
585                     pinfo->sccp_info->data.co.assoc->payload =
SCCP_PLOAD_BSSAP;
(gdb) bt
#0  dissect_bssap (tvb=0x3a95460, pinfo=0x44e2010, tree=0x3b39f90) at
packet-bssap.c:585
#1  0x00007f829fa660d4 in dissect_bssap_heur (tvb=0x3a95460, pinfo=0x44e2010,
tree=0x3b39f90) at packet-bssap.c:2160
#2  0x00007f829f99601c in dissector_try_heuristic (sub_dissectors=<value
optimized out>, tvb=0x3a95460, pinfo=0x44e2010, tree=0x3b39f90)
    at packet.c:1595
#3  0x00007f829fd9d3a6 in dissect_sua (message_tvb=0x373ec00, pinfo=0x44e2010,
tree=0x3b39f90) at packet-sua.c:1880
#4  0x00007f829f995ef1 in call_dissector_through_handle (handle=0x328a510,
tvb=0x373ec00, pinfo=0x44e2010, tree=0x3b39f90) at packet.c:396
#5  0x00007f829f996633 in call_dissector_work (handle=0x328a510, tvb=0x373ec00,
pinfo_arg=0x44e2010, tree=0x3b39f90) at packet.c:485
#6  0x00007f829f9975c7 in dissector_try_port (sub_dissectors=<value optimized
out>, port=4, tvb=0x373ec00, pinfo=0x44e2010, tree=0x3b39f90)
    at packet.c:870
#7  0x00007f829fe2ad3f in dissect_payload (payload_tvb=0x373ec00,
pinfo=0x44e2010, tree=0x3b39f90, ppi=4) at packet-sctp.c:1987
#8  0x00007f829fe2b3d8 in dissect_data_chunk (chunk_tvb=0x3b44180,
chunk_length=<value optimized out>, pinfo=0x44e2010, tree=0x3b39f90, 
    chunk_tree=0x3b398a0, chunk_item=<value optimized out>,
flags_item=0x3b398a0, ha=0x0) at packet-sctp.c:2750
#9  0x00007f829fe2e7eb in dissect_sctp_chunk (chunk_tvb=0x3b44180,
pinfo=0x44e2010, tree=0x3b39f90, sctp_tree=0x3b39810, ha=0x0, useinfo=1)
    at packet-sctp.c:3405
#10 0x00007f829fe2efbd in dissect_sctp_packet (tvb=0x3b44240, pinfo=0x44e2010,
tree=0x3b39f90, encapsulated=0) at packet-sctp.c:3520
#11 0x00007f829fe2f79c in dissect_sctp (tvb=0x3b44240, pinfo=0x44e2010,
tree=0x3b39f90) at packet-sctp.c:3715
#12 0x00007f829f995ef1 in call_dissector_through_handle (handle=0x2e745f0,
tvb=0x3b44240, pinfo=0x44e2010, tree=0x3b39f90) at packet.c:396
#13 0x00007f829f996633 in call_dissector_work (handle=0x2e745f0, tvb=0x3b44240,
pinfo_arg=0x44e2010, tree=0x3b39f90) at packet.c:485
#14 0x00007f829f9975c7 in dissector_try_port (sub_dissectors=<value optimized
out>, port=132, tvb=0x3b44240, pinfo=0x44e2010, tree=0x3b39f90)
    at packet.c:870
#15 0x00007f829fbde42c in dissect_ip (tvb=0x3b3cf60, pinfo=0x44e2010,
parent_tree=0x3b39f90) at packet-ip.c:1574
#16 0x00007f829f995ef1 in call_dissector_through_handle (handle=0x2ae17b0,
tvb=0x3b3cf60, pinfo=0x44e2010, tree=0x3b39f90) at packet.c:396
#17 0x00007f829f996633 in call_dissector_work (handle=0x2ae17b0, tvb=0x3b3cf60,
pinfo_arg=0x44e2010, tree=0x3b39f90) at packet.c:485
#18 0x00007f829f9975c7 in dissector_try_port (sub_dissectors=<value optimized
out>, port=2048, tvb=0x3b3cf60, pinfo=0x44e2010, tree=0x3b39f90)
    at packet.c:870
#19 0x00007f829fb2f967 in ethertype (etype=2048, tvb=0x3b408c0,
offset_after_etype=14, pinfo=0x44e2010, tree=0x3b39f90, fh_tree=0x3b39d80, 
    etype_id=13894, trailer_id=13896, fcs_len=-1) at packet-ethertype.c:215
#20 0x00007f829fb2d186 in dissect_eth_common (tvb=0x3b408c0, pinfo=0x44e2010,
parent_tree=0x3b39f90, fcs_len=-1) at packet-eth.c:338
#21 0x00007f829f995ef1 in call_dissector_through_handle (handle=0x31f57e0,
tvb=0x3b408c0, pinfo=0x44e2010, tree=0x3b39f90) at packet.c:396
#22 0x00007f829f996633 in call_dissector_work (handle=0x31f57e0, tvb=0x3b408c0,
pinfo_arg=0x44e2010, tree=0x3b39f90) at packet.c:485
#23 0x00007f829f9975c7 in dissector_try_port (sub_dissectors=<value optimized
out>, port=1, tvb=0x3b408c0, pinfo=0x44e2010, tree=0x3b39f90)
    at packet.c:870
#24 0x00007f829fb65ae8 in dissect_frame (tvb=0x3b408c0, pinfo=0x44e2010,
parent_tree=0x3b39f90) at packet-frame.c:305
#25 0x00007f829f995ef1 in call_dissector_through_handle (handle=0x29fbe40,
tvb=0x3b408c0, pinfo=0x44e2010, tree=0x3b39f90) at packet.c:396
#26 0x00007f829f996633 in call_dissector_work (handle=0x29fbe40, tvb=0x3b408c0,
pinfo_arg=0x44e2010, tree=0x3b39f90) at packet.c:485
#27 0x00007f829f996781 in call_dissector (handle=0x1, tvb=0x30,
pinfo=0x33126c0, tree=0x7f82a00dde71) at packet.c:1787
#28 0x00007f829f9980e2 in dissect_packet (edt=0x44e2000, pseudo_header=<value
optimized out>, pd=0x4739db0 "", fd=0x4798630, 
    cinfo=<value optimized out>) at packet.c:332
#29 0x0000000000434c8b in add_packet_to_packet_list (fdata=0x4798630,
cf=0x782460, dfcode=0x0, pseudo_header=0x4739a48, buf=0x4739db0 "", 
    refilter=<value optimized out>) at file.c:972
#30 0x0000000000436701 in cf_read (cf=0x782460) at file.c:503
#31 0x0000000000475b71 in file_open_cmd (w=0x343d610) at capture_file_dlg.c:726
#32 0x00007f829c85425d in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#33 0x00007f829c869f5d in ?? () from /usr/lib/libgobject-2.0.so.0
---Type <return> to continue, or q <return> to quit--- 
#34 0x00007f829c86b608 in g_signal_emit_valist () from
/usr/lib/libgobject-2.0.so.0
#35 0x00007f829c86b987 in g_signal_emit_by_name () from
/usr/lib/libgobject-2.0.so.0
#36 0x00007f829c85425d in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#37 0x00007f829c869f5d in ?? () from /usr/lib/libgobject-2.0.so.0
#38 0x00007f829c86b608 in g_signal_emit_valist () from
/usr/lib/libgobject-2.0.so.0
#39 0x00007f829c86bb33 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#40 0x00007f829e4a818d in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#41 0x00007f829c85425d in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#42 0x00007f829c869878 in ?? () from /usr/lib/libgobject-2.0.so.0
#43 0x00007f829c86b608 in g_signal_emit_valist () from
/usr/lib/libgobject-2.0.so.0
#44 0x00007f829c86bb33 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#45 0x00007f829e4a73dd in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#46 0x00007f829e54c908 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#47 0x00007f829c85425d in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#48 0x00007f829c869c3b in ?? () from /usr/lib/libgobject-2.0.so.0
#49 0x00007f829c86b48a in g_signal_emit_valist () from
/usr/lib/libgobject-2.0.so.0
#50 0x00007f829c86bb33 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#51 0x00007f829e64f74e in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#52 0x00007f829e545273 in gtk_propagate_event () from
/usr/lib/libgtk-x11-2.0.so.0
#53 0x00007f829e546393 in gtk_main_do_event () from
/usr/lib/libgtk-x11-2.0.so.0
#54 0x00007f829e1c906c in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#55 0x00007f829bfa9d5b in g_main_context_dispatch () from
/usr/lib/libglib-2.0.so.0
#56 0x00007f829bfad52d in ?? () from /usr/lib/libglib-2.0.so.0
#57 0x00007f829bfada5d in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#58 0x00007f829e5467a7 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#59 0x00000000004498bb in main (argc=0, argv=0x7fffa9a0a310) at main.c:3201
(gdb) 
(gdb) fr 0
#0  dissect_bssap (tvb=0x3a95460, pinfo=0x44e2010, tree=0x3b39f90) at
packet-bssap.c:585
585                     pinfo->sccp_info->data.co.assoc->payload =
SCCP_PLOAD_BSSAP;
(gdb) l
580         {
581             col_set_str(pinfo->cinfo, COL_PROTOCOL, ((bssap_or_bsap_global
== BSSAP) ? "BSSAP" : "BSAP"));
582         }
583     
584         if ( pinfo->sccp_info && pinfo->sccp_info->data.co.assoc  ) 
585                     pinfo->sccp_info->data.co.assoc->payload =
SCCP_PLOAD_BSSAP;
586     
587         /*
588          * create the bssap protocol tree
589          */
(gdb) p pinfo
$1 = (packet_info *) 0x44e2010
(gdb) p pinfo->sccp_info
$2 = (struct _sccp_msg_info_t *) 0x7f828e2df130
(gdb) p pinfo->sccp_info->data.co.assoc
$3 = (struct _sccp_assoc_info_t *) 0xcec33c006e6f6974
(gdb) p pinfo->sccp_info->data
$4 = {co = {label = 0x3320726579614c20 <Address 0x3320726579614c20 out of
bounds>, 
    comment = 0x616d726f666e4920 <Address 0x616d726f666e4920 out of bounds>,
assoc = 0xcec33c006e6f6974, next = 0x8a52f4401807298c}, ud = {
    calling_gt = 0x3320726579614c20 <Address 0x3320726579614c20 out of bounds>,
calling_ssn = 1718503712, 
    called_gt = 0xcec33c006e6f6974 <Address 0xcec33c006e6f6974 out of bounds>,
called_ssn = 403122572}}
(


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
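The trace above shows the pattern behind the crash: the guard at packet-bssap.c:584 tests only that `pinfo->sccp_info` and `data.co.assoc` are non-NULL, and both are, yet the dumped values are not pointers at all. Read as little-endian bytes, `label = 0x3320726579614c20`, `comment = 0x616d726f666e4920` and `assoc = 0xcec33c006e6f6974` spell " Layer 3 Informa" followed by "tion\0", so the memory `sccp_info` refers to has been reused for a text label, and the frame reached `dissect_bssap` through `dissect_sua` (frame #3), not through SCCP. The following C model is an added example written for this page, not Wireshark code; every type and function in it (`packet_info_t`, `dissect_sccp`, `bssap_hardened_write`, the shared `scratch` buffer) is a constructed stand-in. It shows why a non-NULL test on per-packet state carried over from an earlier frame is not a validity test, and two defensive measures: clearing the per-packet pointer at the start of each frame, and tagging the pointer with the frame that set it so a consumer only trusts it when the producing layer ran in the same frame.

```c
/* Added example, not Wireshark code: models how a per-packet pointer that is
 * not cleared between frames can pass a non-NULL check and still point at
 * memory that has since been reused. All names here are constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SCCP_PLOAD_BSSAP 1

typedef struct { int payload; } assoc_info_t;             /* stand-in for sccp_assoc_info_t */
typedef struct { assoc_info_t *assoc; } sccp_msg_info_t;  /* stand-in for sccp_msg_info_t  */

typedef struct {
    uint32_t         frame_num;
    sccp_msg_info_t *sccp_info;        /* set by SCCP for the frame it dissects */
    uint32_t         sccp_info_frame;  /* frame in which sccp_info was set (0 = never) */
} packet_info_t;

/* Constructed per-frame scratch memory shared by all dissectors and reused
 * from one frame to the next. */
static _Alignas(16) unsigned char scratch[64];

/* SCCP layer: places its message info in scratch and publishes it via pinfo. */
static void dissect_sccp(packet_info_t *pinfo) {
    sccp_msg_info_t *mi = (sccp_msg_info_t *)scratch;
    assoc_info_t *assoc = (assoc_info_t *)(scratch + sizeof *mi);
    assoc->payload = 0;
    mi->assoc = assoc;
    pinfo->sccp_info = mi;
    pinfo->sccp_info_frame = pinfo->frame_num;
}

/* A later frame with no SCCP layer reuses the same memory for a tree-item
 * label, overwriting the old sccp_msg_info_t with text (as in the gdb dump). */
static void dissect_other_frame(void) {
    static const char label[] = " Layer 3 Information";
    memcpy(scratch, label, sizeof label);
}

/* Unsafe consumer, the shape of packet-bssap.c:584: a non-NULL test is the
 * only validation before writing through assoc. Returns 1 when the check
 * passes, i.e. when the write would happen; the write itself is omitted
 * because with stale state it is exactly the SIGSEGV in the report. */
static int bssap_unsafe_would_write(const packet_info_t *pinfo) {
    return pinfo->sccp_info && pinfo->sccp_info->assoc;
}

/* Hardened consumer: trusts sccp_info only if SCCP set it in this very frame. */
static int bssap_hardened_write(packet_info_t *pinfo) {
    if (!pinfo->sccp_info || pinfo->sccp_info_frame != pinfo->frame_num)
        return 0;                       /* not reached via SCCP in this frame */
    if (!pinfo->sccp_info->assoc)
        return 0;
    pinfo->sccp_info->assoc->payload = SCCP_PLOAD_BSSAP;
    return 1;
}

/* Diagnostic used when triaging such dumps: if every byte of a pointer value
 * is printable ASCII, the "pointer" is almost certainly string data. */
static int pointer_looks_like_text(const void *p) {
    unsigned char b[sizeof p];
    memcpy(b, &p, sizeof b);
    for (size_t i = 0; i < sizeof b; i++)
        if (!isprint(b[i])) return 0;
    return 1;
}

/* Frame 1 carries SCCP, frame 2 does not, yet a heuristic dissector still
 * runs on frame 2. Result bits: 1 = unsafe check passed on frame 2,
 * 2 = stale assoc value is text, 4 = hardened consumer wrote on frame 2,
 * 8 = hardened consumer wrote on frame 1 (the legitimate case). */
static int run_scenario(int clear_per_frame) {
    packet_info_t pinfo = {0};
    int result = 0;

    pinfo.frame_num = 1;
    dissect_sccp(&pinfo);
    if (bssap_hardened_write(&pinfo)) result |= 8;

    pinfo.frame_num = 2;
    if (clear_per_frame)
        pinfo.sccp_info = NULL;          /* per-packet state reset at frame start */
    dissect_other_frame();               /* scratch memory reused for a label */

    if (bssap_unsafe_would_write(&pinfo)) result |= 1;
    if (pinfo.sccp_info && pointer_looks_like_text(pinfo.sccp_info->assoc)) result |= 2;
    if (bssap_hardened_write(&pinfo)) result |= 4;
    return result;
}
```

Without the per-frame reset, `run_scenario(0)` reports that the unsafe check passes on frame 2 and that the value it would dereference is text, while the frame-tagged consumer refuses; with the reset, `run_scenario(1)` shows neither consumer touches the stale state. Either measure alone stops this crash; both together also protect against a producer that forgets to clear.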