Wireshark-bugs: [Wireshark-bugs] [Bug 5130] New: crash in add_byte_views from decrypted zigbee data

Date: Mon, 23 Aug 2010 23:27:36 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5130

           Summary: crash in add_byte_views from decrypted zigbee data
           Product: Wireshark
           Version: 1.4.0
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: hamish@xxxxxxxxxxxx


Created an attachment (id=5079)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5079)
example capture

Build Information:
1.4.0rc2, or trunk
--
I'm seeing a crash in add_byte_views() in main_proto_draw.c. Looking around the
structures, it appears that one of the data source structures is corrupt.

To reproduce, open the attached capture file and set your Zigbee NWK key
preferences to AES-128, 32-bit protection and key
8695eeb31ca36261f28e4c15b5484769.

Then go to packet 21, filter on something (packet time is sufficient), then
clear the filter. It'll crash redrawing after the clear.

valgrind shows a bunch of invalid reads when this occurs.

Here is the backtrace:

#0  0x02738f63 in IA__gtk_label_new (str=0x457c2638 <Address 0x457c2638 out of
bounds>) at /build/buildd/gtk+2.0-2.20.1/gtk/gtklabel.c:1397
#1  0x080a2326 in add_byte_tab (byte_nb=0x8b70818, name=0x457c2638 <Address
0x457c2638 out of bounds>, tvb=0xf40fedda, tree=0x8c443c0, tree_view=0x8b672b8)
    at main_proto_draw.c:669
#2  0x080a2755 in add_byte_views (edt=0x8bcf868, tree_view=0x8b672b8,
byte_nb_ptr=0x8b70818) at main_proto_draw.c:742
#3  0x080a26b6 in add_main_byte_views (edt=0x8bcf868) at main_proto_draw.c:720
#4  0x08097a96 in main_cf_cb_packet_selected (data=0x8231cc0) at main.c:1703
#5  0x08097c3d in main_cf_callback (event=4, data=0x8231cc0, user_data=0x0) at
main.c:1762
#6  0x0807b07e in cf_callback_invoke (event=4, data=0x8231cc0) at file.c:162
#7  0x08080822 in cf_select_packet (cf=0x8231cc0, row=21) at file.c:4193
#8  0x080ad946 in new_packet_list_select_cb (tree_view=0x8b670d8, data=0x0) at
new_packet_list.c:1041
#9  0x02af0dcc in IA__g_cclosure_marshal_VOID__VOID (closure=0x8b60c68,
return_value=0x0, n_param_values=1, param_values=0x8d17718, 
    invocation_hint=0xbfffe120, marshal_data=0x80ad87f) at
/build/buildd/glib2.0-2.24.1/gobject/gmarshal.c:77
#10 0x02ae3252 in IA__g_closure_invoke (closure=0x8b60c68, return_value=0x0,
n_param_values=1, param_values=0x8d17718, invocation_hint=0xbfffe120)
    at /build/buildd/glib2.0-2.24.1/gobject/gclosure.c:767
#11 0x02af799d in signal_emit_unlocked_R (node=<value optimised out>,
detail=<value optimised out>, instance=0x8b670d8, emission_return=0x0, 
    instance_and_params=0x8d17718) at
/build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3248
#12 0x02af8db4 in IA__g_signal_emit_valist (instance=0x8b670d8, signal_id=125,
detail=0, var_args=0xbfffe2dc "")
    at /build/buildd/glib2.0-2.24.1/gobject/gsignal.c:2981
#13 0x02af9256 in IA__g_signal_emit (instance=0x8b670d8, signal_id=125,
detail=0) at /build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3038
#14 0x0285ac75 in gtk_tree_view_real_set_cursor (tree_view=0x8b670d8,
path=0x8d33c60, clear_and_select=1, clamp_node=1)
    at /build/buildd/gtk+2.0-2.20.1/gtk/gtktreeview.c:12590
#15 0x02865361 in IA__gtk_tree_view_set_cursor_on_cell (tree_view=0x8b670d8,
path=0x8d33c60, focus_column=0x0, focus_cell=0x0, start_editing=0)
    at /build/buildd/gtk+2.0-2.20.1/gtk/gtktreeview.c:12706
#16 0x0286541e in IA__gtk_tree_view_set_cursor (tree_view=0x8b670d8,
path=0x8d33c60, focus_column=0x0, start_editing=0)
    at /build/buildd/gtk+2.0-2.20.1/gtk/gtktreeview.c:12652
#17 0x080ad303 in scroll_to_and_select_iter (model=0x8b66008,
selection=0x8b61cc0, iter=0xbfffe400) at new_packet_list.c:849
#18 0x080ad6a1 in new_packet_list_find_row_from_data (data=0x8c40ac0,
select_flag=1) at new_packet_list.c:963
#19 0x0807e0aa in rescan_packets (cf=0x8231cc0, action=0x81906c2 "Resetting",
action_item=0x81906bb "Filter", refilter=1, redissect=0) at file.c:2082
#20 0x0807d742 in cf_filter_packets (cf=0x8231cc0, dftext=0x0, force=0) at
file.c:1695
#21 0x0809b6f6 in main_filter_packets (cf=0x8231cc0, dftext=0x0, force=0) at
main_filter_toolbar.c:343
#22 0x0809aa1b in filter_reset_cb (w=0x8b4df50, data=0x0) at
main_filter_toolbar.c:75
#23 0x02af0dcc in IA__g_cclosure_marshal_VOID__VOID (closure=0x8b5f080,
return_value=0x0, n_param_values=1, param_values=0x8d2da08, 
    invocation_hint=0xbfffe760, marshal_data=0x809a9a2) at
/build/buildd/glib2.0-2.24.1/gobject/gmarshal.c:77
#24 0x02ae3252 in IA__g_closure_invoke (closure=0x8b5f080, return_value=0x0,
n_param_values=1, param_values=0x8d2da08, invocation_hint=0xbfffe760)
    at /build/buildd/glib2.0-2.24.1/gobject/gclosure.c:767
#25 0x02af799d in signal_emit_unlocked_R (node=<value optimised out>,
detail=<value optimised out>, instance=0x8b4df50, emission_return=0x0, 
    instance_and_params=0x8d2da08) at
/build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3248
#26 0x02af8db4 in IA__g_signal_emit_valist (instance=0x8b4df50, signal_id=171,
detail=0, 
    var_args=0xbfffe988
"\250\351\377\277\374d\260\002\364_\261\002\360\202\202\002\330\351\377\277\314\r\257\002")
    at /build/buildd/glib2.0-2.24.1/gobject/gsignal.c:2981
#27 0x02af9085 in IA__g_signal_emit_by_name (instance=0x8b4df50,
detailed_signal=0x2917938 "clicked") at
/build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3075
#28 0x02828330 in button_clicked (widget=0x8b51600, button=0x8b4df50) at
/build/buildd/gtk+2.0-2.20.1/gtk/gtktoolbutton.c:770
#29 0x02af0dcc in IA__g_cclosure_marshal_VOID__VOID (closure=0x8b5d760,
return_value=0x0, n_param_values=1, param_values=0x82ad248, 
    invocation_hint=0xbfffeaf0, marshal_data=0x28282f0) at
/build/buildd/glib2.0-2.24.1/gobject/gmarshal.c:77
#30 0x02ae3252 in IA__g_closure_invoke (closure=0x8b5d760, return_value=0x0,
n_param_values=1, param_values=0x82ad248, invocation_hint=0xbfffeaf0)
    at /build/buildd/glib2.0-2.24.1/gobject/gclosure.c:767
#31 0x02af799d in signal_emit_unlocked_R (node=<value optimised out>,
detail=<value optimised out>, instance=0x8b51600, emission_return=0x0, 
    instance_and_params=0x82ad248) at
/build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3248
#32 0x02af8db4 in IA__g_signal_emit_valist (instance=0x8b51600, signal_id=103,
detail=0, var_args=0xbfffecac "\364_\261\002\364_\261\002")
    at /build/buildd/glib2.0-2.24.1/gobject/gsignal.c:2981
#33 0x02af9256 in IA__g_signal_emit (instance=0x8b51600, signal_id=103,
detail=0) at /build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3038
#34 0x0268fc7a in IA__gtk_button_clicked (button=0x8b51600) at
/build/buildd/gtk+2.0-2.20.1/gtk/gtkbutton.c:1128
#35 0x02691238 in gtk_real_button_released (button=0x8b51600) at
/build/buildd/gtk+2.0-2.20.1/gtk/gtkbutton.c:1725
#36 0x02af0dcc in IA__g_cclosure_marshal_VOID__VOID (closure=0x827a8b8,
return_value=0x0, n_param_values=1, param_values=0x8d175c0, 
    invocation_hint=0xbfffee60, marshal_data=0x26911f0) at
/build/buildd/glib2.0-2.24.1/gobject/gmarshal.c:77
#37 0x02ae18b9 in g_type_class_meta_marshal (closure=0x827a8b8,
return_value=0x0, n_param_values=1, param_values=0x8d175c0,
invocation_hint=0xbfffee60, 
    marshal_data=0x1a4) at /build/buildd/glib2.0-2.24.1/gobject/gclosure.c:878
#38 0x02ae3252 in IA__g_closure_invoke (closure=0x827a8b8, return_value=0x0,
n_param_values=1, param_values=0x8d175c0, invocation_hint=0xbfffee60)
    at /build/buildd/glib2.0-2.24.1/gobject/gclosure.c:767
#39 0x02af723a in signal_emit_unlocked_R (node=<value optimised out>,
detail=<value optimised out>, instance=0x8b51600, emission_return=0x0, 
    instance_and_params=0x8d175c0) at
/build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3178
#40 0x02af8db4 in IA__g_signal_emit_valist (instance=0x8b51600, signal_id=102,
detail=0, 
    var_args=0xbffff01c
"\364_\261\002\364\017\236\002\344\361\377\277H\360\377\277c\375h\002") at
/build/buildd/glib2.0-2.24.1/gobject/gsignal.c:2981
#41 0x02af9256 in IA__g_signal_emit (instance=0x8b51600, signal_id=102,
detail=0) at /build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3038
#42 0x0268fd1a in gtk_button_released (button=0x8b51600) at
/build/buildd/gtk+2.0-2.20.1/gtk/gtkbutton.c:1120
#43 0x0268fd63 in gtk_button_button_release (widget=0x8b51600, event=0x8d43250)
at /build/buildd/gtk+2.0-2.20.1/gtk/gtkbutton.c:1617
#44 0x0274d424 in _gtk_marshal_BOOLEAN__BOXED (closure=0x8275480,
return_value=0xbffff1e4, n_param_values=2, param_values=0x8d448c8, 
    invocation_hint=0xbffff1d0, marshal_data=0x268fd30) at
/build/buildd/gtk+2.0-2.20.1/gtk/gtkmarshalers.c:84
#45 0x02ae18b9 in g_type_class_meta_marshal (closure=0x8275480,
return_value=0xbffff1e4, n_param_values=2, param_values=0x8d448c8,
invocation_hint=0xbffff1d0, 
    marshal_data=0xb4) at /build/buildd/glib2.0-2.24.1/gobject/gclosure.c:878
#46 0x02ae3252 in IA__g_closure_invoke (closure=0x8275480,
return_value=0xbffff1e4, n_param_values=2, param_values=0x8d448c8,
invocation_hint=0xbffff1d0)
    at /build/buildd/glib2.0-2.24.1/gobject/gclosure.c:767
#47 0x02af75e6 in signal_emit_unlocked_R (node=<value optimised out>,
detail=<value optimised out>, instance=0x8b51600, emission_return=0xbffff32c, 
    instance_and_params=0x8d448c8) at
/build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3286
#48 0x02af8c33 in IA__g_signal_emit_valist (instance=0x8b51600, signal_id=34,
detail=0, 
    var_args=0xbffff390
"\274\363\377\277H\302'\b\270\363\377\277ڣ\207\002\364\017\236\002") at
/build/buildd/glib2.0-2.24.1/gobject/gsignal.c:2991
#49 0x02af9256 in IA__g_signal_emit (instance=0x8b51600, signal_id=34,
detail=0) at /build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3038
#50 0x0287a636 in gtk_widget_event_internal (widget=<value optimised out>,
event=0x8d43250) at /build/buildd/gtk+2.0-2.20.1/gtk/gtkwidget.c:4951
#51 0x02745a5d in IA__gtk_propagate_event (widget=0x8b51600, event=0x8d43250)
at /build/buildd/gtk+2.0-2.20.1/gtk/gtkmain.c:2447
#52 0x02746e07 in IA__gtk_main_do_event (event=0x8d43250) at
/build/buildd/gtk+2.0-2.20.1/gtk/gtkmain.c:1647
#53 0x02a3b39a in gdk_event_dispatch (source=0x8273c70, callback=0,
user_data=0x0) at /build/buildd/gtk+2.0-2.20.1/gdk/x11/gdkevents-x11.c:2372
#54 0x02b525e5 in g_main_dispatch (context=0x8273cb8) at
/build/buildd/glib2.0-2.24.1/glib/gmain.c:1960
#55 IA__g_main_context_dispatch (context=0x8273cb8) at
/build/buildd/glib2.0-2.24.1/glib/gmain.c:2513
#56 0x02b562d8 in g_main_context_iterate (context=0x8273cb8, block=<value
optimised out>, dispatch=1, self=0x8253ba0)
    at /build/buildd/glib2.0-2.24.1/glib/gmain.c:2591
#57 0x02b56817 in IA__g_main_loop_run (loop=0x8bbac58) at
/build/buildd/glib2.0-2.24.1/glib/gmain.c:2799
#58 0x027473c9 in IA__gtk_main () at
/build/buildd/gtk+2.0-2.20.1/gtk/gtkmain.c:1219
#59 0x0809974c in main (argc=0, argv=0xbffff7c4) at main.c:3048
