Wireshark-bugs: [Wireshark-bugs] [Bug 6139] Buildbot crash output: fuzz-2011-07-19-1747.pcap
Date: Tue, 9 Aug 2011 08:44:28 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6139

Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jeff.morriss.ws@xxxxxxxxx
         Resolution|                            |FIXED

--- Comment #4 from Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> 2011-08-09 08:44:27 PDT ---
Still crashes for me on Linux. Backtrace is:

#0  0x00000031a0a80e50 in strlen () from /lib64/libc.so.6
#1  0x00000031a0a4961e in vfprintf () from /lib64/libc.so.6
#2  0x00000031a0afc928 in __vsnprintf_chk () from /lib64/libc.so.6
#3  0x00007ff1d23b54bf in proto_tree_set_representation (pi=<value optimized out>, format=0x7ff1d2e33fa0 "ERROR %s %s (%s)", ap=0x7fff72c886d0) at ../../epan/proto.c:3668
#4  0x00007ff1d23b6be8 in proto_tree_add_text (tree=0x7ff1d11b20e0, tvb=<value optimized out>, start=<value optimized out>, length=<value optimized out>, format=0x7ff1d2e33fa0 "ERROR %s %s (%s)") at ../../epan/proto.c:1051
#5  0x00007ff1d25098a6 in ProcessError (tree=0x5, tvb=0x7ff1d2e33fab, bit_offset=16843008, sz=<value optimized out>, err=-5, pDescr=<value optimized out>) at ../../../epan/dissectors/packet-csn1.c:105
#6  0x00007ff1d2509b1a in csnStreamDissector (tree=0x7ff1d11b2020, ar=0x7fff72c88a90, pDescr=0x7fff72c88a68, tvb=0x2f2c5e0, data=0x7ff1d0494660, ett_csn1=7852) at ../../../epan/dissectors/packet-csn1.c:1476
#7  0x00007ff1d250a437 in csnStreamDissector (tree=0x7ff1d11b1fc0, ar=0x7fff72c88c10, pDescr=0x7ff1d38d2720, tvb=0x2f2c5e0, data=0x7ff1d0494660, ett_csn1=7852) at ../../../epan/dissectors/packet-csn1.c:548
#8  0x00007ff1d250ab9e in csnStreamDissector (tree=0x7ff1d11b1ba0, ar=0x7fff72c88d90, pDescr=0x7ff1d38ce300, tvb=0x2f2c5e0, data=0x7ff1d049465c, ett_csn1=7852) at ../../../epan/dissectors/packet-csn1.c:1376
#9  0x00007ff1d250a27e in csnStreamDissector (tree=0x7ff1d11b1210, ar=0x7fff72c88de0, pDescr=0x7ff1d38c8d00, tvb=0x2f2c5e0, data=0x7ff1d0494648, ett_csn1=7852) at ../../../epan/dissectors/packet-csn1.c:496
#10 0x00007ff1d2648def in dissect_gsm_rlcmac_uplink (tvb=0x2f2c5e0, pinfo=0x7fff72c89a80, tree=0x7ff1d11b1000) at ../../../epan/dissectors/packet-gsm_rlcmac.c:5475
#11 0x00007ff1d23a6cd1 in call_dissector_through_handle (handle=0x1ed6cf0, tvb=0x2f2c5e0, pinfo=0x7fff72c89a80, tree=0x7ff1d11b1000) at ../../epan/packet.c:384

Unfortunately all the variables in frame 5 are optimized out and, weirdly, if I turn off optimization the crash doesn't happen.

But, digging further, I think the problem is in frame 7 with this code:

~~~
525     if (value == pChoice->value)
526     {
527       CSN_DESCR   descr[2];
528       gint16      Status;
529       csnStream_t arT = *ar;
530       proto_item   *ti;
531       proto_tree   *test_tree;
532
533       descr[0]      = pChoice->descr;
534       descr[1].type = CSN_END;     <<< why are we initializing the 2nd entry in the array?
[...]
548       Status = csnStreamDissector(test_tree, &arT, descr, tvb, data, ett_csn1);
~~~

The (recursive) csnStreamDissector() call immediately does a switch on the pDescr->type, so I'm pretty sure the initialization of 'type' is supposed to be done on entry 0 instead of 1. Changing it eliminates the uninitialized variable read and fixes the crash.

(BTW, CSN_END is 0; this may explain why turning optimization off prevented the crash: uninitialized memory is frequently--but certainly not always--0.)

Fixed in rev 38430.
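The hazard the comment describes is a stack array of descriptors, terminated by a CSN_END sentinel, that is handed to a recursive walker which switches on each entry's type and formats the entry's name string on its error path; any member of any entry that was not assigned before the walk is an uninitialized read, and a garbage name pointer is what strlen() in frame 0 dies on. The example below is added here and is not Wireshark's code or the rev 38430 change: it uses a hypothetical, simplified descriptor struct (csn_descr_t, with type, bits and sz members) and a toy walker (walk_descr, walk_choice) that consumes a simulated bit budget, to show the safe pattern of fully initializing every entry of the table, the sentinel included, and guarding the name before it reaches a "%s".

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-in for Wireshark's CSN_DESCR: a table of field
   descriptors terminated by an entry whose type is CSN_END, which is 0
   just as the comment notes. */
enum { CSN_END = 0, CSN_UINT = 1 };

typedef struct csn_descr {
    int         type;   /* one of the CSN_* values above */
    int         bits;   /* field width in bits for CSN_UINT */
    const char *sz;     /* field name, used in error messages */
} csn_descr_t;

/* The error path formats the descriptor name with "%s" (compare the
   "ERROR %s %s (%s)" format in frame 3). A NULL or uninitialized
   pointer here is exactly what strlen() crashes on, so guard it. */
static const char *descr_name(const csn_descr_t *d)
{
    return d->sz ? d->sz : "<unnamed>";
}

/* Walk a descriptor table until the CSN_END sentinel, consuming bits
   from a simulated stream. Returns the number of non-END entries
   processed, or -1 on error (message written to err). */
static int walk_descr(const csn_descr_t *descr, int bits_available,
                      char *err, size_t errlen)
{
    int processed = 0;
    for (;; descr++) {
        switch (descr->type) {          /* the switch the comment refers to */
        case CSN_END:
            return processed;
        case CSN_UINT:
            if (descr->bits > bits_available) {
                snprintf(err, errlen, "ERROR %s: need %d bits, have %d",
                         descr_name(descr), descr->bits, bits_available);
                return -1;
            }
            bits_available -= descr->bits;
            processed++;
            break;
        default:
            snprintf(err, errlen, "ERROR unknown type %d (%s)",
                     descr->type, descr_name(descr));
            return -1;
        }
    }
}

/* The CHOICE-style path: build a two-entry table on the stack from the
   chosen descriptor plus a sentinel, then recurse into the walker.
   Entry 0 is fully assigned by the struct copy; entry 1 is zeroed in
   full before its type is set, so no member of either entry is read
   uninitialized, whichever of them the walker or its error path touches. */
static int walk_choice(const csn_descr_t *chosen, int bits_available,
                       char *err, size_t errlen)
{
    csn_descr_t descr[2];

    descr[0] = *chosen;
    memset(&descr[1], 0, sizeof descr[1]);   /* every member defined ... */
    descr[1].type = CSN_END;                 /* ... then the sentinel type */

    return walk_descr(descr, bits_available, err, errlen);
}

int main(void)
{
    /* constructed sample descriptor */
    const csn_descr_t field = { CSN_UINT, 8, "MESSAGE_TYPE" };
    char err[128] = "";

    printf("16 bits available: %d\n", walk_choice(&field, 16, err, sizeof err));
    printf("4 bits available:  %d (%s)\n", walk_choice(&field, 4, err, sizeof err), err);
    return 0;
}
```

The memset-then-set-type sequence is one idiomatic way to get a fully defined sentinel in C; a designated initializer such as `(csn_descr_t){ .type = CSN_END }` achieves the same thing. Building with `-fsanitize=memory` (clang) or running under Valgrind is how a partially initialized table like the original would be caught deterministically rather than depending, as the comment observes, on stack garbage happening to be 0.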