https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7391
--- Comment #3 from Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx> 2012-06-22 03:55:29 PDT ---
(In reply to comment #2)
> This filter is not crashing with 1.6.8, so are we sure it is a duplicate of bug
> 2402? My guess is no.
In r37958 a lot of fields with the name 'bootp.option.value' were added:
+ { &hf_bootp_option_value_8, { "Value", "bootp.option.value", FT_UINT8,
BASE_DEC, NULL, 0x0, "8-bit Bootp/Dhcp option value", HFILL }},
+ { &hf_bootp_option_value_16, { "Value", "bootp.option.value", FT_UINT16,
BASE_DEC, NULL, 0x0, "16-bit Bootp/Dhcp option value", HFILL }},
+ { &hf_bootp_option_value_u32, { "Value", "bootp.option.value",
FT_UINT32, BASE_HEX, NULL, 0x0, "32-bit Bootp/Dhcp option value", HFILL }},
+ { &hf_bootp_option_value_i32, { "Value", "bootp.option.value",
FT_INT32, BASE_DEC, NULL, 0x0, "32-bit Bootp/Dhcp option value", HFILL }},
+ { &hf_bootp_option_value_stringz, { "Value", "bootp.option.value",
FT_STRINGZ, BASE_NONE, NULL, 0x0, "Z-String Bootp/Dhcp option value", HFILL }},
+ { &hf_bootp_option_value_ip_address, { "Value", "bootp.option.value",
FT_IPv4, BASE_NONE, NULL, 0x00, "IP address Bootp/Dhcp option value", HFILL }},
+ { &hf_bootp_option_value_boolean, { "Value", "bootp.option.value",
FT_BOOLEAN, 8, TFS(&tfs_true_false), 0x00, "Boolean Bootp/Dhcp option value",
HFILL }},
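Review bot: every entry in this block registers the same abbreviation "bootp.option.value" while the field types differ (FT_UINT8, FT_UINT16, FT_UINT32, FT_INT32, FT_STRINGZ, FT_IPv4, FT_BOOLEAN), on top of the pre-existing FT_BYTES field of that name; a display-filter name resolves to a single registered type, so a comparison compiled against one of these types is then applied to values of all the others. Give each hf entry its own abbreviation (one per representation), or register one field of one type, so that the compiled constant and the tree value always share an ftype.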
And we have the old 'bootp.option.value' of type FT_BYTES.
Now let's check how dfilter compiles "bootp.option.value == 04":
$ ./dftest 'bootp.option.value == 04'
Filter: "bootp.option.value == 04"
dfilter ptr = 0x017f78e0
Constants:
00000 PUT_FVALUE 1 <FT_BOOLEAN> -> reg#1
Instructions:
00000 READ_TREE bootp.option.value -> reg#0
00001 IF-FALSE-GOTO 3
00002 ANY_EQ reg#0 == reg#1
00003 RETURN
So we're comparing (ANY_EQ) FT_???? with *FT_BOOLEAN*.
In the attached capture file (BootpCrash.pcap) we're comparing FT_BYTES with FT_BOOLEAN.
gdb session:
Program received signal SIGSEGV, Segmentation fault.
0x00007f3a237f51fd in cmp_eq (fv_a=0x7f3a2810cfd8, fv_b=0x7f3a2810f4b0)
at ftype-bytes.c:305
305 if (a->len != b->len) {
(gdb) print b
$4 = (GByteArray *) 0x4
(0x4 is value from reg#1)
#1 0x00007f3a237f4883 in fvalue_eq (a=0x7f3a2810cfd8, b=0x7f3a2810f4b0) at ftypes.c:499
Just as proof:
(gdb) frame 1
#1 0x00007f3a237f4883 in fvalue_eq (a=0x7f3a2810cfd8, b=0x7f3a2810f4b0) at ftypes.c:499
499 return a->ftype->cmp_eq(a, b);
(gdb) print a->ftype->ftype
$13 = FT_BYTES
(gdb) print b->ftype->ftype
$14 = FT_BOOLEAN
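As an added illustration (not Wireshark's code and not part of this bug report), a minimal C model of the fvalue dispatch described above: the per-type comparator trusts that both operands share its type, so a guarded fvalue_eq that checks the ftype of both operands before dispatching is what keeps an FT_BYTES vs FT_BOOLEAN comparison from dereferencing the constant's integer (0x4) as a pointer. ByteArray, cmp_result and demo_mismatch are simplified stand-ins, not Wireshark names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { FT_BYTES, FT_BOOLEAN } ftenum_t;
typedef struct { const uint8_t *data; size_t len; } ByteArray; /* stands in for GByteArray */

struct fvalue;
typedef struct {
    ftenum_t ftype;
    bool (*cmp_eq)(const struct fvalue *a, const struct fvalue *b);
} ftype_t;

/* The union is not self-describing: only ftype says which member is live. */
typedef struct fvalue {
    const ftype_t *ftype;
    union { const ByteArray *bytes; uint32_t uinteger; } value;
} fvalue_t;

/* ftype-bytes.c style: assumes b is also FT_BYTES. With b = FT_BOOLEAN holding 4,
 * b->value.bytes is the pointer 0x4 and the len read below is the SIGSEGV in the comment. */
static bool bytes_cmp_eq(const fvalue_t *a, const fvalue_t *b) {
    const ByteArray *x = a->value.bytes, *y = b->value.bytes;
    if (x->len != y->len) return false;
    return memcmp(x->data, y->data, x->len) == 0;
}
static bool boolean_cmp_eq(const fvalue_t *a, const fvalue_t *b) {
    return (a->value.uinteger != 0) == (b->value.uinteger != 0);
}
static const ftype_t ft_bytes   = { FT_BYTES,   bytes_cmp_eq };
static const ftype_t ft_boolean = { FT_BOOLEAN, boolean_cmp_eq };

typedef enum { CMP_FALSE = 0, CMP_TRUE = 1, CMP_TYPE_MISMATCH = -1 } cmp_result;

/* Guarded dispatch: refuse unless both operands carry the ftype the comparator expects,
 * instead of the unconditional a->ftype->cmp_eq(a, b) seen at ftypes.c:499. */
cmp_result fvalue_eq(const fvalue_t *a, const fvalue_t *b) {
    if (a->ftype->ftype != b->ftype->ftype) return CMP_TYPE_MISMATCH;
    return a->ftype->cmp_eq(a, b) ? CMP_TRUE : CMP_FALSE;
}

/* Constructed operands: the packet's FT_BYTES field and the constant "04" compiled as FT_BOOLEAN. */
cmp_result demo_mismatch(void) {
    static const uint8_t raw[] = { 0x04 };
    static const ByteArray arr = { raw, 1 };
    fvalue_t field = { &ft_bytes, { .bytes = &arr } };
    fvalue_t konst = { &ft_boolean, { .uinteger = 4 } };
    return fvalue_eq(&field, &konst); /* CMP_TYPE_MISMATCH, not a crash */
}
```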