https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7892
Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx> changed:
What        |Removed |Added
----------------------------------------------------------------------------
CC          |        |darkjames-ws@xxxxxxxxxxxx
--- Comment #1 from Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx> 2012-10-21 23:36:26 PDT ---
From packet-ieee802154 dissector:
SET_ADDRESS(&pinfo->dl_dst, AT_STRINGZ, (int)strlen(dst_addr)+1, dst_addr);
SET_ADDRESS(&pinfo->dst, AT_STRINGZ, (int)strlen(dst_addr)+1, dst_addr);
where dst_addr is allocated from the ep_ pool.
Later pinfo->dst is accessed by col_fill_in() => col_set_addr(), but that is after
dissection, so the ep_ pool was already freed (and scrubbed).
#FAIL: we need either to do col_fill_in() before ep_free_all() or to revert
r45673.
*Probably* all recent fuzz testing reports are dups of this one.
Bug caught thanks to se_solve_address_to_name(), which for AT_STRINGZ assumes
NUL-terminated addr->data, and a lot of memory is allocated in the se_ pool.
backtrace:
#0 0x00007f0d32df227c in se_alloc (size=75033) at emem.c:884
#1 0x00007f0d32df266d in emem_strdup (
src=0x7f0d2f1c1200 "ďžŢďžŢďžŢďžŢďžŢďžŢďžŢďžŢďžŢďžŢďž...
allocator=0x7f0d32df2260 <se_alloc>) at emem.c:964
#2 0x00007f0d32df26cc in se_strdup (
src=0x7f0d2f1c1200 "ďžŢďžŢďžŢďžŢďžŢďžŢďžŢďžŢďžŢďžŢďž...
at emem.c:978
#3 0x00007f0d32ddf6bd in se_solve_address_to_name (addr=0x7fff9d24bf38) at
addr_resolv.c:995
#4 0x00007f0d32ddf595 in se_get_addr_name (addr=0x7fff9d24bf38) at
addr_resolv.c:2951
#5 0x00007f0d32dee288 in col_set_addr () from
/tmp/wireshark/epan/.libs/libwireshark.so.0
#6 0x00007f0d32dede3a in col_fill_in () from
/tmp/wireshark/epan/.libs/libwireshark.so.0
#7 0x00007f0d32df7c7b in epan_dissect_fill_in_columns () from
/tmp/wireshark/epan/.libs/libwiresha
#8 0x0000000000423390 in print_packet (cf=0x658a38, edt=0x7fff9d24be98) at
tshark.c:3483
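To make the lifetime problem in the comment concrete, here is an added example that is neither Wireshark code nor the reporter's: a constructed toy per-packet pool that is scrubbed on free-all, an AT_STRINGZ-style address pointing into it, and the two call orders (columns filled after vs. before the pool is freed). Every toy_ name and the sample address string are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed toy model of Wireshark's per-packet (ep_) pool: a bump arena
 * wiped with a fill byte on free-all, matching "freed (and scrubbed)" above.
 * This is not emem.c; every toy_ name is an assumption for illustration. */
enum { POOL_SIZE = 256, SCRUB_BYTE = 0xEF };
static unsigned char pool[POOL_SIZE];
static size_t pool_used;
static void *toy_ep_alloc(size_t n) {
    if (pool_used + n > POOL_SIZE) return NULL;
    void *p = pool + pool_used;
    pool_used += n;
    return p;
}
static char *toy_ep_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = toy_ep_alloc(n);
    if (d) memcpy(d, s, n);
    return d;
}
static void toy_ep_free_all(void) {
    memset(pool, SCRUB_BYTE, POOL_SIZE); /* scrub: NUL terminators vanish */
    pool_used = 0;
}
/* Stand-in for an AT_STRINGZ address whose data must stay NUL-terminated. */
typedef struct { int len; const void *data; } toy_address;
/* Consumer that trusts the terminator, like se_solve_address_to_name():
 * 1 if a NUL is still present within len bytes, else 0. */
static int addr_is_intact(const toy_address *a) {
    return memchr(a->data, '\0', (size_t)a->len) != NULL;
}
/* Order from the report: pool freed, then columns filled from pinfo->dst. */
static int fill_after_free(void) {
    toy_address dst;
    char *s = toy_ep_strdup("00:11:22:33:44:55:66:77"); /* constructed sample */
    dst.len = (int)strlen(s) + 1; dst.data = s;
    toy_ep_free_all();            /* dst.data now points at scrubbed bytes */
    return addr_is_intact(&dst);  /* 0: strlen() here would run off the end */
}
/* Proposed order: copy what the columns need before ep_free_all(). */
static int fill_before_free(char *out, size_t outlen) {
    toy_address dst;
    char *s = toy_ep_strdup("00:11:22:33:44:55:66:77");
    dst.len = (int)strlen(s) + 1; dst.data = s;
    int ok = addr_is_intact(&dst);
    if (ok) snprintf(out, outlen, "%s", (const char *)dst.data);
    toy_ep_free_all();
    return ok;                    /* 1 */
}
```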