Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 9343] New: Buildbot crash output: fuzz-2013-10-29-18153.pcap

Wireshark-bugs: [Wireshark-bugs] [Bug 9343] New: Buildbot crash output: fuzz-2013-10-29-18153.pc

Date: Tue, 29 Oct 2013 11:30:04 +0000
Bug ID	9343
Summary	Buildbot crash output: fuzz-2013-10-29-18153.pcap
Classification	Unclassified
Product	Wireshark
Version	unspecified
Hardware	x86-64
URL	http://www.wireshark.org/download/automated/captures/fuzz-2013-10-29-18153.pcap
OS	Ubuntu
Status	CONFIRMED
Severity	Major
Priority	High
Component	Dissection engine (libwireshark)
Assignee	[email protected]
Reporter	[email protected]
Problems have been found with the following capture file:

http://www.wireshark.org/download/automated/captures/fuzz-2013-10-29-18153.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/03-13_los_altos.pcap

Build host information:
Linux wsbb04 3.2.0-49-generic #75-Ubuntu SMP Tue Jun 18 17:39:32 UTC 2013
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:    Ubuntu
Description:    Ubuntu 12.04.2 LTS
Release:    12.04
Codename:    precise

Buildbot information:
BUILDBOT_REPOSITORY=http://code.wireshark.org/git/wireshark
BUILDBOT_BUILDNUMBER=2144
BUILDBOT_URL=http://buildbot.wireshark.org/trunk/
BUILDBOT_BUILDERNAME=Clang-Code-Analysis
BUILDBOT_SLAVENAME=clang-code-analysis
BUILDBOT_GOT_REVISION=eb560aa56a0ae28ba5622b161c805d9a8c333867

Return value:  0

Dissector bug:  0

Valgrind error count:  359



Git commit
commit eb560aa56a0ae28ba5622b161c805d9a8c333867
Author: Jörg Mayer <[email protected]>
Date:   Sun Oct 27 02:18:57 2013 +0000

    Various updates - go into a little depth now.

    svn path=/trunk/; revision=52887


Command and args: ./tools/valgrind-wireshark.sh -T

==28014== Memcheck, a memory error detector
==28014== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==28014== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==28014== Command:
/home/wireshark/builders/trunk-clang-ca/clangcodeanalysis/install/bin/tshark
-Vx -nr
/fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2013-10-29-18153.pcap
==28014== 

** (process:28014): WARNING **: Could not load tpncp.dat file, tpncp dissector
will not work
==28014== Conditional jump or move depends on uninitialised value(s)
==28014==    at 0x4C2BFB8: strlen (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x954E2D1: g_strdup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64F314A: string_fvalue_set (ftype-string.c:55)
==28014==    by 0x64BD2B7: proto_tree_add_string (proto.c:2494)
==28014==    by 0x64BD3B0: proto_tree_add_string_format (proto.c:2534)
==28014==    by 0x67EEE08: dissect_http_message (packet-http.c:2433)
==28014==    by 0x67EFE98: dissect_http (packet-http.c:2704)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x6B34DBC: decode_tcp_ports (packet-tcp.c:3867)
==28014== 
==28014== Invalid read of size 1
==28014==    at 0x4C2BFB4: strlen (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x954E2D1: g_strdup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64F314A: string_fvalue_set (ftype-string.c:55)
==28014==    by 0x64BD2B7: proto_tree_add_string (proto.c:2494)
==28014==    by 0x64BD3B0: proto_tree_add_string_format (proto.c:2534)
==28014==    by 0x67EEE08: dissect_http_message (packet-http.c:2433)
==28014==    by 0x67EFE98: dissect_http (packet-http.c:2704)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x6B34DBC: decode_tcp_ports (packet-tcp.c:3867)
==28014==  Address 0x111835ad is 0 bytes after a block of size 173 alloc'd
==28014==    at 0x4C2B6CD: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x9539A78: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64C8C19: fragment_add_work.isra.7 (reassemble.c:1064)
==28014==    by 0x64C9013: fragment_add_common (reassemble.c:1371)
==28014==    by 0x64C97F7: fragment_add (reassemble.c:1391)
==28014==    by 0x6B375BE: dissect_tcp (packet-tcp.c:4686)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x683EFFF: dissect_ip (packet-ip.c:2396)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014== 
==28014== Invalid read of size 1
==28014==    at 0x4C2D1A0: memcpy@@GLIBC_2.14 (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x954E2EE: g_strdup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64F314A: string_fvalue_set (ftype-string.c:55)
==28014==    by 0x64BD2B7: proto_tree_add_string (proto.c:2494)
==28014==    by 0x64BD3B0: proto_tree_add_string_format (proto.c:2534)
==28014==    by 0x67EEE08: dissect_http_message (packet-http.c:2433)
==28014==    by 0x67EFE98: dissect_http (packet-http.c:2704)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x6B34DBC: decode_tcp_ports (packet-tcp.c:3867)
==28014==  Address 0x111835ad is 0 bytes after a block of size 173 alloc'd
==28014==    at 0x4C2B6CD: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x9539A78: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64C8C19: fragment_add_work.isra.7 (reassemble.c:1064)
==28014==    by 0x64C9013: fragment_add_common (reassemble.c:1371)
==28014==    by 0x64C97F7: fragment_add (reassemble.c:1391)
==28014==    by 0x6B375BE: dissect_tcp (packet-tcp.c:4686)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x683EFFF: dissect_ip (packet-ip.c:2396)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014== 
==28014== Invalid read of size 2
==28014==    at 0x4C2D160: memcpy@@GLIBC_2.14 (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x954E2EE: g_strdup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64F314A: string_fvalue_set (ftype-string.c:55)
==28014==    by 0x64BD2B7: proto_tree_add_string (proto.c:2494)
==28014==    by 0x64BD3B0: proto_tree_add_string_format (proto.c:2534)
==28014==    by 0x67EEE08: dissect_http_message (packet-http.c:2433)
==28014==    by 0x67EFE98: dissect_http (packet-http.c:2704)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x6B34DBC: decode_tcp_ports (packet-tcp.c:3867)
==28014==  Address 0x111835ac is 172 bytes inside a block of size 173 alloc'd
==28014==    at 0x4C2B6CD: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x9539A78: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64C8C19: fragment_add_work.isra.7 (reassemble.c:1064)
==28014==    by 0x64C9013: fragment_add_common (reassemble.c:1371)
==28014==    by 0x64C97F7: fragment_add (reassemble.c:1391)
==28014==    by 0x6B375BE: dissect_tcp (packet-tcp.c:4686)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x683EFFF: dissect_ip (packet-ip.c:2396)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014== 
==28014== Invalid read of size 2
==28014==    at 0x4C2D060: memcpy@@GLIBC_2.14 (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x954E2EE: g_strdup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64F314A: string_fvalue_set (ftype-string.c:55)
==28014==    by 0x64BD2B7: proto_tree_add_string (proto.c:2494)
==28014==    by 0x64BD3B0: proto_tree_add_string_format (proto.c:2534)
==28014==    by 0x67EEE08: dissect_http_message (packet-http.c:2433)
==28014==    by 0x67EFE98: dissect_http (packet-http.c:2704)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x6B34DE7: decode_tcp_ports (packet-tcp.c:3853)
==28014==  Address 0x1124b762 is 306 bytes inside a block of size 307 alloc'd
==28014==    at 0x4C2B6CD: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x9539A78: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64C8C19: fragment_add_work.isra.7 (reassemble.c:1064)
==28014==    by 0x64C9013: fragment_add_common (reassemble.c:1371)
==28014==    by 0x64C97F7: fragment_add (reassemble.c:1391)
==28014==    by 0x6B355D4: dissect_tcp_payload (packet-tcp.c:1713)
==28014==    by 0x6B36D10: dissect_tcp (packet-tcp.c:4779)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x683EFFF: dissect_ip (packet-ip.c:2396)
==28014== 
==28014== Invalid read of size 1
==28014==    at 0x4C2D08F: memcpy@@GLIBC_2.14 (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x954E2EE: g_strdup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64F314A: string_fvalue_set (ftype-string.c:55)
==28014==    by 0x64BD2B7: proto_tree_add_string (proto.c:2494)
==28014==    by 0x64BD3B0: proto_tree_add_string_format (proto.c:2534)
==28014==    by 0x67EEE08: dissect_http_message (packet-http.c:2433)
==28014==    by 0x67EFE98: dissect_http (packet-http.c:2704)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x6B34DE7: decode_tcp_ports (packet-tcp.c:3853)
==28014==  Address 0x114cbbad is 0 bytes after a block of size 173 alloc'd
==28014==    at 0x4C2B6CD: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x9539A78: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64C8C19: fragment_add_work.isra.7 (reassemble.c:1064)
==28014==    by 0x64C9013: fragment_add_common (reassemble.c:1371)
==28014==    by 0x64C97F7: fragment_add (reassemble.c:1391)
==28014==    by 0x6B375BE: dissect_tcp (packet-tcp.c:4686)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x683EFFF: dissect_ip (packet-ip.c:2396)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014== 
==28014== Invalid read of size 1
==28014==    at 0x4C2D080: memcpy@@GLIBC_2.14 (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x954E2EE: g_strdup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64F314A: string_fvalue_set (ftype-string.c:55)
==28014==    by 0x64BD2B7: proto_tree_add_string (proto.c:2494)
==28014==    by 0x64BD3B0: proto_tree_add_string_format (proto.c:2534)
==28014==    by 0x67EEE08: dissect_http_message (packet-http.c:2433)
==28014==    by 0x67EFE98: dissect_http (packet-http.c:2704)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x6B34DE7: decode_tcp_ports (packet-tcp.c:3853)
==28014==  Address 0x11154694 is 1 bytes after a block of size 243 alloc'd
==28014==    at 0x4C2B6CD: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x9539A78: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64C8C19: fragment_add_work.isra.7 (reassemble.c:1064)
==28014==    by 0x64C9013: fragment_add_common (reassemble.c:1371)
==28014==    by 0x64C97F7: fragment_add (reassemble.c:1391)
==28014==    by 0x6B355D4: dissect_tcp_payload (packet-tcp.c:1713)
==28014==    by 0x6B36D10: dissect_tcp (packet-tcp.c:4779)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x683EFFF: dissect_ip (packet-ip.c:2396)
==28014== 
==28014== Invalid read of size 2
==28014==    at 0x4C2D050: memcpy@@GLIBC_2.14 (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x954E2EE: g_strdup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64F314A: string_fvalue_set (ftype-string.c:55)
==28014==    by 0x64BD2B7: proto_tree_add_string (proto.c:2494)
==28014==    by 0x64BD3B0: proto_tree_add_string_format (proto.c:2534)
==28014==    by 0x67EEE08: dissect_http_message (packet-http.c:2433)
==28014==    by 0x67EFE98: dissect_http (packet-http.c:2704)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x6B34DE7: decode_tcp_ports (packet-tcp.c:3853)
==28014==  Address 0x11154692 is 242 bytes inside a block of size 243 alloc'd
==28014==    at 0x4C2B6CD: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x9539A78: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64C8C19: fragment_add_work.isra.7 (reassemble.c:1064)
==28014==    by 0x64C9013: fragment_add_common (reassemble.c:1371)
==28014==    by 0x64C97F7: fragment_add (reassemble.c:1391)
==28014==    by 0x6B355D4: dissect_tcp_payload (packet-tcp.c:1713)
==28014==    by 0x6B36D10: dissect_tcp (packet-tcp.c:4779)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x683EFFF: dissect_ip (packet-ip.c:2396)
==28014== 
==28014== Invalid read of size 1
==28014==    at 0x4C2D1AD: memcpy@@GLIBC_2.14 (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28014==    by 0x954E2EE: g_strdup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3)
==28014==    by 0x64F314A: string_fvalue_set (ftype-string.c:55)
==28014==    by 0x64BD2B7: proto_tree_add_string (proto.c:2494)
==28014==    by 0x64BD3B0: proto_tree_add_string_format (proto.c:2534)
==28014==    by 0x67EF5ED: dissect_http_message (packet-http.c:2369)
==28014==    by 0x67EFE98: dissect_http (packet-http.c:2704)
==28014==    by 0x64AAC57: call_dissector_through_handle (packet.c:515)
==28014==    by 0x64AB5A4: call_dissector_work (packet.c:609)
==28014==    by 0x64ABF52: dissector_try_uint_new (packet.c:1040)
==28014==    by 0x64ABFA6: dissector_try_uint (packet.c:1066)
==28014==    by 0x6B34DE7: decode_tcp_ports (packet-tcp.c:3853)
==28014==  Address 0x119e7d5e is not stack'd, malloc'd or (recently) free'd
==28014== 
==28014== 
==28014== HEAP SUMMARY:
==28014==     in use at exit: 435,716 bytes in 7,531 blocks
==28014==   total heap usage: 8,802,990 allocs, 8,795,459 frees, 816,617,547
bytes allocated
==28014== 
==28014== LEAK SUMMARY:
==28014==    definitely lost: 8,627 bytes in 1,744 blocks
==28014==    indirectly lost: 1,288 bytes in 44 blocks
==28014==      possibly lost: 0 bytes in 0 blocks
==28014==    still reachable: 425,801 bytes in 5,743 blocks
==28014==         suppressed: 0 bytes in 0 blocks
==28014== Rerun with --leak-check=full to see details of leaked memory
==28014== 
==28014== For counts of detected and suppressed errors, rerun with: -v
==28014== Use --track-origins=yes to see where uninitialised values come from
==28014== ERROR SUMMARY: 359 errors from 9 contexts (suppressed: 11 from 5)

[ no debug trace ]
You are receiving this mail because:
You are watching all bug changes.
Follow-Ups:
- [Wireshark-bugs] [Bug 9343] Buildbot crash output: fuzz-2013-10-29-18153.pcap
  - From: bugzilla-daemon
Prev by Date: [Wireshark-bugs] [Bug 9112] epan/follow.c - Incorrect "bytes missing in capture file" in "check_fragments" due to an unsigned int wraparound?
Next by Date: [Wireshark-bugs] [Bug 9344] New: remove redundant or use faster col_xxx functions
Previous by thread: [Wireshark-bugs] [Bug 5664] Some files needed for running from build directory aren't there when doing out-of-source-tree build
Next by thread: [Wireshark-bugs] [Bug 9343] Buildbot crash output: fuzz-2013-10-29-18153.pcap
Index(es):
- Date
- Thread