Wireshark-bugs: [Wireshark-bugs] [Bug 10056] New: Buildbot crash output: fuzz-2014-04-28-13573.p
Date: Mon, 28 Apr 2014 13:30:04 +0000
Bug ID | 10056 |
---|---|
Summary | Buildbot crash output: fuzz-2014-04-28-13573.pcap |
Classification | Unclassified |
Product | Wireshark |
Version | unspecified |
Hardware | x86-64 |
URL | http://www.wireshark.org/download/automated/captures/fuzz-2014-04-28-13573.pcap |
OS | Ubuntu |
Status | CONFIRMED |
Severity | Major |
Priority | High |
Component | Dissection engine (libwireshark) |
Assignee | [email protected] |
Reporter | [email protected] |
Problems have been found with the following capture file:

http://www.wireshark.org/download/automated/captures/fuzz-2014-04-28-13573.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/10129-trc_00004_20130227111552

Build host information:
Linux wsbb04 3.2.0-60-generic #91-Ubuntu SMP Wed Feb 19 03:54:44 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 12.04.4 LTS
Release: 12.04
Codename: precise

Buildbot information:
BUILDBOT_REPOSITORY=ssh://[email protected]:29418/wireshark
BUILDBOT_BUILDNUMBER=2727
BUILDBOT_URL=http://buildbot.wireshark.org/trunk/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_SLAVENAME=clang-code-analysis
BUILDBOT_GOT_REVISION=616d4c9c1b0f38e82b28bfb985ca4a319fa8218a

Return value: 0

Dissector bug: 0

Valgrind error count: 86

Git commit
commit 616d4c9c1b0f38e82b28bfb985ca4a319fa8218a
Author: Martin Mathieson <[email protected]>
Date: Sat Apr 26 23:26:32 2014 +0100

    Change preferences - always want to try to decrypt signalling PDUs

    Change-Id: Ib34f12b5f8dd276612aed2fe0192c94e847858f2
    Reviewed-on: https://code.wireshark.org/review/1377
    Reviewed-by: Martin Mathieson <[email protected]>

Command and args: ./tools/valgrind-wireshark.sh

==30990== Memcheck, a memory error detector
==30990== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==30990== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==30990== Command: /home/wireshark/builders/trunk-clang-ca/clangcodeanalysis/install/bin/tshark -nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2014-04-28-13573.pcap
==30990==

** (process:30990): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 3769: packet-dcerpc.c:2585: failed assertion "id <= ((guint32) 0xffffffff)"

** (process:30990): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 3813: packet-dcerpc.c:2585: failed assertion "id <= ((guint32) 0xffffffff)"

** (process:30990): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 4050: packet-dcerpc.c:2585: failed assertion "id <= ((guint32) 0xffffffff)"

** (process:30990): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 6269: packet-dcerpc.c:2585: failed assertion "id <= ((guint32) 0xffffffff)"

** (process:30990): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 8106: packet-dcerpc.c:2585: failed assertion "id <= ((guint32) 0xffffffff)"

** (process:30990): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 8273: packet-dcerpc.c:2585: failed assertion "id <= ((guint32) 0xffffffff)"

** (process:30990): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 10470: packet-dcerpc.c:2585: failed assertion "id <= ((guint32) 0xffffffff)"

==30990== Use of uninitialised value of size 8
==30990==    at 0x985BE40: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x6C48E62: dissect_smb2_tree_connect_response (packet-smb2.c:2670)
==30990==    by 0x6C4A590: dissect_smb2 (packet-smb2.c:6778)
==30990==    by 0x6C4AE87: dissect_smb2_heur (packet-smb2.c:7220)
==30990==    by 0x65A4BF6: dissector_try_heuristic (packet.c:1993)
==30990==    by 0x6A94513: dissect_netbios_payload (packet-netbios.c:1071)
==30990==    by 0x6A60CE1: dissect_nbss_packet (packet-nbns.c:1541)
==30990==    by 0x6A60E9A: dissect_nbss (packet-nbns.c:1861)
==30990==    by 0x65A28FE: call_dissector_through_handle (packet.c:591)
==30990==    by 0x65A33DD: call_dissector_work (packet.c:682)
==30990==    by 0x65A3C02: dissector_try_uint_new (packet.c:1113)
==30990==    by 0x6C92EEE: decode_tcp_ports (packet-tcp.c:3916)
==30990==
==30990== Use of uninitialised value of size 8
==30990==    at 0x985B8D8: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x6C48EC3: dissect_smb2_tree_connect_response (packet-smb2.c:2680)
==30990==    by 0x6C4A590: dissect_smb2 (packet-smb2.c:6778)
==30990==    by 0x6C4AE87: dissect_smb2_heur (packet-smb2.c:7220)
==30990==    by 0x65A4BF6: dissector_try_heuristic (packet.c:1993)
==30990==    by 0x6A94513: dissect_netbios_payload (packet-netbios.c:1071)
==30990==    by 0x6A60CE1: dissect_nbss_packet (packet-nbns.c:1541)
==30990==    by 0x6A60E9A: dissect_nbss (packet-nbns.c:1861)
==30990==    by 0x65A28FE: call_dissector_through_handle (packet.c:591)
==30990==    by 0x65A33DD: call_dissector_work (packet.c:682)
==30990==    by 0x65A3C02: dissector_try_uint_new (packet.c:1113)
==30990==    by 0x6C92EEE: decode_tcp_ports (packet-tcp.c:3916)
==30990==
==30990== Use of uninitialised value of size 8
==30990==    at 0x985B4A8: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x985B979: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x6C48EC3: dissect_smb2_tree_connect_response (packet-smb2.c:2680)
==30990==    by 0x6C4A590: dissect_smb2 (packet-smb2.c:6778)
==30990==    by 0x6C4AE87: dissect_smb2_heur (packet-smb2.c:7220)
==30990==    by 0x65A4BF6: dissector_try_heuristic (packet.c:1993)
==30990==    by 0x6A94513: dissect_netbios_payload (packet-netbios.c:1071)
==30990==    by 0x6A60CE1: dissect_nbss_packet (packet-nbns.c:1541)
==30990==    by 0x6A60E9A: dissect_nbss (packet-nbns.c:1861)
==30990==    by 0x65A28FE: call_dissector_through_handle (packet.c:591)
==30990==    by 0x65A33DD: call_dissector_work (packet.c:682)
==30990==    by 0x65A3C02: dissector_try_uint_new (packet.c:1113)
==30990==
==30990== Use of uninitialised value of size 8
==30990==    at 0x985B4BD: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x985B979: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x6C48EC3: dissect_smb2_tree_connect_response (packet-smb2.c:2680)
==30990==    by 0x6C4A590: dissect_smb2 (packet-smb2.c:6778)
==30990==    by 0x6C4AE87: dissect_smb2_heur (packet-smb2.c:7220)
==30990==    by 0x65A4BF6: dissector_try_heuristic (packet.c:1993)
==30990==    by 0x6A94513: dissect_netbios_payload (packet-netbios.c:1071)
==30990==    by 0x6A60CE1: dissect_nbss_packet (packet-nbns.c:1541)
==30990==    by 0x6A60E9A: dissect_nbss (packet-nbns.c:1861)
==30990==    by 0x65A28FE: call_dissector_through_handle (packet.c:591)
==30990==    by 0x65A33DD: call_dissector_work (packet.c:682)
==30990==    by 0x65A3C02: dissector_try_uint_new (packet.c:1113)
==30990==
==30990== Use of uninitialised value of size 8
==30990==    at 0x985B4C0: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x985B979: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x6C48EC3: dissect_smb2_tree_connect_response (packet-smb2.c:2680)
==30990==    by 0x6C4A590: dissect_smb2 (packet-smb2.c:6778)
==30990==    by 0x6C4AE87: dissect_smb2_heur (packet-smb2.c:7220)
==30990==    by 0x65A4BF6: dissector_try_heuristic (packet.c:1993)
==30990==    by 0x6A94513: dissect_netbios_payload (packet-netbios.c:1071)
==30990==    by 0x6A60CE1: dissect_nbss_packet (packet-nbns.c:1541)
==30990==    by 0x6A60E9A: dissect_nbss (packet-nbns.c:1861)
==30990==    by 0x65A28FE: call_dissector_through_handle (packet.c:591)
==30990==    by 0x65A33DD: call_dissector_work (packet.c:682)
==30990==    by 0x65A3C02: dissector_try_uint_new (packet.c:1113)
==30990==
==30990== Use of uninitialised value of size 8
==30990==    at 0x985B588: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x985B979: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x6C48EC3: dissect_smb2_tree_connect_response (packet-smb2.c:2680)
==30990==    by 0x6C4A590: dissect_smb2 (packet-smb2.c:6778)
==30990==    by 0x6C4AE87: dissect_smb2_heur (packet-smb2.c:7220)
==30990==    by 0x65A4BF6: dissector_try_heuristic (packet.c:1993)
==30990==    by 0x6A94513: dissect_netbios_payload (packet-netbios.c:1071)
==30990==    by 0x6A60CE1: dissect_nbss_packet (packet-nbns.c:1541)
==30990==    by 0x6A60E9A: dissect_nbss (packet-nbns.c:1861)
==30990==    by 0x65A28FE: call_dissector_through_handle (packet.c:591)
==30990==    by 0x65A33DD: call_dissector_work (packet.c:682)
==30990==    by 0x65A3C02: dissector_try_uint_new (packet.c:1113)
==30990==
==30990== Use of uninitialised value of size 8
==30990==    at 0x985B58F: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x985B979: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x6C48EC3: dissect_smb2_tree_connect_response (packet-smb2.c:2680)
==30990==    by 0x6C4A590: dissect_smb2 (packet-smb2.c:6778)
==30990==    by 0x6C4AE87: dissect_smb2_heur (packet-smb2.c:7220)
==30990==    by 0x65A4BF6: dissector_try_heuristic (packet.c:1993)
==30990==    by 0x6A94513: dissect_netbios_payload (packet-netbios.c:1071)
==30990==    by 0x6A60CE1: dissect_nbss_packet (packet-nbns.c:1541)
==30990==    by 0x6A60E9A: dissect_nbss (packet-nbns.c:1861)
==30990==    by 0x65A28FE: call_dissector_through_handle (packet.c:591)
==30990==    by 0x65A33DD: call_dissector_work (packet.c:682)
==30990==    by 0x65A3C02: dissector_try_uint_new (packet.c:1113)
==30990==
==30990== Use of uninitialised value of size 8
==30990==    at 0x985B597: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x985B979: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x6C48EC3: dissect_smb2_tree_connect_response (packet-smb2.c:2680)
==30990==    by 0x6C4A590: dissect_smb2 (packet-smb2.c:6778)
==30990==    by 0x6C4AE87: dissect_smb2_heur (packet-smb2.c:7220)
==30990==    by 0x65A4BF6: dissector_try_heuristic (packet.c:1993)
==30990==    by 0x6A94513: dissect_netbios_payload (packet-netbios.c:1071)
==30990==    by 0x6A60CE1: dissect_nbss_packet (packet-nbns.c:1541)
==30990==    by 0x6A60E9A: dissect_nbss (packet-nbns.c:1861)
==30990==    by 0x65A28FE: call_dissector_through_handle (packet.c:591)
==30990==    by 0x65A33DD: call_dissector_work (packet.c:682)
==30990==    by 0x65A3C02: dissector_try_uint_new (packet.c:1113)
==30990==
==30990== Conditional jump or move depends on uninitialised value(s)
==30990==    at 0x985BE47: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x6C4A8C8: dissect_smb2 (packet-smb2.c:6872)
==30990==    by 0x6C4AE87: dissect_smb2_heur (packet-smb2.c:7220)
==30990==    by 0x65A4BF6: dissector_try_heuristic (packet.c:1993)
==30990==    by 0x6A94513: dissect_netbios_payload (packet-netbios.c:1071)
==30990==    by 0x6A60CE1: dissect_nbss_packet (packet-nbns.c:1541)
==30990==    by 0x6A60E9A: dissect_nbss (packet-nbns.c:1861)
==30990==    by 0x65A28FE: call_dissector_through_handle (packet.c:591)
==30990==    by 0x65A33DD: call_dissector_work (packet.c:682)
==30990==    by 0x65A3C02: dissector_try_uint_new (packet.c:1113)
==30990==    by 0x6C92EEE: decode_tcp_ports (packet-tcp.c:3916)
==30990==    by 0x6C9324A: process_tcp_payload (packet-tcp.c:3989)
==30990==
==30990== Conditional jump or move depends on uninitialised value(s)
==30990==    at 0x985BE8C: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x6C4A8C8: dissect_smb2 (packet-smb2.c:6872)
==30990==    by 0x6C4AE87: dissect_smb2_heur (packet-smb2.c:7220)
==30990==    by 0x65A4BF6: dissector_try_heuristic (packet.c:1993)
==30990==    by 0x6A94513: dissect_netbios_payload (packet-netbios.c:1071)
==30990==    by 0x6A60CE1: dissect_nbss_packet (packet-nbns.c:1541)
==30990==    by 0x6A60E9A: dissect_nbss (packet-nbns.c:1861)
==30990==    by 0x65A28FE: call_dissector_through_handle (packet.c:591)
==30990==    by 0x65A33DD: call_dissector_work (packet.c:682)
==30990==    by 0x65A3C02: dissector_try_uint_new (packet.c:1113)
==30990==    by 0x6C92EEE: decode_tcp_ports (packet-tcp.c:3916)
==30990==    by 0x6C9324A: process_tcp_payload (packet-tcp.c:3989)
==30990==
==30990== Conditional jump or move depends on uninitialised value(s)
==30990==    at 0x985BED5: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x6C4A8C8: dissect_smb2 (packet-smb2.c:6872)
==30990==    by 0x6C4AE87: dissect_smb2_heur (packet-smb2.c:7220)
==30990==    by 0x65A4BF6: dissector_try_heuristic (packet.c:1993)
==30990==    by 0x6A94513: dissect_netbios_payload (packet-netbios.c:1071)
==30990==    by 0x6A60CE1: dissect_nbss_packet (packet-nbns.c:1541)
==30990==    by 0x6A60E9A: dissect_nbss (packet-nbns.c:1861)
==30990==    by 0x65A28FE: call_dissector_through_handle (packet.c:591)
==30990==    by 0x65A33DD: call_dissector_work (packet.c:682)
==30990==    by 0x65A3C02: dissector_try_uint_new (packet.c:1113)
==30990==    by 0x6C92EEE: decode_tcp_ports (packet-tcp.c:3916)
==30990==    by 0x6C9324A: process_tcp_payload (packet-tcp.c:3989)
==30990==
==30990== Conditional jump or move depends on uninitialised value(s)
==30990==    at 0x985BEB9: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==30990==    by 0x6C4A8C8: dissect_smb2 (packet-smb2.c:6872)
==30990==    by 0x6C4AE87: dissect_smb2_heur (packet-smb2.c:7220)
==30990==    by 0x65A4BF6: dissector_try_heuristic (packet.c:1993)
==30990==    by 0x6A94513: dissect_netbios_payload (packet-netbios.c:1071)
==30990==    by 0x6A60CE1: dissect_nbss_packet (packet-nbns.c:1541)
==30990==    by 0x6A60E9A: dissect_nbss (packet-nbns.c:1861)
==30990==    by 0x65A28FE: call_dissector_through_handle (packet.c:591)
==30990==    by 0x65A33DD: call_dissector_work (packet.c:682)
==30990==    by 0x65A3C02: dissector_try_uint_new (packet.c:1113)
==30990==    by 0x6C92EEE: decode_tcp_ports (packet-tcp.c:3916)
==30990==    by 0x6C9324A: process_tcp_payload (packet-tcp.c:3989)
==30990==

** (process:30990): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 17420: packet-dcerpc.c:2585: failed assertion "id <= ((guint32) 0xffffffff)"

** (process:30990): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 19683: packet-dcerpc.c:2585: failed assertion "id <= ((guint32) 0xffffffff)"

** (process:30990): WARNING **: Dissector bug, protocol RPC_NETLOGON, in packet 28849: packet-dcerpc.c:2585: failed assertion "id <= ((guint32) 0xffffffff)"

==30990==
==30990== HEAP SUMMARY:
==30990==     in use at exit: 1,286,525 bytes in 29,924 blocks
==30990==   total heap usage: 1,798,387 allocs, 1,768,463 frees, 104,290,604 bytes allocated
==30990==
==30990== LEAK SUMMARY:
==30990==    definitely lost: 13,728 bytes in 757 blocks
==30990==    indirectly lost: 40,424 bytes in 155 blocks
==30990==      possibly lost: 0 bytes in 0 blocks
==30990==    still reachable: 1,232,373 bytes in 29,012 blocks
==30990==         suppressed: 0 bytes in 0 blocks
==30990== Rerun with --leak-check=full to see details of leaked memory
==30990==
==30990== For counts of detected and suppressed errors, rerun with: -v
==30990== Use --track-origins=yes to see where uninitialised values come from
==30990== ERROR SUMMARY: 86 errors from 12 contexts (suppressed: 3 from 3)

[ no debug trace ]