Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 10270] New: Buildbot crash output: fuzz-2014-07-09-26760.pcap

Wireshark-bugs: [Wireshark-bugs] [Bug 10270] New: Buildbot crash output: fuzz-2014-07-09-26760.p

Date: Wed, 09 Jul 2014 22:30:03 +0000

Bug ID	10270
Summary	Buildbot crash output: fuzz-2014-07-09-26760.pcap
Classification	Unclassified
Product	Wireshark
Version	unspecified
Hardware	x86-64
URL	http://www.wireshark.org/download/automated/captures/fuzz-2014-07-09-26760.pcap
OS	Ubuntu
Status	CONFIRMED
Severity	Major
Priority	High
Component	Dissection engine (libwireshark)
Assignee	[email protected]
Reporter	[email protected]

Problems have been found with the following capture file:

http://www.wireshark.org/download/automated/captures/fuzz-2014-07-09-26760.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/1393-protection_gunidiv.pcap

Build host information:
Linux wsbb04 3.2.0-65-generic #98-Ubuntu SMP Wed Jun 11 20:27:07 UTC 2014
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:    Ubuntu
Description:    Ubuntu 12.04.4 LTS
Release:    12.04
Codename:    precise

Buildbot information:
BUILDBOT_REPOSITORY=ssh://[email protected]:29418/wireshark
BUILDBOT_BUILDNUMBER=2851
BUILDBOT_URL=http://buildbot.wireshark.org/trunk/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_SLAVENAME=clang-code-analysis
BUILDBOT_GOT_REVISION=9d5bf53346d3ac8b9d3c37726928b41dc50400e0

Return value:  0

Dissector bug:  0

Valgrind error count:  11



Git commit
commit 9d5bf53346d3ac8b9d3c37726928b41dc50400e0
Author: Evan Huus <[email protected]>
Date:   Tue Jul 8 00:04:21 2014 -0400

    udvm: free the buffer *before* throwing the exception

    Freeing it after the exception doesn't do much, for obvious reasons. Also
move
    the allocation a bit later, and add modelines.

    This fixes one major memory leak, although on inspection this code still
isn't
    safe since there are exception-throwing functions called all over the place
with
    glib memory active. Outside the scope of this fix though.

    Bug: 10265
    Change-Id: I1fe272e92b92cac6b99abb84866b8ae9b582e24c
    Reviewed-on: https://code.wireshark.org/review/2931
    Reviewed-by: Anders Broman <[email protected]>


Command and args: ./tools/valgrind-wireshark.sh -T

==10183== Memcheck, a memory error detector
==10183== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==10183== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==10183== Command:
/home/wireshark/builders/trunk-clang-ca/clangcodeanalysis/install/bin/tshark
-Vx -nr
/fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2014-07-09-26760.pcap
==10183== 
==10183== Conditional jump or move depends on uninitialised value(s)
==10183==    at 0x661F23E: proto_item_set_text (proto.c:4442)
==10183==    by 0x6C1020F: dissect_rsvp_session.isra.6 (packet-rsvp.c:2213)
==10183==    by 0x6C13AC9: dissect_rsvp_gen_uni.isra.26 (packet-rsvp.c:5661)
==10183==    by 0x6C1918F: dissect_rsvp_msg_tree (packet-rsvp.c:7118)
==10183==    by 0x6C1B7B6: dissect_rsvp_common (packet-rsvp.c:7241)
==10183==    by 0x6C1BAE0: dissect_rsvp (packet-rsvp.c:7337)
==10183==    by 0x660AE7E: call_dissector_through_handle (packet.c:622)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183==    by 0x660C0E2: dissector_try_uint_new (packet.c:1145)
==10183==    by 0x69C9C93: dissect_ip (packet-ip.c:2408)
==10183==    by 0x660AE37: call_dissector_through_handle (packet.c:626)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183== 
==10183== Use of uninitialised value of size 8
==10183==    at 0x661F240: proto_item_set_text (proto.c:4446)
==10183==    by 0x6C1020F: dissect_rsvp_session.isra.6 (packet-rsvp.c:2213)
==10183==    by 0x6C13AC9: dissect_rsvp_gen_uni.isra.26 (packet-rsvp.c:5661)
==10183==    by 0x6C1918F: dissect_rsvp_msg_tree (packet-rsvp.c:7118)
==10183==    by 0x6C1B7B6: dissect_rsvp_common (packet-rsvp.c:7241)
==10183==    by 0x6C1BAE0: dissect_rsvp (packet-rsvp.c:7337)
==10183==    by 0x660AE7E: call_dissector_through_handle (packet.c:622)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183==    by 0x660C0E2: dissector_try_uint_new (packet.c:1145)
==10183==    by 0x69C9C93: dissect_ip (packet-ip.c:2408)
==10183==    by 0x660AE37: call_dissector_through_handle (packet.c:626)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183== 
==10183== Use of uninitialised value of size 8
==10183==    at 0x661A9E6: proto_tree_set_representation (proto.c:4035)
==10183==    by 0x661F2A6: proto_item_set_text (proto.c:4456)
==10183==    by 0x6C1020F: dissect_rsvp_session.isra.6 (packet-rsvp.c:2213)
==10183==    by 0x6C13AC9: dissect_rsvp_gen_uni.isra.26 (packet-rsvp.c:5661)
==10183==    by 0x6C1918F: dissect_rsvp_msg_tree (packet-rsvp.c:7118)
==10183==    by 0x6C1B7B6: dissect_rsvp_common (packet-rsvp.c:7241)
==10183==    by 0x6C1BAE0: dissect_rsvp (packet-rsvp.c:7337)
==10183==    by 0x660AE7E: call_dissector_through_handle (packet.c:622)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183==    by 0x660C0E2: dissector_try_uint_new (packet.c:1145)
==10183==    by 0x69C9C93: dissect_ip (packet-ip.c:2408)
==10183==    by 0x660AE37: call_dissector_through_handle (packet.c:626)
==10183== 
==10183== Conditional jump or move depends on uninitialised value(s)
==10183==    at 0x661A9F5: proto_tree_set_representation (proto.c:4039)
==10183==    by 0x661F2A6: proto_item_set_text (proto.c:4456)
==10183==    by 0x6C1020F: dissect_rsvp_session.isra.6 (packet-rsvp.c:2213)
==10183==    by 0x6C13AC9: dissect_rsvp_gen_uni.isra.26 (packet-rsvp.c:5661)
==10183==    by 0x6C1918F: dissect_rsvp_msg_tree (packet-rsvp.c:7118)
==10183==    by 0x6C1B7B6: dissect_rsvp_common (packet-rsvp.c:7241)
==10183==    by 0x6C1BAE0: dissect_rsvp (packet-rsvp.c:7337)
==10183==    by 0x660AE7E: call_dissector_through_handle (packet.c:622)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183==    by 0x660C0E2: dissector_try_uint_new (packet.c:1145)
==10183==    by 0x69C9C93: dissect_ip (packet-ip.c:2408)
==10183==    by 0x660AE37: call_dissector_through_handle (packet.c:626)
==10183== 
==10183== Use of uninitialised value of size 8
==10183==    at 0x661A9FD: proto_tree_set_representation (proto.c:4040)
==10183==    by 0x661F2A6: proto_item_set_text (proto.c:4456)
==10183==    by 0x6C1020F: dissect_rsvp_session.isra.6 (packet-rsvp.c:2213)
==10183==    by 0x6C13AC9: dissect_rsvp_gen_uni.isra.26 (packet-rsvp.c:5661)
==10183==    by 0x6C1918F: dissect_rsvp_msg_tree (packet-rsvp.c:7118)
==10183==    by 0x6C1B7B6: dissect_rsvp_common (packet-rsvp.c:7241)
==10183==    by 0x6C1BAE0: dissect_rsvp (packet-rsvp.c:7337)
==10183==    by 0x660AE7E: call_dissector_through_handle (packet.c:622)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183==    by 0x660C0E2: dissector_try_uint_new (packet.c:1145)
==10183==    by 0x69C9C93: dissect_ip (packet-ip.c:2408)
==10183==    by 0x660AE37: call_dissector_through_handle (packet.c:626)
==10183== 
==10183== Conditional jump or move depends on uninitialised value(s)
==10183==    at 0x661F23E: proto_item_set_text (proto.c:4442)
==10183==    by 0x6C1093D: dissect_rsvp_template_filter.isra.10
(packet-rsvp.c:3037)
==10183==    by 0x6C13D76: dissect_rsvp_gen_uni.isra.26 (packet-rsvp.c:5679)
==10183==    by 0x6C1918F: dissect_rsvp_msg_tree (packet-rsvp.c:7118)
==10183==    by 0x6C1B7B6: dissect_rsvp_common (packet-rsvp.c:7241)
==10183==    by 0x6C1BAE0: dissect_rsvp (packet-rsvp.c:7337)
==10183==    by 0x660AE7E: call_dissector_through_handle (packet.c:622)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183==    by 0x660C0E2: dissector_try_uint_new (packet.c:1145)
==10183==    by 0x69C9C93: dissect_ip (packet-ip.c:2408)
==10183==    by 0x660AE37: call_dissector_through_handle (packet.c:626)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183== 
==10183== Use of uninitialised value of size 8
==10183==    at 0x661F240: proto_item_set_text (proto.c:4446)
==10183==    by 0x6C1093D: dissect_rsvp_template_filter.isra.10
(packet-rsvp.c:3037)
==10183==    by 0x6C13D76: dissect_rsvp_gen_uni.isra.26 (packet-rsvp.c:5679)
==10183==    by 0x6C1918F: dissect_rsvp_msg_tree (packet-rsvp.c:7118)
==10183==    by 0x6C1B7B6: dissect_rsvp_common (packet-rsvp.c:7241)
==10183==    by 0x6C1BAE0: dissect_rsvp (packet-rsvp.c:7337)
==10183==    by 0x660AE7E: call_dissector_through_handle (packet.c:622)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183==    by 0x660C0E2: dissector_try_uint_new (packet.c:1145)
==10183==    by 0x69C9C93: dissect_ip (packet-ip.c:2408)
==10183==    by 0x660AE37: call_dissector_through_handle (packet.c:626)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183== 
==10183== Use of uninitialised value of size 8
==10183==    at 0x661F253: proto_item_set_text (proto.c:4451)
==10183==    by 0x6C1093D: dissect_rsvp_template_filter.isra.10
(packet-rsvp.c:3037)
==10183==    by 0x6C13D76: dissect_rsvp_gen_uni.isra.26 (packet-rsvp.c:5679)
==10183==    by 0x6C1918F: dissect_rsvp_msg_tree (packet-rsvp.c:7118)
==10183==    by 0x6C1B7B6: dissect_rsvp_common (packet-rsvp.c:7241)
==10183==    by 0x6C1BAE0: dissect_rsvp (packet-rsvp.c:7337)
==10183==    by 0x660AE7E: call_dissector_through_handle (packet.c:622)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183==    by 0x660C0E2: dissector_try_uint_new (packet.c:1145)
==10183==    by 0x69C9C93: dissect_ip (packet-ip.c:2408)
==10183==    by 0x660AE37: call_dissector_through_handle (packet.c:626)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183== 
==10183== Use of uninitialised value of size 8
==10183==    at 0x661A9E6: proto_tree_set_representation (proto.c:4035)
==10183==    by 0x661F2A6: proto_item_set_text (proto.c:4456)
==10183==    by 0x6C1093D: dissect_rsvp_template_filter.isra.10
(packet-rsvp.c:3037)
==10183==    by 0x6C13D76: dissect_rsvp_gen_uni.isra.26 (packet-rsvp.c:5679)
==10183==    by 0x6C1918F: dissect_rsvp_msg_tree (packet-rsvp.c:7118)
==10183==    by 0x6C1B7B6: dissect_rsvp_common (packet-rsvp.c:7241)
==10183==    by 0x6C1BAE0: dissect_rsvp (packet-rsvp.c:7337)
==10183==    by 0x660AE7E: call_dissector_through_handle (packet.c:622)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183==    by 0x660C0E2: dissector_try_uint_new (packet.c:1145)
==10183==    by 0x69C9C93: dissect_ip (packet-ip.c:2408)
==10183==    by 0x660AE37: call_dissector_through_handle (packet.c:626)
==10183== 
==10183== Conditional jump or move depends on uninitialised value(s)
==10183==    at 0x661A9F5: proto_tree_set_representation (proto.c:4039)
==10183==    by 0x661F2A6: proto_item_set_text (proto.c:4456)
==10183==    by 0x6C1093D: dissect_rsvp_template_filter.isra.10
(packet-rsvp.c:3037)
==10183==    by 0x6C13D76: dissect_rsvp_gen_uni.isra.26 (packet-rsvp.c:5679)
==10183==    by 0x6C1918F: dissect_rsvp_msg_tree (packet-rsvp.c:7118)
==10183==    by 0x6C1B7B6: dissect_rsvp_common (packet-rsvp.c:7241)
==10183==    by 0x6C1BAE0: dissect_rsvp (packet-rsvp.c:7337)
==10183==    by 0x660AE7E: call_dissector_through_handle (packet.c:622)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183==    by 0x660C0E2: dissector_try_uint_new (packet.c:1145)
==10183==    by 0x69C9C93: dissect_ip (packet-ip.c:2408)
==10183==    by 0x660AE37: call_dissector_through_handle (packet.c:626)
==10183== 
==10183== Use of uninitialised value of size 8
==10183==    at 0x661A9FD: proto_tree_set_representation (proto.c:4040)
==10183==    by 0x661F2A6: proto_item_set_text (proto.c:4456)
==10183==    by 0x6C1093D: dissect_rsvp_template_filter.isra.10
(packet-rsvp.c:3037)
==10183==    by 0x6C13D76: dissect_rsvp_gen_uni.isra.26 (packet-rsvp.c:5679)
==10183==    by 0x6C1918F: dissect_rsvp_msg_tree (packet-rsvp.c:7118)
==10183==    by 0x6C1B7B6: dissect_rsvp_common (packet-rsvp.c:7241)
==10183==    by 0x6C1BAE0: dissect_rsvp (packet-rsvp.c:7337)
==10183==    by 0x660AE7E: call_dissector_through_handle (packet.c:622)
==10183==    by 0x660B8BD: call_dissector_work (packet.c:713)
==10183==    by 0x660C0E2: dissector_try_uint_new (packet.c:1145)
==10183==    by 0x69C9C93: dissect_ip (packet-ip.c:2408)
==10183==    by 0x660AE37: call_dissector_through_handle (packet.c:626)
==10183== 
==10183== 
==10183== HEAP SUMMARY:
==10183==     in use at exit: 1,207,734 bytes in 29,323 blocks
==10183==   total heap usage: 221,163 allocs, 191,840 frees, 28,231,154 bytes
allocated
==10183== 
==10183== LEAK SUMMARY:
==10183==    definitely lost: 3,592 bytes in 158 blocks
==10183==    indirectly lost: 36,648 bytes in 49 blocks
==10183==      possibly lost: 0 bytes in 0 blocks
==10183==    still reachable: 1,167,494 bytes in 29,116 blocks
==10183==         suppressed: 0 bytes in 0 blocks
==10183== Rerun with --leak-check=full to see details of leaked memory
==10183== 
==10183== For counts of detected and suppressed errors, rerun with: -v
==10183== Use --track-origins=yes to see where uninitialised values come from
==10183== ERROR SUMMARY: 11 errors from 11 contexts (suppressed: 3 from 3)

[ no debug trace ]

You are receiving this mail because:

You are watching all bug changes.

Follow-Ups:
- [Wireshark-bugs] [Bug 10270] Buildbot crash output: fuzz-2014-07-09-26760.pcap
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 10270] Buildbot crash output: fuzz-2014-07-09-26760.pcap
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 10270] Buildbot crash output: fuzz-2014-07-09-26760.pcap
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 10270] Buildbot crash output: fuzz-2014-07-09-26760.pcap
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 10268] Build fails on Mac with gtk-3.12 and gtk-mac-integration because GTKSelectionData is now private
Next by Date: [Wireshark-bugs] [Bug 10270] Buildbot crash output: fuzz-2014-07-09-26760.pcap
Previous by thread: [Wireshark-bugs] [Bug 10269] Filtering on mp2t.cc.drop does not catch CC errors in 1.10.8
Next by thread: [Wireshark-bugs] [Bug 10270] Buildbot crash output: fuzz-2014-07-09-26760.pcap
Index(es):
- Date
- Thread