Wireshark-bugs: [Wireshark-bugs] [Bug 10281] New: Buildbot crash output: fuzz-2014-07-12-9393.pc

Date: Mon, 14 Jul 2014 00:30:02 +0000
Bug ID 10281
Summary Buildbot crash output: fuzz-2014-07-12-9393.pcap
Classification Unclassified
Product Wireshark
Version unspecified
Hardware x86-64
URL http://www.wireshark.org/download/automated/captures/fuzz-2014-07-12-9393.pcap
OS Ubuntu
Status CONFIRMED
Severity Major
Priority High
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Problems have been found with the following capture file:

http://www.wireshark.org/download/automated/captures/fuzz-2014-07-12-9393.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/6575-test-dlmapc-wmx.pcap

Build host information:
Linux wsbb04 3.2.0-65-generic #98-Ubuntu SMP Wed Jun 11 20:27:07 UTC 2014
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:    Ubuntu
Description:    Ubuntu 12.04.4 LTS
Release:    12.04
Codename:    precise

Buildbot information:
BUILDBOT_REPOSITORY=ssh://[email protected]:29418/wireshark
BUILDBOT_BUILDNUMBER=2853
BUILDBOT_URL=http://buildbot.wireshark.org/trunk/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_SLAVENAME=clang-code-analysis
BUILDBOT_GOT_REVISION=b3b1f7c3aa2233a147294bad833b748d38fba84d

Return value:  0

Dissector bug:  0

Valgrind error count:  248



Git commit
commit b3b1f7c3aa2233a147294bad833b748d38fba84d
Author: Peter Wu <[email protected]>
Date:   Thu Jul 3 11:23:19 2014 +0200

    logcat: improve (crash) robustness, improve names

    The logcat version detector would crash with ASAN enabled because it did
    not validate the payload length and hence a payload length of 0 would
    trigger out-of-bounds access. (This happened on non-logcat data.)

    This patch tries to get rid of all magic numbers by using a structure,
    improves the version detector to validate the payload length and
    prevents crashes due to missing nul-terminators in the input. Older
    Android kernels would create entries with __pad with random contents, so
    that cannot be used to determine version for v1. Instead, use heuristics
    on the priority, tag and maybe the msg field.

    Furthermore, Android is mostly (if not, always?) Little-Endian, so add
    conversions where necessary (just in case WS supports BE arches).

    "microseconds" has been renamed to "milliseconds" because that is what
    they are, actually. A duplicate logcat_log loop has been refactored
    such that one loop is sufficient; instead of separate buffers for each
    log part, a single one is now used. get_priority does not really need
    a pointer, just make it accept a character.

    The output has been validated against v1 and v2 logcat binary formats
    with __pad (hdr_size) equal to 0, and on attachment 9906 [details].

    Change-Id: I46c8813e76fe705b293ffdee85b4c1bfff7d8362
    Reviewed-on: https://code.wireshark.org/review/2803
    Reviewed-by: Michal Labedzki <[email protected]>
    Tested-by: Michal Labedzki <[email protected]>


Command and args: ./tools/valgrind-wireshark.sh 

==5561== Memcheck, a memory error detector
==5561== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==5561== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==5561== Command: /home/wireshark/builders/trunk-clang-ca/clangcodeanalysis/install/bin/tshark -nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2014-07-12-9393.pcap
==5561== 
==5561== Conditional jump or move depends on uninitialised value(s)
==5561==    at 0xEE7A905: dissect_dlmap_ie (msg_dlmap.c:1774)
==5561==    by 0xEE7CE88: wimax_decode_dlmapc (msg_dlmap.c:2110)
==5561==    by 0xEE6C19F: dissect_wimax_pdu_decoder (wimax_pdu_decoder.c:136)
==5561==    by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561==    by 0x660D2BD: call_dissector_work (packet.c:713)
==5561==    by 0x660F220: call_dissector_with_data (packet.c:2297)
==5561==    by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561==    by 0x660D2BD: call_dissector_work (packet.c:713)
==5561==    by 0x660DAE2: dissector_try_uint_new (packet.c:1145)
==5561==    by 0x660DB36: dissector_try_uint (packet.c:1171)
==5561==    by 0x6D51924: decode_udp_ports (packet-udp.c:412)
==5561==    by 0x6D5206E: dissect (packet-udp.c:762)
==5561== 
==5561== Conditional jump or move depends on uninitialised value(s)
==5561==    at 0xEE7A90F: dissect_dlmap_ie (msg_dlmap.c:1852)
==5561==    by 0xEE7CE88: wimax_decode_dlmapc (msg_dlmap.c:2110)
==5561==    by 0xEE6C19F: dissect_wimax_pdu_decoder (wimax_pdu_decoder.c:136)
==5561==    by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561==    by 0x660D2BD: call_dissector_work (packet.c:713)
==5561==    by 0x660F220: call_dissector_with_data (packet.c:2297)
==5561==    by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561==    by 0x660D2BD: call_dissector_work (packet.c:713)
==5561==    by 0x660DAE2: dissector_try_uint_new (packet.c:1145)
==5561==    by 0x660DB36: dissector_try_uint (packet.c:1171)
==5561==    by 0x6D51924: decode_udp_ports (packet-udp.c:412)
==5561==    by 0x6D5206E: dissect (packet-udp.c:762)
==5561== 
==5561== Conditional jump or move depends on uninitialised value(s)
==5561==    at 0xEE7A95D: dissect_dlmap_ie (msg_dlmap.c:1940)
==5561==    by 0xEE7CE88: wimax_decode_dlmapc (msg_dlmap.c:2110)
==5561==    by 0xEE6C19F: dissect_wimax_pdu_decoder (wimax_pdu_decoder.c:136)
==5561==    by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561==    by 0x660D2BD: call_dissector_work (packet.c:713)
==5561==    by 0x660F220: call_dissector_with_data (packet.c:2297)
==5561==    by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561==    by 0x660D2BD: call_dissector_work (packet.c:713)
==5561==    by 0x660DAE2: dissector_try_uint_new (packet.c:1145)
==5561==    by 0x660DB36: dissector_try_uint (packet.c:1171)
==5561==    by 0x6D51924: decode_udp_ports (packet-udp.c:412)
==5561==    by 0x6D5206E: dissect (packet-udp.c:762)
==5561== 
==5561== Conditional jump or move depends on uninitialised value(s)
==5561==    at 0xEE7A9C5: dissect_dlmap_ie (msg_dlmap.c:1953)
==5561==    by 0xEE7CE88: wimax_decode_dlmapc (msg_dlmap.c:2110)
==5561==    by 0xEE6C19F: dissect_wimax_pdu_decoder (wimax_pdu_decoder.c:136)
==5561==    by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561==    by 0x660D2BD: call_dissector_work (packet.c:713)
==5561==    by 0x660F220: call_dissector_with_data (packet.c:2297)
==5561==    by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561==    by 0x660D2BD: call_dissector_work (packet.c:713)
==5561==    by 0x660DAE2: dissector_try_uint_new (packet.c:1145)
==5561==    by 0x660DB36: dissector_try_uint (packet.c:1171)
==5561==    by 0x6D51924: decode_udp_ports (packet-udp.c:412)
==5561==    by 0x6D5206E: dissect (packet-udp.c:762)
==5561== 
==5561== Conditional jump or move depends on uninitialised value(s)
==5561==    at 0xEE7AA8D: dissect_dlmap_ie (msg_dlmap.c:1774)
==5561==    by 0xEE7CE88: wimax_decode_dlmapc (msg_dlmap.c:2110)
==5561==    by 0xEE6C19F: dissect_wimax_pdu_decoder (wimax_pdu_decoder.c:136)
==5561==    by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561==    by 0x660D2BD: call_dissector_work (packet.c:713)
==5561==    by 0x660F220: call_dissector_with_data (packet.c:2297)
==5561==    by 0x660C837: call_dissector_through_handle (packet.c:626)
==5561==    by 0x660D2BD: call_dissector_work (packet.c:713)
==5561==    by 0x660DAE2: dissector_try_uint_new (packet.c:1145)
==5561==    by 0x660DB36: dissector_try_uint (packet.c:1171)
==5561==    by 0x6D51924: decode_udp_ports (packet-udp.c:412)
==5561==    by 0x6D5206E: dissect (packet-udp.c:762)
==5561== 
==5561== 
==5561== HEAP SUMMARY:
==5561==     in use at exit: 1,207,177 bytes in 29,301 blocks
==5561==   total heap usage: 221,382 allocs, 192,081 frees, 28,226,687 bytes allocated
==5561== 
==5561== LEAK SUMMARY:
==5561==    definitely lost: 5,411 bytes in 165 blocks
==5561==    indirectly lost: 36,648 bytes in 49 blocks
==5561==      possibly lost: 0 bytes in 0 blocks
==5561==    still reachable: 1,165,118 bytes in 29,087 blocks
==5561==         suppressed: 0 bytes in 0 blocks
==5561== Rerun with --leak-check=full to see details of leaked memory
==5561== 
==5561== For counts of detected and suppressed errors, rerun with: -v
==5561== Use --track-origins=yes to see where uninitialised values come from
==5561== ERROR SUMMARY: 248 errors from 5 contexts (suppressed: 3 from 3)

[ no debug trace ]