Wireshark-bugs: [Wireshark-bugs] [Bug 10685] New: Crash (segfault) when enabling monitor mode

Date: Mon, 10 Nov 2014 11:08:53 +0000
Bug ID 10685
Summary Crash (segfault) when enabling monitor mode
Product Wireshark
Version 1.12.1
Hardware x86-64
OS Debian
Status UNCONFIRMED
Severity Major
Priority Low
Component GTK+ UI
Assignee [email protected]
Reporter [email protected]

Build Information:
Debian version 1.12.1+g01b65bf-1

--
When I try to enable monitor mode on my rt2800usb or Intel 6250 interface,
wireshark crashes. I've seen this happen both when enabling it on the wlan1
interface, as well as when using the mon0 interface (created by airmon-ng
manually).

To reproduce:
 - Open wireshark
 - Open capture options
 - Double-click mon0
 - Check the monitor mode check box. When I do this, wireshark stalls for a few
seconds and afterwards I see that all interfaces in the capture options dialog
get deselected.
 - Click close
 - Wireshark segfaults

It seems this does not always happen - I've been able to enable monitor mode
once.

gdb traces the segfault to this line in update_options_table:

  device = g_array_index(global_capture_opts.all_ifaces, interface_t,
marked_interface);

According to gdb, global_capture_opts.all_ifaces is NULL, which probably
explains the segfault (or does 0x0 indicate an empty array?):

(gdb) print global_capture_opts 
$7 = {ifaces = 0x96bc90, all_ifaces = 0x0, num_selected = 2, default_options =
{name = 0x0, descr = 0x0, console_display_name = 0x0, cfilter = 0x1c07d30 "", 
    has_snaplen = 0, snaplen = 262144, linktype = -1, promisc_mode = 1, if_type
= IF_WIRED, buffer_size = 2, monitor_mode = 0}, saving_to_file = 0, 
  save_file = 0x0, group_read_access = 0, use_pcapng = 0, real_time_mode = 1,
show_info = 0, quit_after_cap = 0, restart = 0, orig_save_file = 0x0, 
  multi_files_on = 0, has_file_duration = 0, file_duration = 60,
has_ring_num_files = 0, ring_num_files = 0, has_autostop_files = 0,
autostop_files = 1, 
  has_autostop_packets = 0, autostop_packets = 0, has_autostop_filesize = 0,
autostop_filesize = 1000, has_autostop_duration = 0, autostop_duration = 60, 
  capture_comment = 0x0, output_to_pipe = 0, capture_child = 0}

Putting a breakpoint at the end of capture_prep_monitor_changed_cb confirms
that all_ifaces still has a value then. Also, after adding a breakpoint here,
the monitor mode suddenly started working - not sure if that's a coincidence.
Removing the breakpoint (and restarting) did not break things again, but now I
see that even though monitor mode is shown as disabled on mon0, the link type
is fixed to 802.11 plus radiotap - so I guess that the switch from ethernet to
802.11 plus radiotap somehow breaks things.

Adding a watch to the all_ifaces variable shows that this line in
save_options_cb changes all_ifaces to 0x0:

  device = g_array_index(global_capture_opts.all_ifaces, interface_t,
marked_interface);

Just before this, I see an assertion failure:

    (wireshark:24336): GLib-CRITICAL **: g_array_remove_index: assertion
'index_ < array->len' failed

For some reason, the array length is reduced to 3:

(wireshark:26054): GLib-CRITICAL **: g_array_remove_index: assertion 'index_ <
array->len' failed
Hardware watchpoint 3: -location global_capture_opts.all_ifaces

Old value = (GArray *) 0x96bc60
New value = (GArray *) 0x0
save_options_cb (win=<optimized out>, user_data=<optimized out>) at
/build/wireshark-8J91yn/wireshark-1.12.1+g01b65bf/ui/gtk/capture_dlg.c:2493
(gdb) print *((GArray *) 0x96bc60)                                              
$22 = {data = "" "@\003r\001", len = 3}

Apparently, the length is reduced while rescanning interfaces:
Hardware watchpoint 5: -location ((GArray *) 0x96bc60)->len

Old value = 9
New value = 8
g_array_remove_index (farray=0x96bc60, index_=index_@entry=8) at
/build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/garray.c:600
600     in /build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/garray.c
(gdb) bt
#0  g_array_remove_index (farray=0x96bc60, index_=index_@entry=8) at
/build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/garray.c:600
#1  0x0000000000520187 in scan_local_interfaces (update_cb=0x443bb0
<main_window_update>)
    at /build/wireshark-8J91yn/wireshark-1.12.1+g01b65bf/ui/iface_lists.c:89
#2  0x00000000004cdad0 in refresh_local_interface_lists () at
/build/wireshark-8J91yn/wireshark-1.12.1+g01b65bf/ui/gtk/capture_dlg.c:6133
#3  0x0000000000430a8b in iface_mon_handler2 (obj=0x1dd7c40, arg=0x4ee0e0
<gtk_iface_mon_event_cb>)
    at /build/wireshark-8J91yn/wireshark-1.12.1+g01b65bf/iface_monitor.c:108
#4  0x00007ffff0d3b08e in ?? () from /lib/x86_64-linux-gnu/libnl-3.so.200
#5  0x00007ffff0f659ec in ?? () from
/usr/lib/x86_64-linux-gnu/libnl-route-3.so.200
#6  0x00007ffff0d383f9 in nl_cache_parse () from
/lib/x86_64-linux-gnu/libnl-3.so.200
#7  0x00007ffff0d3c8eb in nl_msg_parse () from
/lib/x86_64-linux-gnu/libnl-3.so.200
#8  0x0000000000430a33 in iface_mon_handler (msg=<optimized out>,
arg=<optimized out>)
    at /build/wireshark-8J91yn/wireshark-1.12.1+g01b65bf/iface_monitor.c:118
#9  0x00007ffff0d3dbef in nl_recvmsgs_report () from
/lib/x86_64-linux-gnu/libnl-3.so.200
#10 0x00007ffff0d3dfb9 in nl_recvmsgs () from
/lib/x86_64-linux-gnu/libnl-3.so.200
#11 0x00000000004ee0c9 in gtk_iface_mon_event (source=<optimized out>,
condition=<optimized out>, data=<optimized out>)
    at
/build/wireshark-8J91yn/wireshark-1.12.1+g01b65bf/ui/gtk/gtk_iface_monitor.c:85
#12 0x00007ffff642addd in g_main_dispatch (context=0x86a320) at
/build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/gmain.c:3064
#13 g_main_context_dispatch (context=context@entry=0x86a320) at
/build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/gmain.c:3663
#14 0x00007ffff642b1b8 in g_main_context_iterate (context=0x86a320,
block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/gmain.c:3734
#15 0x00007ffff642b4e2 in g_main_loop_run (loop=0x16ba320) at
/build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/gmain.c:3928
#16 0x00007ffff77c7ba0 in gtk_main () from
/usr/lib/x86_64-linux-gnu/libgtk-3.so.0
#17 0x0000000000423eed in main (argc=0, argv=0x7fffffffe560) at
/build/wireshark-8J91yn/wireshark-1.12.1+g01b65bf/ui/gtk/main.c:3248


This goes down to zero, and then counts up again:

Hardware watchpoint 5: -location ((GArray *) 0x96bc60)->len

Old value = 0
New value = 1
g_array_append_vals (farray=0x96bc60, data=""
len=len@entry=1) at /build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/garray.c:425
425     in /build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/garray.c
(gdb) bt
#0  g_array_append_vals (farray=0x96bc60, data=""
len=len@entry=1) at /build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/garray.c:425
#1  0x000000000052095a in scan_local_interfaces (update_cb=0x443bb0
<main_window_update>)
    at /build/wireshark-8J91yn/wireshark-1.12.1+g01b65bf/ui/iface_lists.c:301
#2  0x00000000004cdad0 in refresh_local_interface_lists () at
/build/wireshark-8J91yn/wireshark-1.12.1+g01b65bf/ui/gtk/capture_dlg.c:6133
#3  0x0000000000430a8b in iface_mon_handler2 (obj=0x1dd7c40, arg=0x4ee0e0
<gtk_iface_mon_event_cb>)
    at /build/wireshark-8J91yn/wireshark-1.12.1+g01b65bf/iface_monitor.c:108
#4  0x00007ffff0d3b08e in ?? () from /lib/x86_64-linux-gnu/libnl-3.so.200
#5  0x00007ffff0f659ec in ?? () from
/usr/lib/x86_64-linux-gnu/libnl-route-3.so.200
#6  0x00007ffff0d383f9 in nl_cache_parse () from
/lib/x86_64-linux-gnu/libnl-3.so.200
#7  0x00007ffff0d3c8eb in nl_msg_parse () from
/lib/x86_64-linux-gnu/libnl-3.so.200
#8  0x0000000000430a33 in iface_mon_handler (msg=<optimized out>,
arg=<optimized out>)
    at /build/wireshark-8J91yn/wireshark-1.12.1+g01b65bf/iface_monitor.c:118
#9  0x00007ffff0d3dbef in nl_recvmsgs_report () from
/lib/x86_64-linux-gnu/libnl-3.so.200
#10 0x00007ffff0d3dfb9 in nl_recvmsgs () from
/lib/x86_64-linux-gnu/libnl-3.so.200
#11 0x00000000004ee0c9 in gtk_iface_mon_event (source=<optimized out>,
condition=<optimized out>, data=<optimized out>)
    at
/build/wireshark-8J91yn/wireshark-1.12.1+g01b65bf/ui/gtk/gtk_iface_monitor.c:85
#12 0x00007ffff642addd in g_main_dispatch (context=0x86a320) at
/build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/gmain.c:3064
#13 g_main_context_dispatch (context=context@entry=0x86a320) at
/build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/gmain.c:3663
#14 0x00007ffff642b1b8 in g_main_context_iterate (context=0x86a320,
block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/gmain.c:3734
#15 0x00007ffff642b4e2 in g_main_loop_run (loop=0x16ba320) at
/build/glib2.0-tWPgvS/glib2.0-2.40.0/./glib/gmain.c:3928
#16 0x00007ffff77c7ba0 in gtk_main () from
/usr/lib/x86_64-linux-gnu/libgtk-3.so.0
#17 0x0000000000423eed in main (argc=0, argv=0x7fffffffe560) at
/build/wireshark-8J91yn/wireshark-1.12.1+g01b65bf/ui/gtk/main.c:3248

This counting down and up happens twice. When I had watchpoints in place, it
counted back up to 12 and the crash didn't happen, which again suggests a race
condition of some sort.

I can't see any more quick debug steps I could take but I'm happy to collect
more info if anyone can suggest things to try.
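Editor's note: the trace above shows the hazard in two forms: a callback dereferences `all_ifaces` with a saved index (`marked_interface`) after an interface rescan has emptied and refilled the array behind it, and later dereferences it when the array pointer itself is NULL. The program below is an added example, not Wireshark or GLib code, that models that situation in plain C. GLib is not linked; the `GArray` public fields and the `g_array_index()` macro (which is raw pointer arithmetic with no bounds or NULL check) are reproduced from their GLib definitions under model names, `interface_t` is a stand-in struct, and the interface names are constructed sample data. It shows a bounds-checked accessor and a lookup by a stable key (the interface name) as the defensive alternatives to trusting a cached index across a rescan.

```c
/* Added example, not Wireshark or GLib code. Models the GArray hazard from the
 * report: a stale index into an array that a rescan empties and refills, and
 * a NULL array pointer, both dereferenced through an unchecked index macro.
 * The GArray fields and index macro are reproduced from GLib's definitions so
 * the program is self-contained; interface names are constructed sample data. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char *data; unsigned int len; } ModelGArray;   /* GArray's public fields */
typedef struct { char name[16]; int monitor_mode; } interface_t; /* stand-in for Wireshark's */

/* Same shape as GLib's g_array_index(): no bounds check, no NULL check. */
#define model_array_index(a, t, i) (((t *)(void *)(a)->data)[(i)])

static void array_clear(ModelGArray *a) { a->len = 0; }

static void array_append(ModelGArray *a, const interface_t *iface) {
    a->data = realloc(a->data, (size_t)(a->len + 1) * sizeof *iface);
    memcpy(a->data + (size_t)a->len * sizeof *iface, iface, sizeof *iface);
    a->len++;
}

/* Checked accessor: what a bare g_array_index() should be replaced with when
 * the index may be stale. NULL for a NULL array or an out-of-range index. */
static interface_t *iface_at(ModelGArray *a, unsigned int i) {
    if (a == NULL || i >= a->len) return NULL;
    return &model_array_index(a, interface_t, i);
}

/* Re-resolve an interface by its name instead of trusting a cached index.
 * Returns the current index, or -1 if the interface is gone. */
static int iface_index_by_name(ModelGArray *a, const char *name) {
    if (a == NULL) return -1;
    for (unsigned int i = 0; i < a->len; i++)
        if (strcmp(model_array_index(a, interface_t, i).name, name) == 0) return (int)i;
    return -1;
}

/* Models scan_local_interfaces(): the length drops to zero, then counts back
 * up once per interface found, exactly the pattern the watchpoints showed. */
static void rescan(ModelGArray *a, unsigned int found) {
    array_clear(a);
    for (unsigned int k = 0; k < found; k++) {
        interface_t iface = {0};
        snprintf(iface.name, sizeof iface.name, "if%u", k);
        array_append(a, &iface);
    }
}

/* Scenario from the report: 9 interfaces, the dialog remembers index 8, a
 * netlink-triggered rescan refills the array with only 8 entries, and the
 * callback then uses the saved index. Returns 1 if the checked accessor
 * accepted the index before the rescan and rejected it afterwards. */
static int stale_index_is_rejected(void) {
    ModelGArray a = { NULL, 0 };
    rescan(&a, 9);
    unsigned int marked_interface = 8;                     /* valid now: 8 < 9 */
    int valid_before = iface_at(&a, marked_interface) != NULL;
    rescan(&a, 8);                                         /* one interface vanished */
    int valid_after = iface_at(&a, marked_interface) != NULL;
    free(a.data);
    return valid_before && !valid_after;
}

/* Same setup, but the callback re-resolves by name after the rescan. */
static int index_after_rescan(const char *name) {
    ModelGArray a = { NULL, 0 };
    rescan(&a, 9);
    rescan(&a, 8);
    int idx = iface_index_by_name(&a, name);
    free(a.data);
    return idx;
}

/* Second failure in the report: the array pointer is NULL. A bare
 * g_array_index() dereferences NULL->data; the checked accessor does not. */
static int null_array_is_rejected(void) { return iface_at(NULL, 0) == NULL; }

int main(void) {
    printf("stale index rejected: %d\n", stale_index_is_rejected());
    printf("if3 after rescan: %d, if8 after rescan: %d\n",
           index_after_rescan("if3"), index_after_rescan("if8"));
    printf("NULL array rejected:  %d\n", null_array_is_rejected());
    return 0;
}
```

The point for a reviewer of the real code is the same as for this model: an index captured in one callback is only meaningful until the next `scan_local_interfaces()` runs, and that rescan is driven asynchronously by netlink events, so the index must be re-validated against `len` (and the array against NULL) at the point of use, or the interface re-resolved by name.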

