Wireshark-bugs: [Wireshark-bugs] [Bug 10773] New: Buildbot crash output: fuzz-2014-12-12-16980.p

Date: Fri, 12 Dec 2014 13:00:02 +0000
Bug ID: 10773
Summary: Buildbot crash output: fuzz-2014-12-12-16980.pcap
Product: Wireshark
Version: unspecified
Hardware: x86-64
URL: https://www.wireshark.org/download/automated/captures/fuzz-2014-12-12-16980.pcap
OS: Ubuntu
Status: CONFIRMED
Severity: Major
Priority: High
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2014-12-12-16980.pcap

stderr:
Input file:
/home/wireshark/menagerie/menagerie/13320-ESMLC01-OTDOA-Test02-031214.pcap

Build host information:
Linux wsbb04 3.13.0-39-generic #66-Ubuntu SMP Tue Oct 28 13:30:27 UTC 2014
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:    Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:    14.04
Codename:    trusty

Buildbot information:
BUILDBOT_REPOSITORY=ssh://[email protected]:29418/wireshark
BUILDBOT_BUILDNUMBER=3081
BUILDBOT_URL=http://buildbot.wireshark.org/trunk/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_SLAVENAME=clang-code-analysis
BUILDBOT_GOT_REVISION=4c229ca40dcc0a75b356282e7e9dabd90fa7f1e3

Return value:  139

Dissector bug:  0

Valgrind error count:  3



Git commit
commit 4c229ca40dcc0a75b356282e7e9dabd90fa7f1e3
Author: Gerald Combs <[email protected]>
Date:   Wed Dec 10 09:30:32 2014 -0800

    Build 1.99.1.

    Change-Id: Ic6dcbfc880817ad4bcc07a21ec88d14c8c92df58
    Reviewed-on: https://code.wireshark.org/review/5703
    Reviewed-by: Gerald Combs <[email protected]>


Command and args: ./tools/valgrind-wireshark.sh -T

==14427== Memcheck, a memory error detector
==14427== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==14427== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==14427== Command: /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/bin/tshark -Vx -nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2014-12-12-16980.pcap
==14427== 
==14427== Conditional jump or move depends on uninitialised value(s)
==14427==    at 0xA7B269B: vfprintf (vfprintf.c:1661)
==14427==    by 0xA870D74: __vsnprintf_chk (vsnprintf_chk.c:63)
==14427==    by 0x66D8A77: proto_item_append_text (proto.c:4537)
==14427==    by 0x6F6474D: dissect_lpp_T_reportingInterval (lpp.cnf:271)
==14427==    by 0x6C3D51E: dissect_per_sequence (packet-per.c:1858)
==14427==    by 0x6F5F25A: dissect_lpp_PeriodicalReportingCriteria (lpp.cnf:286)
==14427==    by 0x6C3D51E: dissect_per_sequence (packet-per.c:1858)
==14427==    by 0x6F5F17A: dissect_lpp_CommonIEsRequestLocationInformation (lpp.cnf:365)
==14427==    by 0x6C3D51E: dissect_per_sequence (packet-per.c:1858)
==14427==    by 0x6F5F0DA: dissect_lpp_RequestLocationInformation_r9_IEs (lpp.cnf:1409)
==14427==    by 0x6C3D1AF: dissect_per_choice (packet-per.c:1706)
==14427==    by 0x6F63A23: dissect_lpp_T_c1_05 (lpp.cnf:1434)
==14427== 
==14427== Use of uninitialised value of size 8
==14427==    at 0xA7B28F3: vfprintf (vfprintf.c:1661)
==14427==    by 0xA870D74: __vsnprintf_chk (vsnprintf_chk.c:63)
==14427==    by 0x66D8A77: proto_item_append_text (proto.c:4537)
==14427==    by 0x6F6474D: dissect_lpp_T_reportingInterval (lpp.cnf:271)
==14427==    by 0x6C3D51E: dissect_per_sequence (packet-per.c:1858)
==14427==    by 0x6F5F25A: dissect_lpp_PeriodicalReportingCriteria (lpp.cnf:286)
==14427==    by 0x6C3D51E: dissect_per_sequence (packet-per.c:1858)
==14427==    by 0x6F5F17A: dissect_lpp_CommonIEsRequestLocationInformation (lpp.cnf:365)
==14427==    by 0x6C3D51E: dissect_per_sequence (packet-per.c:1858)
==14427==    by 0x6F5F0DA: dissect_lpp_RequestLocationInformation_r9_IEs (lpp.cnf:1409)
==14427==    by 0x6C3D1AF: dissect_per_choice (packet-per.c:1706)
==14427==    by 0x6F63A23: dissect_lpp_T_c1_05 (lpp.cnf:1434)
==14427== 
==14427== Invalid read of size 1
==14427==    at 0xA7B28F3: vfprintf (vfprintf.c:1661)
==14427==    by 0xA870D74: __vsnprintf_chk (vsnprintf_chk.c:63)
==14427==    by 0x66D8A77: proto_item_append_text (proto.c:4537)
==14427==    by 0x6F6474D: dissect_lpp_T_reportingInterval (lpp.cnf:271)
==14427==    by 0x6C3D51E: dissect_per_sequence (packet-per.c:1858)
==14427==    by 0x6F5F25A: dissect_lpp_PeriodicalReportingCriteria (lpp.cnf:286)
==14427==    by 0x6C3D51E: dissect_per_sequence (packet-per.c:1858)
==14427==    by 0x6F5F17A: dissect_lpp_CommonIEsRequestLocationInformation (lpp.cnf:365)
==14427==    by 0x6C3D51E: dissect_per_sequence (packet-per.c:1858)
==14427==    by 0x6F5F0DA: dissect_lpp_RequestLocationInformation_r9_IEs (lpp.cnf:1409)
==14427==    by 0x6C3D1AF: dissect_per_choice (packet-per.c:1706)
==14427==    by 0x6F63A23: dissect_lpp_T_c1_05 (lpp.cnf:1434)
==14427==  Address 0x1feffe200 is not stack'd, malloc'd or (recently) free'd
==14427== 
==14427== 
==14427== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==14427==  Access not within mapped region at address 0x1FEFFE200
==14427==    at 0xA7B28F3: vfprintf (vfprintf.c:1661)
==14427==    by 0xA870D74: __vsnprintf_chk (vsnprintf_chk.c:63)
==14427==    by 0x66D8A77: proto_item_append_text (proto.c:4537)
==14427==    by 0x6F6474D: dissect_lpp_T_reportingInterval (lpp.cnf:271)
==14427==    by 0x6C3D51E: dissect_per_sequence (packet-per.c:1858)
==14427==    by 0x6F5F25A: dissect_lpp_PeriodicalReportingCriteria (lpp.cnf:286)
==14427==    by 0x6C3D51E: dissect_per_sequence (packet-per.c:1858)
==14427==    by 0x6F5F17A: dissect_lpp_CommonIEsRequestLocationInformation (lpp.cnf:365)
==14427==    by 0x6C3D51E: dissect_per_sequence (packet-per.c:1858)
==14427==    by 0x6F5F0DA: dissect_lpp_RequestLocationInformation_r9_IEs (lpp.cnf:1409)
==14427==    by 0x6C3D1AF: dissect_per_choice (packet-per.c:1706)
==14427==    by 0x6F63A23: dissect_lpp_T_c1_05 (lpp.cnf:1434)
==14427==  If you believe this happened as a result of a stack
==14427==  overflow in your program's main thread (unlikely but
==14427==  possible), you can try to increase the size of the
==14427==  main thread stack using the --main-stacksize= flag.
==14427==  The main thread stack size used in this run was 2084864.
==14427== 
==14427== HEAP SUMMARY:
==14427==     in use at exit: 16,102,239 bytes in 177,146 blocks
==14427==   total heap usage: 837,370 allocs, 660,224 frees, 76,320,832 bytes allocated
==14427== 
==14427== LEAK SUMMARY:
==14427==    definitely lost: 295 bytes in 20 blocks
==14427==    indirectly lost: 8 bytes in 1 blocks
==14427==      possibly lost: 0 bytes in 0 blocks
==14427==    still reachable: 16,101,936 bytes in 177,125 blocks
==14427==         suppressed: 0 bytes in 0 blocks
==14427== Rerun with --leak-check=full to see details of leaked memory
==14427== 
==14427== For counts of detected and suppressed errors, rerun with: -v
==14427== Use --track-origins=yes to see where uninitialised values come from
==14427== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
./tools/valgrind-wireshark.sh: line 113: 14427 Segmentation fault      (core dumped) $LIBTOOL valgrind --suppressions=`dirname $0`/vg-suppressions --tool=$TOOL $CALLGRIND_OUT_FILE $VERBOSE $LEAK_CHECK $REACHABLE $TRACK_ORIGINS $COMMAND $COMMAND_ARGS $PCAP $COMMAND_ARGS2 > /dev/null

[ no debug trace ]
