Wireshark-bugs: [Wireshark-bugs] [Bug 10983] Buildbot crash output: fuzz-2015-02-20-11117.pcap
Date: Fri, 20 Feb 2015 21:05:28 +0000
Comment # 2
on bug 10983
from Guy Harris
Several issues here.

On the trunk, it crashes even harder, with an assertion failure in wmem. The stack trace is

#0 0x00007fff96d37d46 in __kill ()
#1 0x00007fff9457af83 in abort ()
#2 0x000000010ee39d9f in g_assertion_message (domain=<value temporarily unavailable, due to optimizations>, file=<value temporarily unavailable, due to optimizations>, line=<value temporarily unavailable, due to optimizations>, func=<value temporarily unavailable, due to optimizations>, message=<value temporarily unavailable, due to optimizations>) at gtestutils.c:1912
#3 0x000000010ee3a235 in g_assertion_message_expr (domain=<value temporarily unavailable, due to optimizations>, file=<value temporarily unavailable, due to optimizations>, line=<value temporarily unavailable, due to optimizations>, func=<value temporarily unavailable, due to optimizations>, expr=<value temporarily unavailable, due to optimizations>) at gtestutils.c:1923
#4 0x000000010ad3ee2f in wmem_alloc0 (allocator=<value temporarily unavailable, due to optimizations>, size=<value temporarily unavailable, due to optimizations>) at wmem_core.c:50
#5 0x000000010ad41fcd in wmem_strdup_vprintf (allocator=0x7f8d7a416d90, fmt=0x10adb7264 "%s:%u: failed assertion \"DISSECTOR_ASSERT_NOT_REACHED\"", ap=0x7fff55bc57b0) at wmem_strutl.c:101
#6 0x000000010ad41f5d in wmem_strdup_printf (allocator=0x10a97, fmt=0x6 <Address 0x6 out of bounds>) at wmem_strutl.c:75
#7 0x000000010a1c5df0 in fill_label_number64 (fi=<value temporarily unavailable, due to optimizations>, label_str=<value temporarily unavailable, due to optimizations>, is_signed=<value temporarily unavailable, due to optimizations>) at proto.c:6741
#8 0x000000010a1c3b86 in proto_item_fill_label (fi=0x1120711a0, label_str=0x7fff55bc5980 "1000 00.. = Latitude Resolution: 32") at proto.c:6114
#9 0x000000010a1b570d in proto_tree_print_node (node=0x112071210, data="" at print.c:146
#10 0x000000010a1b8e5a in proto_tree_children_foreach (tree=<value temporarily unavailable, due to optimizations>, func=0x10a1b56a0 <proto_tree_print_node>, data="" at proto.c:640
#11 0x000000010a1b5844 in proto_tree_print_node (node=0x112070c40, data="" at print.c:201
#12 0x000000010a1b8e5a in proto_tree_children_foreach (tree=<value temporarily unavailable, due to optimizations>, func=0x10a1b56a0 <proto_tree_print_node>, data="" at proto.c:640
#13 0x000000010a1b5844 in proto_tree_print_node (node=0x11206bac0, data="" at print.c:201
#14 0x000000010a1b8e5a in proto_tree_children_foreach (tree=<value temporarily unavailable, due to optimizations>, func=0x10a1b56a0 <proto_tree_print_node>, data="" at proto.c:640
#15 0x000000010a1b568d in proto_tree_print (print_args=<value temporarily unavailable, due to optimizations>, edt=<value temporarily unavailable, due to optimizations>, output_only_tables=<value temporarily unavailable, due to optimizations>, stream=<value temporarily unavailable, due to optimizations>) at print.c:115
#16 0x000000010a049091 in print_packet () at tshark.c:4021
#17 0x000000010a0485f2 in process_packet (cf=0x10a073798, edt=0x7f8d7b5d0cc0, offset=<value temporarily unavailable, due to optimizations>, whdr=0x7f8d7b5c8500, pd=0x7f8d7a83b000 "\001??", tap_flags=<value temporarily unavailable, due to optimizations>) at tshark.c:3633
#18 0x000000010a045f92 in main (argc=3, argv=<value temporarily unavailable, due to optimizations>) at tshark.c:3381

and:

(gdb) frame 4
#4 0x000000010ad3ee2f in wmem_alloc0 (allocator=<value temporarily unavailable, due to optimizations>, size=<value temporarily unavailable, due to optimizations>) at wmem_core.c:50
50 g_assert(allocator->in_scope);

So there's code that thinks it's running in a dissector which is running outside the dissection code path, and is calling DISSECTOR_ASSERT_NOT_REACHED(), which:

1) as a result of calling REPORT_DISSECTOR_BUG() throws an exception that's not caught in the print_packet() code path, hence the "Unhandled exception" crash in 1.12

and

2) in the trunk, calls wmem_strdup_printf with a scope of wmem_packet_scope(), which is not a valid scope in that code path.

So we have:

1) a field with an invalid specification, which is the underlying problem;

2) DISSECTOR_ASSERT_NOT_REACHED() being used outside the dissection code path.
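The scope failure described in the comment above, as an added illustration that is not part of the original message and is not Wireshark code: an error-reporting path that always allocates from a per-packet scope fails when reached outside dissection, while one that checks the scope first still produces its message. The names scope_t, packet_scope, global_scope, scope_printf, report_bug_naive and report_bug_checked are hypothetical, and returning NULL stands in for the abort at g_assert(allocator->in_scope).

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a scoped allocator; not Wireshark's wmem API. */
typedef struct { const char *name; bool in_scope; } scope_t;
static scope_t packet_scope = { "packet", false };  /* valid only while dissecting */
static scope_t global_scope = { "global", true };   /* always valid */

void enter_dissection(void) { packet_scope.in_scope = true; }
void leave_dissection(void) { packet_scope.in_scope = false; }

/* Formats into memory owned by scope s. Returns NULL at the point where
 * the allocator in the trace aborts on g_assert(allocator->in_scope). */
static char *scope_printf(scope_t *s, const char *fmt, ...) {
    if (!s->in_scope) return NULL;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);      /* measure first */
    va_end(ap);
    if (n < 0) return NULL;
    char *buf = malloc((size_t)n + 1);
    if (buf) {
        va_start(ap, fmt);
        vsnprintf(buf, (size_t)n + 1, fmt, ap);
        va_end(ap);
    }
    return buf;
}

/* Error path that assumes it only ever runs inside a dissector. */
char *report_bug_naive(const char *file, unsigned line) {
    return scope_printf(&packet_scope, "%s:%u: failed assertion", file, line);
}

/* Error path that picks a scope valid in the current code path. */
char *report_bug_checked(const char *file, unsigned line) {
    scope_t *s = packet_scope.in_scope ? &packet_scope : &global_scope;
    return scope_printf(s, "%s:%u: failed assertion", file, line);
}

int main(void) {  /* called from a print path, i.e. outside dissection */
    char *a = report_bug_naive("proto.c", 6741);
    char *b = report_bug_checked("proto.c", 6741);
    printf("naive: %s\nchecked: %s\n", a ? a : "(would abort)", b ? b : "(null)");
    free(a);
    free(b);
    return 0;
}
```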