Wireshark-bugs: [Wireshark-bugs] [Bug 10885] Crash when use Telephony / Voip calls
Date: Wed, 11 Mar 2015 02:31:22 +0000
Jeff Morriss changed bug 10885
| What | Removed | Added |
|---|---|---|
| CC | [email protected] |
Comment # 3
on bug 10885
from Jeff Morriss
Valgrind says this (amongst other complaints):
~~~
==9624== Conditional jump or move depends on uninitialised value(s)
==9624== at 0x4E799C: packet_list_get_value (packet_list_store.c:377)
==9624== by 0x39AC835574: gtk_tree_model_get_valist (in
/usr/lib64/libgtk-x11-2.0.so.0.2400.25)
==9624== by 0x39AC8358A8: gtk_tree_model_get (in
/usr/lib64/libgtk-x11-2.0.so.0.2400.25)
==9624== by 0x453FCB: packet_list_get_record (packet_list.c:791)
==9624== by 0x456664: packet_list_get_row_data (packet_list.c:1235)
==9624== by 0x523A07: insert_to_graph_t38 (voip_calls.c:433)
==9624== by 0x523A07: t38_packet (voip_calls.c:976)
==9624== by 0x65294FE: tap_push_tapped_queue (tap.c:331)
==9624== by 0x64F9FCB: epan_dissect_run_with_taps (epan.c:344)
==9624== by 0x42A8AE: retap_packet (file.c:2338)
==9624== by 0x42E23D: process_specified_records.constprop.14 (file.c:2308)
==9624== by 0x42E3E2: cf_retap_packets (file.c:2382)
==9624== by 0x4AD895: voip_calls_dlg_init_taps (voip_calls_dlg.c:919)
==9624==
21:43:19 Crit packet_list_get_value: assertion 'iter->stamp ==
packet_list->stamp' failed
(lt-wireshark-gtk:9624): GLib-GObject-WARNING **: gtype.c:4221: type id '0' is
invalid
(lt-wireshark-gtk:9624): GLib-GObject-WARNING **: can't peek value table for
type '<invalid>' which is not currently referenced
==9624== Invalid read of size 8
==9624== at 0x39AC835582: gtk_tree_model_get_valist (in
/usr/lib64/libgtk-x11-2.0.so.0.2400.25)
==9624== by 0x39AC8358A8: gtk_tree_model_get (in
/usr/lib64/libgtk-x11-2.0.so.0.2400.25)
==9624== by 0x453FCB: packet_list_get_record (packet_list.c:791)
==9624== by 0x456664: packet_list_get_row_data (packet_list.c:1235)
==9624== by 0x523A07: insert_to_graph_t38 (voip_calls.c:433)
==9624== by 0x523A07: t38_packet (voip_calls.c:976)
==9624== by 0x65294FE: tap_push_tapped_queue (tap.c:331)
==9624== by 0x64F9FCB: epan_dissect_run_with_taps (epan.c:344)
==9624== by 0x42A8AE: retap_packet (file.c:2338)
==9624== by 0x42E23D: process_specified_records.constprop.14 (file.c:2308)
==9624== by 0x42E3E2: cf_retap_packets (file.c:2382)
==9624== by 0x4AD895: voip_calls_dlg_init_taps (voip_calls_dlg.c:919)
==9624== by 0x39A1E0FD34: g_closure_invoke (in
/usr/lib64/libgobject-2.0.so.0.4200.1)
==9624== Address 0x30 is not stack'd, malloc'd or (recently) free'd
==9624==
==9624==
==9624== Process terminating with default action of signal 11 (SIGSEGV)
==9624== Access not within mapped region at address 0x30
==9624== at 0x39AC835582: gtk_tree_model_get_valist (in
/usr/lib64/libgtk-x11-2.0.so.0.2400.25)
==9624== by 0x39AC8358A8: gtk_tree_model_get (in
/usr/lib64/libgtk-x11-2.0.so.0.2400.25)
==9624== by 0x453FCB: packet_list_get_record (packet_list.c:791)
==9624== by 0x456664: packet_list_get_row_data (packet_list.c:1235)
==9624== by 0x523A07: insert_to_graph_t38 (voip_calls.c:433)
==9624== by 0x523A07: t38_packet (voip_calls.c:976)
==9624== by 0x65294FE: tap_push_tapped_queue (tap.c:331)
==9624== by 0x64F9FCB: epan_dissect_run_with_taps (epan.c:344)
==9624== by 0x42A8AE: retap_packet (file.c:2338)
==9624== by 0x42E23D: process_specified_records.constprop.14 (file.c:2308)
==9624== by 0x42E3E2: cf_retap_packets (file.c:2382)
==9624== by 0x4AD895: voip_calls_dlg_init_taps (voip_calls_dlg.c:919)
==9624== by 0x39A1E0FD34: g_closure_invoke (in
/usr/lib64/libgobject-2.0.so.0.4200.1)
~~~
The basic problem is that the T.38 dissector is passing a frame-number of 0 to
its tap (in t38_info->frame_num_first_t4_data) which then causes heartburn in
packet_list_get_row_data() and below.
An assertion is probably appropriate here:
~~~
--- a/ui/gtk/packet_list.c
+++ b/ui/gtk/packet_list.c
@@ -1228,6 +1228,7 @@ packet_list_get_row_data(gint row)
GtkTreeIter iter;
frame_data *fdata;
+ g_assert(row > 0);
gtk_tree_path_append_index(path, row-1);
gtk_tree_model_get_iter(GTK_TREE_MODEL(packetlist), &iter, path);
~~~
Except for that minor detail that the row number could come from a dissector
(in this case via a tap). Hmmm. Too bad we can except out of taps.
This avoids the crash:
~~~
--- a/ui/voip_calls.c
+++ b/ui/voip_calls.c
@@ -973,6 +973,7 @@ t38_packet(void *tap_offset_ptr, packet_info *pinfo,
epan_dissect_t *edt, const
frame_label = g_strdup_printf("t4-non-ecm-data:%s", tmp_str1);
comment = g_strdup_printf("t38:t4-non-ecm-data:%s
Duration: %.2fs %s",
tmp_str1, duration, t38_info->desc_comment );
+ if (t38_info->frame_num_first_t4_data > 0)
insert_to_graph_t38(tapinfo, pinfo, edt, frame_label, comment,
(guint16)conv_num, &(pinfo->src), &(pinfo->dst),
line_style, t38_info->frame_num_first_t4_data);
~~~
But obviously doesn't solve the root cause. I looked around the T.38 dissector
a bit and it's at least possible the root cause is that evil nasty global
variable p_t38_conv_info. Or maybe it's just a bug but following the logic
seemed a bit much for this evening...
You are receiving this mail because:
- You are watching all bug changes.
- Prev by Date: [Wireshark-bugs] [Bug 10889] Qt Wireshark - On startup occasionally see: Error from waitpid(): Interrupted system call
- Next by Date: [Wireshark-bugs] [Bug 10885] Crash when use Telephony / Voip calls
- Previous by thread: [Wireshark-bugs] [Bug 10889] Qt Wireshark - On startup occasionally see: Error from waitpid(): Interrupted system call
- Next by thread: [Wireshark-bugs] [Bug 10885] Crash when use Telephony / Voip calls
- Index(es):