Wireshark-bugs: [Wireshark-bugs] [Bug 11533] New: Buildbot crash output: fuzz-2015-09-20-32107.p

Date: Tue, 22 Sep 2015 03:50:03 +0000
Bug ID 11533
Summary Buildbot crash output: fuzz-2015-09-20-32107.pcap
Product Wireshark
Version unspecified
Hardware x86-64
URL https://www.wireshark.org/download/automated/captures/fuzz-2015-09-20-32107.pcap
OS Ubuntu
Status CONFIRMED
Severity Major
Priority High
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2015-09-20-32107.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/9186-avrcp.log

Build host information:
Linux wsbb04 3.13.0-61-generic #100-Ubuntu SMP Wed Jul 29 11:21:34 UTC 2015
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:    Ubuntu
Description:    Ubuntu 14.04.3 LTS
Release:    14.04
Codename:    trusty

Buildbot information:
BUILDBOT_REPOSITORY=ssh://[email protected]:29418/wireshark
BUILDBOT_BUILDNUMBER=3314
BUILDBOT_URL=http://buildbot.wireshark.org/trunk/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_SLAVENAME=clang-code-analysis
BUILDBOT_GOT_REVISION=22bc307c8dc99c6c8e1664d1f8994863e459f884

Return value:  0

Dissector bug:  0

Valgrind error count:  5



Git commit
commit 22bc307c8dc99c6c8e1664d1f8994863e459f884
Author: Hadriel Kaplan <[email protected]>
Date:   Wed Aug 5 09:24:50 2015 -0400

    RTP: handle payload reassembly for multiple fragments

    If an RTP payload spans more than two packets, the dissector needs to
    save the previous fragment info.

    Bug: 11413
    Change-Id: I62558f40136881d70bf2a9597eabd3697966ac4a
    Reviewed-on: https://code.wireshark.org/review/9875
    Petri-Dish: Hadriel Kaplan <[email protected]>
    Tested-by: Petri Dish Buildbot <[email protected]>
    Reviewed-by: Anders Broman <[email protected]>


Command and args: ./tools/valgrind-wireshark.sh 

==3922== Memcheck, a memory error detector
==3922== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==3922== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==3922== Command:
/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install/bin/tshark
-nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2015-09-20-32107.pcap
==3922== 
==3922== Invalid read of size 4
==3922==    at 0x694F465: dissect_bthcrp (packet-bthcrp.c:415)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E7C19: dissector_try_string (packet.c:1458)
==3922==    by 0x693068B: dissect_btavctp (packet-btavctp.c:216)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E750E: dissector_try_uint_new (packet.c:1163)
==3922==    by 0x695A0FF: dissect_b_frame (packet-btl2cap.c:1485)
==3922==    by 0x69585A7: dissect_btl2cap (packet-btl2cap.c:2141)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E6C2C: call_dissector_with_data (packet.c:2570)
==3922==    by 0x693C2A3: dissect_bthci_acl (packet-bthci_acl.c:417)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==  Address 0x15569bac is 20 bytes before a block of size 72 alloc'd
==3922==    at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3922==    by 0xA34C610: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==3922==    by 0xA36222D: g_slice_alloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==3922==    by 0x681AC41: tvb_new (tvbuff.c:87)
==3922==    by 0x681A3E4: tvb_new_subset_length (tvbuff_subset.c:113)
==3922==    by 0x69304EA: dissect_btavctp (packet-btavctp.c:207)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E750E: dissector_try_uint_new (packet.c:1163)
==3922==    by 0x695A0FF: dissect_b_frame (packet-btl2cap.c:1485)
==3922==    by 0x69585A7: dissect_btl2cap (packet-btl2cap.c:2141)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E6C2C: call_dissector_with_data (packet.c:2570)
==3922== 
==3922== Invalid read of size 4
==3922==    at 0x694F486: dissect_bthcrp (packet-bthcrp.c:416)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E7C19: dissector_try_string (packet.c:1458)
==3922==    by 0x693068B: dissect_btavctp (packet-btavctp.c:216)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E750E: dissector_try_uint_new (packet.c:1163)
==3922==    by 0x695A0FF: dissect_b_frame (packet-btl2cap.c:1485)
==3922==    by 0x69585A7: dissect_btl2cap (packet-btl2cap.c:2141)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E6C2C: call_dissector_with_data (packet.c:2570)
==3922==    by 0x693C2A3: dissect_bthci_acl (packet-bthci_acl.c:417)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==  Address 0x15569bb0 is 16 bytes before a block of size 72 alloc'd
==3922==    at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3922==    by 0xA34C610: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==3922==    by 0xA36222D: g_slice_alloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==3922==    by 0x681AC41: tvb_new (tvbuff.c:87)
==3922==    by 0x681A3E4: tvb_new_subset_length (tvbuff_subset.c:113)
==3922==    by 0x69304EA: dissect_btavctp (packet-btavctp.c:207)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E750E: dissector_try_uint_new (packet.c:1163)
==3922==    by 0x695A0FF: dissect_b_frame (packet-btl2cap.c:1485)
==3922==    by 0x69585A7: dissect_btl2cap (packet-btl2cap.c:2141)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E6C2C: call_dissector_with_data (packet.c:2570)
==3922== 
==3922== Invalid read of size 4
==3922==    at 0x694F48F: dissect_bthcrp (packet-bthcrp.c:417)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E7C19: dissector_try_string (packet.c:1458)
==3922==    by 0x693068B: dissect_btavctp (packet-btavctp.c:216)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E750E: dissector_try_uint_new (packet.c:1163)
==3922==    by 0x695A0FF: dissect_b_frame (packet-btl2cap.c:1485)
==3922==    by 0x69585A7: dissect_btl2cap (packet-btl2cap.c:2141)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E6C2C: call_dissector_with_data (packet.c:2570)
==3922==    by 0x693C2A3: dissect_bthci_acl (packet-bthci_acl.c:417)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==  Address 0x15569bb4 is 12 bytes before a block of size 72 alloc'd
==3922==    at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3922==    by 0xA34C610: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==3922==    by 0xA36222D: g_slice_alloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==3922==    by 0x681AC41: tvb_new (tvbuff.c:87)
==3922==    by 0x681A3E4: tvb_new_subset_length (tvbuff_subset.c:113)
==3922==    by 0x69304EA: dissect_btavctp (packet-btavctp.c:207)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E750E: dissector_try_uint_new (packet.c:1163)
==3922==    by 0x695A0FF: dissect_b_frame (packet-btl2cap.c:1485)
==3922==    by 0x69585A7: dissect_btl2cap (packet-btl2cap.c:2141)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E6C2C: call_dissector_with_data (packet.c:2570)
==3922== 
==3922== Invalid read of size 2
==3922==    at 0x694F4A1: dissect_bthcrp (packet-bthcrp.c:427)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E7C19: dissector_try_string (packet.c:1458)
==3922==    by 0x693068B: dissect_btavctp (packet-btavctp.c:216)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E750E: dissector_try_uint_new (packet.c:1163)
==3922==    by 0x695A0FF: dissect_b_frame (packet-btl2cap.c:1485)
==3922==    by 0x69585A7: dissect_btl2cap (packet-btl2cap.c:2141)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E6C2C: call_dissector_with_data (packet.c:2570)
==3922==    by 0x693C2A3: dissect_bthci_acl (packet-bthci_acl.c:417)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==  Address 0x15569b90 is 16 bytes after a block of size 16 alloc'd
==3922==    at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3922==    by 0xA34C610: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4002.0)
==3922==    by 0x73CBE0A: wmem_simple_alloc (wmem_allocator_simple.c:55)
==3922==    by 0x693049D: dissect_btavctp (packet-btavctp.c:197)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E750E: dissector_try_uint_new (packet.c:1163)
==3922==    by 0x695A0FF: dissect_b_frame (packet-btl2cap.c:1485)
==3922==    by 0x69585A7: dissect_btl2cap (packet-btl2cap.c:2141)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E6C2C: call_dissector_with_data (packet.c:2570)
==3922==    by 0x693C2A3: dissect_bthci_acl (packet-bthci_acl.c:417)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922== 
==3922== Invalid read of size 2
==3922==    at 0x694F98E: dissect_bthcrp (packet-bthcrp.c:493)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E7C19: dissector_try_string (packet.c:1458)
==3922==    by 0x693068B: dissect_btavctp (packet-btavctp.c:216)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E750E: dissector_try_uint_new (packet.c:1163)
==3922==    by 0x695A0FF: dissect_b_frame (packet-btl2cap.c:1485)
==3922==    by 0x69585A7: dissect_btl2cap (packet-btl2cap.c:2141)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==    by 0x67E6C2C: call_dissector_with_data (packet.c:2570)
==3922==    by 0x693C2A3: dissect_bthci_acl (packet-bthci_acl.c:417)
==3922==    by 0x67E766F: call_dissector_work (packet.c:618)
==3922==  Address 0x15569ba0 is not stack'd, malloc'd or (recently) free'd
==3922== 
==3922== 
==3922== HEAP SUMMARY:
==3922==     in use at exit: 1,036,473 bytes in 28,185 blocks
==3922==   total heap usage: 613,446 allocs, 585,261 frees, 51,275,534 bytes
allocated
==3922== 
==3922== LEAK SUMMARY:
==3922==    definitely lost: 2,932 bytes in 126 blocks
==3922==    indirectly lost: 36,456 bytes in 49 blocks
==3922==      possibly lost: 0 bytes in 0 blocks
==3922==    still reachable: 997,085 bytes in 28,010 blocks
==3922==         suppressed: 0 bytes in 0 blocks
==3922== Rerun with --leak-check=full to see details of leaked memory
==3922== 
==3922== For counts of detected and suppressed errors, rerun with: -v
==3922== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)

[ no debug trace ]


You are receiving this mail because:
  • You are watching all bug changes.