Wireshark-bugs: [Wireshark-bugs] [Bug 13074] New: Buildbot crash output: fuzz-2016-10-30-3319.pc

Date: Sun, 30 Oct 2016 14:40:04 +0000
Bug ID 13074
Summary Buildbot crash output: fuzz-2016-10-30-3319.pcap
Product Wireshark
Version unspecified
Hardware x86-64
URL https://www.wireshark.org/download/automated/captures/fuzz-2016-10-30-3319.pcap
OS Ubuntu
Status CONFIRMED
Severity Major
Priority High
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2016-10-30-3319.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/11027-packet-ber.pcap

Build host information:
Linux wsbb04 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:    Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:    16.04
Codename:    xenial

Buildbot information:
BUILDBOT_REPOSITORY=ssh://[email protected]:29418/wireshark
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_BUILDNUMBER=3768
BUILDBOT_URL=http://buildbot.wireshark.org/wireshark-master/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_GOT_REVISION=bdf99169cc699e36bd47e22514f8ac6b31f59bee

Return value:  0

Dissector bug:  0

Valgrind error count:  71



Git commit
commit bdf99169cc699e36bd47e22514f8ac6b31f59bee
Author: Alexis La Goutte <[email protected]>
Date:   Thu Oct 27 18:22:30 2016 +0200

    btavdtp: fix fix spelling typo found by lintian

    Change-Id: I15d4343787a7c6b1c16ca8aa77ef2ddd159e6ef0
    Reviewed-on: https://code.wireshark.org/review/18543
    Petri-Dish: Alexis La Goutte <[email protected]>
    Reviewed-by: Michal Labedzki <[email protected]>


==14009== Memcheck, a memory error detector
==14009== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==14009== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==14009== Command:
/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.plain/bin/tshark
-nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2016-10-30-3319.pcap
==14009== 
==14009== Use of uninitialised value of size 8
==14009==    at 0x69D9E79: format_text (strutil.c:185)
==14009==    by 0x6FDE2AB: dissect_pop (packet-pop.c:197)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009==    by 0x69A965E: dissector_try_uint_new (packet.c:1290)
==14009==    by 0x7183007: decode_tcp_ports (packet-tcp.c:5191)
==14009==    by 0x718446F: process_tcp_payload (packet-tcp.c:5260)
==14009==    by 0x7183930: desegment_tcp (packet-tcp.c:2778)
==14009==    by 0x7183930: dissect_tcp_payload (packet-tcp.c:5327)
==14009==    by 0x71885A9: dissect_tcp (packet-tcp.c:6209)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009==    by 0x69A965E: dissector_try_uint_new (packet.c:1290)
==14009==    by 0x6DD5A22: ip_try_dissect (packet-ip.c:1976)
==14009==    by 0x6DD5A22: dissect_ip_v4 (packet-ip.c:2439)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009== 
==14009== Conditional jump or move depends on uninitialised value(s)
==14009==    at 0x69D9E92: format_text (strutil.c:191)
==14009==    by 0x6FDE2AB: dissect_pop (packet-pop.c:197)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009==    by 0x69A965E: dissector_try_uint_new (packet.c:1290)
==14009==    by 0x7183007: decode_tcp_ports (packet-tcp.c:5191)
==14009==    by 0x718446F: process_tcp_payload (packet-tcp.c:5260)
==14009==    by 0x7183930: desegment_tcp (packet-tcp.c:2778)
==14009==    by 0x7183930: dissect_tcp_payload (packet-tcp.c:5327)
==14009==    by 0x71885A9: dissect_tcp (packet-tcp.c:6209)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009==    by 0x69A965E: dissector_try_uint_new (packet.c:1290)
==14009==    by 0x6DD5A22: ip_try_dissect (packet-ip.c:1976)
==14009==    by 0x6DD5A22: dissect_ip_v4 (packet-ip.c:2439)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009== 
==14009== Conditional jump or move depends on uninitialised value(s)
==14009==    at 0xBDEDC80: vfprintf (vfprintf.c:1632)
==14009==    by 0xBEB4FD5: __vsnprintf_chk (vsnprintf_chk.c:63)
==14009==    by 0x6995F31: ws_vsnprintf (ws_printf.h:78)
==14009==    by 0x6995F31: col_add_fstr (column-utils.c:792)
==14009==    by 0x6FDE2C9: dissect_pop (packet-pop.c:196)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009==    by 0x69A965E: dissector_try_uint_new (packet.c:1290)
==14009==    by 0x7183007: decode_tcp_ports (packet-tcp.c:5191)
==14009==    by 0x718446F: process_tcp_payload (packet-tcp.c:5260)
==14009==    by 0x7183930: desegment_tcp (packet-tcp.c:2778)
==14009==    by 0x7183930: dissect_tcp_payload (packet-tcp.c:5327)
==14009==    by 0x71885A9: dissect_tcp (packet-tcp.c:6209)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009==    by 0x69A965E: dissector_try_uint_new (packet.c:1290)
==14009== 
==14009== Conditional jump or move depends on uninitialised value(s)
==14009==    at 0x69D9D57: get_token_len (strutil.c:124)
==14009==    by 0x6FDE4B2: dissect_pop (packet-pop.c:274)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009==    by 0x69A965E: dissector_try_uint_new (packet.c:1290)
==14009==    by 0x7183007: decode_tcp_ports (packet-tcp.c:5191)
==14009==    by 0x718446F: process_tcp_payload (packet-tcp.c:5260)
==14009==    by 0x7183930: desegment_tcp (packet-tcp.c:2778)
==14009==    by 0x7183930: dissect_tcp_payload (packet-tcp.c:5327)
==14009==    by 0x71885A9: dissect_tcp (packet-tcp.c:6209)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009==    by 0x69A965E: dissector_try_uint_new (packet.c:1290)
==14009==    by 0x6DD5A22: ip_try_dissect (packet-ip.c:1976)
==14009==    by 0x6DD5A22: dissect_ip_v4 (packet-ip.c:2439)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009== 
==14009== Use of uninitialised value of size 8
==14009==    at 0x69D9D59: get_token_len (strutil.c:124)
==14009==    by 0x1000023FF: ???
==14009==    by 0xD80E2020B010002: ???
==14009==    by 0xA22010001FE: ???
==14009==    by 0xA0C: ???
==14009== 
==14009== Conditional jump or move depends on uninitialised value(s)
==14009==    at 0x69D9D5D: get_token_len (strutil.c:124)
==14009==    by 0x6FDE4B2: dissect_pop (packet-pop.c:274)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009==    by 0x69A965E: dissector_try_uint_new (packet.c:1290)
==14009==    by 0x7183007: decode_tcp_ports (packet-tcp.c:5191)
==14009==    by 0x718446F: process_tcp_payload (packet-tcp.c:5260)
==14009==    by 0x7183930: desegment_tcp (packet-tcp.c:2778)
==14009==    by 0x7183930: dissect_tcp_payload (packet-tcp.c:5327)
==14009==    by 0x71885A9: dissect_tcp (packet-tcp.c:6209)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009==    by 0x69A965E: dissector_try_uint_new (packet.c:1290)
==14009==    by 0x6DD5A22: ip_try_dissect (packet-ip.c:1976)
==14009==    by 0x6DD5A22: dissect_ip_v4 (packet-ip.c:2439)
==14009==    by 0x69A9795: call_dissector_through_handle (packet.c:650)
==14009==    by 0x69A9795: call_dissector_work (packet.c:725)
==14009== 
==14009== Conditional jump or move depends on uninitialised value(s)
==14009==    at 0x4C30F78: strlen (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14009==    by 0x4162C3: print_columns (tshark.c:3656)
==14009==    by 0x4162C3: print_packet (tshark.c:3818)
==14009==    by 0x415DB9: process_packet (tshark.c:3451)
==14009==    by 0x413B15: load_cap_file (tshark.c:3193)
==14009==    by 0x413B15: main (tshark.c:1893)
==14009== 
==14009== Conditional jump or move depends on uninitialised value(s)
==14009==    at 0x4C30F78: strlen (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14009==    by 0xBE0CF7E: fputs (iofputs.c:33)
==14009==    by 0x69BAAEE: print_line_text (print_stream.c:154)
==14009==    by 0x41692A: print_columns (tshark.c:3801)
==14009==    by 0x41692A: print_packet (tshark.c:3818)
==14009==    by 0x415DB9: process_packet (tshark.c:3451)
==14009==    by 0x413B15: load_cap_file (tshark.c:3193)
==14009==    by 0x413B15: main (tshark.c:1893)
==14009== 
==14009== Syscall param write(buf) points to uninitialised byte(s)
==14009==    at 0xBE95A10: __write_nocancel (syscall-template.S:84)
==14009==    by 0xBE17B2E: _IO_file_write@@GLIBC_2.2.5 (fileops.c:1263)
==14009==    by 0xBE19338: new_do_write (fileops.c:518)
==14009==    by 0xBE19338: _IO_do_write@@GLIBC_2.2.5 (fileops.c:494)
==14009==    by 0xBE183AC: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1331)
==14009==    by 0xBE0D007: fputs (iofputs.c:38)
==14009==    by 0x69BAAEE: print_line_text (print_stream.c:154)
==14009==    by 0x41692A: print_columns (tshark.c:3801)
==14009==    by 0x41692A: print_packet (tshark.c:3818)
==14009==    by 0x415DB9: process_packet (tshark.c:3451)
==14009==    by 0x413B15: load_cap_file (tshark.c:3193)
==14009==    by 0x413B15: main (tshark.c:1893)
==14009==  Address 0x1388854a is 2,026 bytes inside a block of size 4,096
alloc'd
==14009==    at 0x4C2DB8F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14009==    by 0xBE0C184: _IO_file_doallocate (filedoalloc.c:127)
==14009==    by 0xBE1A4C3: _IO_doallocbuf (genops.c:398)
==14009==    by 0xBE19827: _IO_file_overflow@@GLIBC_2.2.5 (fileops.c:820)
==14009==    by 0xBE181BC: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1331)
==14009==    by 0xBE0D007: fputs (iofputs.c:38)
==14009==    by 0x69BAAEE: print_line_text (print_stream.c:154)
==14009==    by 0x41692A: print_columns (tshark.c:3801)
==14009==    by 0x41692A: print_packet (tshark.c:3818)
==14009==    by 0x415DB9: process_packet (tshark.c:3451)
==14009==    by 0x413B15: load_cap_file (tshark.c:3193)
==14009==    by 0x413B15: main (tshark.c:1893)
==14009== 
==14009== 
==14009== HEAP SUMMARY:
==14009==     in use at exit: 6,089,528 bytes in 9,813 blocks
==14009==   total heap usage: 596,548 allocs, 586,735 frees, 53,238,883 bytes
allocated
==14009== 
==14009== LEAK SUMMARY:
==14009==    definitely lost: 1,704 bytes in 171 blocks
==14009==    indirectly lost: 0 bytes in 0 blocks
==14009==      possibly lost: 0 bytes in 0 blocks
==14009==    still reachable: 6,087,824 bytes in 9,642 blocks
==14009==         suppressed: 0 bytes in 0 blocks
==14009== Rerun with --leak-check=full to see details of leaked memory
==14009== 
==14009== For counts of detected and suppressed errors, rerun with: -v
==14009== Use --track-origins=yes to see where uninitialised values come from
==14009== ERROR SUMMARY: 71 errors from 9 contexts (suppressed: 0 from 0)

[ no debug trace ]


You are receiving this mail because:
  • You are watching all bug changes.