Wireshark-bugs: [Wireshark-bugs] [Bug 13082] New: Buildbot crash output: fuzz-2016-11-01-27809.p

Date: Tue, 01 Nov 2016 22:00:03 +0000
Bug ID: 13082
Summary: Buildbot crash output: fuzz-2016-11-01-27809.pcap
Product: Wireshark
Version: unspecified
Hardware: x86-64
URL: https://www.wireshark.org/download/automated/captures/fuzz-2016-11-01-27809.pcap
OS: Ubuntu
Status: CONFIRMED
Severity: Major
Priority: High
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2016-11-01-27809.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/11027-packet-ber.pcap

Build host information:
Linux wsbb04 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:    Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:    16.04
Codename:    xenial

Buildbot information:
BUILDBOT_REPOSITORY=ssh://[email protected]:29418/wireshark
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_BUILDNUMBER=3769
BUILDBOT_URL=http://buildbot.wireshark.org/wireshark-master/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_GOT_REVISION=211f321f8530dae7cb2cdd1cbf6c659437dfba26

Return value:  0

Dissector bug:  0

Valgrind error count:  3782



Git commit
commit 211f321f8530dae7cb2cdd1cbf6c659437dfba26
Author: Guy Harris <[email protected]>
Date:   Sun Oct 30 02:08:15 2016 -0700

    Update libssh to 0.7.3.

    Also, don't try to uninstall it, as CMake helpfully provides no
    uninstall target.

    Change-Id: I936a8adeecc3c1f0ca71d044467846ffc33ae7b2
    Reviewed-on: https://code.wireshark.org/review/18574
    Reviewed-by: Guy Harris <[email protected]>


==4691== Memcheck, a memory error detector
==4691== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==4691== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==4691== Command: /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.plain/bin/tshark -nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2016-11-01-27809.pcap
==4691== 
==4691== Use of uninitialised value of size 8
==4691==    at 0x69DA549: format_text (strutil.c:185)
==4691==    by 0x6FDEFCB: dissect_pop (packet-pop.c:197)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691==    by 0x69A9D2E: dissector_try_uint_new (packet.c:1290)
==4691==    by 0x7183C57: decode_tcp_ports (packet-tcp.c:5191)
==4691==    by 0x71850BF: process_tcp_payload (packet-tcp.c:5260)
==4691==    by 0x7184580: desegment_tcp (packet-tcp.c:2778)
==4691==    by 0x7184580: dissect_tcp_payload (packet-tcp.c:5327)
==4691==    by 0x71891F9: dissect_tcp (packet-tcp.c:6209)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691==    by 0x69A9D2E: dissector_try_uint_new (packet.c:1290)
==4691==    by 0x6DD63B2: ip_try_dissect (packet-ip.c:1977)
==4691==    by 0x6DD63B2: dissect_ip_v4 (packet-ip.c:2440)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691== 
==4691== Conditional jump or move depends on uninitialised value(s)
==4691==    at 0x69DA562: format_text (strutil.c:191)
==4691==    by 0x6FDEFCB: dissect_pop (packet-pop.c:197)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691==    by 0x69A9D2E: dissector_try_uint_new (packet.c:1290)
==4691==    by 0x7183C57: decode_tcp_ports (packet-tcp.c:5191)
==4691==    by 0x71850BF: process_tcp_payload (packet-tcp.c:5260)
==4691==    by 0x7184580: desegment_tcp (packet-tcp.c:2778)
==4691==    by 0x7184580: dissect_tcp_payload (packet-tcp.c:5327)
==4691==    by 0x71891F9: dissect_tcp (packet-tcp.c:6209)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691==    by 0x69A9D2E: dissector_try_uint_new (packet.c:1290)
==4691==    by 0x6DD63B2: ip_try_dissect (packet-ip.c:1977)
==4691==    by 0x6DD63B2: dissect_ip_v4 (packet-ip.c:2440)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691== 
==4691== Conditional jump or move depends on uninitialised value(s)
==4691==    at 0xBDEEC80: vfprintf (vfprintf.c:1632)
==4691==    by 0xBEB5FD5: __vsnprintf_chk (vsnprintf_chk.c:63)
==4691==    by 0x6996601: ws_vsnprintf (ws_printf.h:78)
==4691==    by 0x6996601: col_add_fstr (column-utils.c:792)
==4691==    by 0x6FDEFE9: dissect_pop (packet-pop.c:196)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691==    by 0x69A9D2E: dissector_try_uint_new (packet.c:1290)
==4691==    by 0x7183C57: decode_tcp_ports (packet-tcp.c:5191)
==4691==    by 0x71850BF: process_tcp_payload (packet-tcp.c:5260)
==4691==    by 0x7184580: desegment_tcp (packet-tcp.c:2778)
==4691==    by 0x7184580: dissect_tcp_payload (packet-tcp.c:5327)
==4691==    by 0x71891F9: dissect_tcp (packet-tcp.c:6209)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691==    by 0x69A9D2E: dissector_try_uint_new (packet.c:1290)
==4691== 
==4691== Conditional jump or move depends on uninitialised value(s)
==4691==    at 0x69DA427: get_token_len (strutil.c:124)
==4691==    by 0x6FDF1D2: dissect_pop (packet-pop.c:274)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691==    by 0x69A9D2E: dissector_try_uint_new (packet.c:1290)
==4691==    by 0x7183C57: decode_tcp_ports (packet-tcp.c:5191)
==4691==    by 0x71850BF: process_tcp_payload (packet-tcp.c:5260)
==4691==    by 0x7184580: desegment_tcp (packet-tcp.c:2778)
==4691==    by 0x7184580: dissect_tcp_payload (packet-tcp.c:5327)
==4691==    by 0x71891F9: dissect_tcp (packet-tcp.c:6209)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691==    by 0x69A9D2E: dissector_try_uint_new (packet.c:1290)
==4691==    by 0x6DD63B2: ip_try_dissect (packet-ip.c:1977)
==4691==    by 0x6DD63B2: dissect_ip_v4 (packet-ip.c:2440)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691== 
==4691== Use of uninitialised value of size 8
==4691==    at 0x69DA429: get_token_len (strutil.c:124)
==4691==    by 0x1000023FF: ???
==4691==    by 0x7: ???
==4691== 
==4691== Conditional jump or move depends on uninitialised value(s)
==4691==    at 0x69DA42D: get_token_len (strutil.c:124)
==4691==    by 0x6FDF1D2: dissect_pop (packet-pop.c:274)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691==    by 0x69A9D2E: dissector_try_uint_new (packet.c:1290)
==4691==    by 0x7183C57: decode_tcp_ports (packet-tcp.c:5191)
==4691==    by 0x71850BF: process_tcp_payload (packet-tcp.c:5260)
==4691==    by 0x7184580: desegment_tcp (packet-tcp.c:2778)
==4691==    by 0x7184580: dissect_tcp_payload (packet-tcp.c:5327)
==4691==    by 0x71891F9: dissect_tcp (packet-tcp.c:6209)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691==    by 0x69A9D2E: dissector_try_uint_new (packet.c:1290)
==4691==    by 0x6DD63B2: ip_try_dissect (packet-ip.c:1977)
==4691==    by 0x6DD63B2: dissect_ip_v4 (packet-ip.c:2440)
==4691==    by 0x69A9E65: call_dissector_through_handle (packet.c:650)
==4691==    by 0x69A9E65: call_dissector_work (packet.c:725)
==4691== 
==4691== Conditional jump or move depends on uninitialised value(s)
==4691==    at 0x4C30F78: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4691==    by 0x4162C3: print_columns (tshark.c:3656)
==4691==    by 0x4162C3: print_packet (tshark.c:3818)
==4691==    by 0x415DB9: process_packet (tshark.c:3451)
==4691==    by 0x413B15: load_cap_file (tshark.c:3193)
==4691==    by 0x413B15: main (tshark.c:1893)
==4691== 
==4691== Conditional jump or move depends on uninitialised value(s)
==4691==    at 0x4C30F78: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4691==    by 0xBE0DF7E: fputs (iofputs.c:33)
==4691==    by 0x69BB1BE: print_line_text (print_stream.c:154)
==4691==    by 0x41692A: print_columns (tshark.c:3801)
==4691==    by 0x41692A: print_packet (tshark.c:3818)
==4691==    by 0x415DB9: process_packet (tshark.c:3451)
==4691==    by 0x413B15: load_cap_file (tshark.c:3193)
==4691==    by 0x413B15: main (tshark.c:1893)
==4691== 
==4691== Syscall param write(buf) points to uninitialised byte(s)
==4691==    at 0xBE96A10: __write_nocancel (syscall-template.S:84)
==4691==    by 0xBE18B2E: _IO_file_write@@GLIBC_2.2.5 (fileops.c:1263)
==4691==    by 0xBE1A338: new_do_write (fileops.c:518)
==4691==    by 0xBE1A338: _IO_do_write@@GLIBC_2.2.5 (fileops.c:494)
==4691==    by 0xBE193AC: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1331)
==4691==    by 0xBE0E007: fputs (iofputs.c:38)
==4691==    by 0x69BB1BE: print_line_text (print_stream.c:154)
==4691==    by 0x41692A: print_columns (tshark.c:3801)
==4691==    by 0x41692A: print_packet (tshark.c:3818)
==4691==    by 0x415DB9: process_packet (tshark.c:3451)
==4691==    by 0x413B15: load_cap_file (tshark.c:3193)
==4691==    by 0x413B15: main (tshark.c:1893)
==4691==  Address 0x136cc650 is 1,488 bytes inside a block of size 4,096 alloc'd
==4691==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4691==    by 0xBE0D184: _IO_file_doallocate (filedoalloc.c:127)
==4691==    by 0xBE1B4C3: _IO_doallocbuf (genops.c:398)
==4691==    by 0xBE1A827: _IO_file_overflow@@GLIBC_2.2.5 (fileops.c:820)
==4691==    by 0xBE191BC: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1331)
==4691==    by 0xBE0E007: fputs (iofputs.c:38)
==4691==    by 0x69BB1BE: print_line_text (print_stream.c:154)
==4691==    by 0x41692A: print_columns (tshark.c:3801)
==4691==    by 0x41692A: print_packet (tshark.c:3818)
==4691==    by 0x415DB9: process_packet (tshark.c:3451)
==4691==    by 0x413B15: load_cap_file (tshark.c:3193)
==4691==    by 0x413B15: main (tshark.c:1893)
==4691== 
==4691== Use of uninitialised value of size 8
==4691==    at 0x69DA429: get_token_len (strutil.c:124)
==4691==    by 0x1000023FF: ???
==4691==    by 0x10A: ???
==4691== 
==4691== 
==4691== HEAP SUMMARY:
==4691==     in use at exit: 6,095,217 bytes in 9,805 blocks
==4691==   total heap usage: 592,461 allocs, 582,656 frees, 52,072,098 bytes allocated
==4691== 
==4691== LEAK SUMMARY:
==4691==    definitely lost: 1,584 bytes in 159 blocks
==4691==    indirectly lost: 176 bytes in 4 blocks
==4691==      possibly lost: 0 bytes in 0 blocks
==4691==    still reachable: 6,093,457 bytes in 9,642 blocks
==4691==         suppressed: 0 bytes in 0 blocks
==4691== Rerun with --leak-check=full to see details of leaked memory
==4691== 
==4691== For counts of detected and suppressed errors, rerun with: -v
==4691== Use --track-origins=yes to see where uninitialised values come from
==4691== ERROR SUMMARY: 3782 errors from 10 contexts (suppressed: 0 from 0)

[ no debug trace ]