Wireshark-bugs: [Wireshark-bugs] [Bug 13144] New: Buildbot crash output: fuzz-2016-11-16-2756.pc
Date: Wed, 16 Nov 2016 09:30:02 +0000
Bug ID | 13144 |
---|---|
Summary | Buildbot crash output: fuzz-2016-11-16-2756.pcap |
Product | Wireshark |
Version | unspecified |
Hardware | x86-64 |
URL | https://www.wireshark.org/download/automated/captures/fuzz-2016-11-16-2756.pcap |
OS | Ubuntu |
Status | CONFIRMED |
Severity | Major |
Priority | High |
Component | Dissection engine (libwireshark) |
Assignee | [email protected] |
Reporter | [email protected] |
Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2016-11-16-2756.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/14032-sample_cid1_gen19.pcap

Build host information:
Linux wsbb04 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial

Buildbot information:
BUILDBOT_REPOSITORY=ssh://[email protected]:29418/wireshark
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_BUILDNUMBER=3774
BUILDBOT_URL=http://buildbot.wireshark.org/wireshark-master/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_GOT_REVISION=7f2a83892204821145768b76bbdd0719b57787f8

Return value: 0

Dissector bug: 0

Valgrind error count: 5

Git commit
commit 7f2a83892204821145768b76bbdd0719b57787f8
Author: Franklin "Snaipe" Mathieu <[email protected]>
Date: Tue Nov 8 17:13:41 2016 +0100

    lua: Allow proto:register_heuristic to be used on multiple list names

    In the C API, one can register a heuristic for the same protocol on
    different lists by specifying another unique short_name. This is
    impossible in the lua API, as the protocol name is used as the short
    name itself.

    This change fixes that by creating an unique shortname composed of
    the protocol name and the target list name.

    Change-Id: I2c30ce6e4f7a3b38879180c64cf8564f779163b4
    Signed-off-by: Franklin "Snaipe" Mathieu <[email protected]>
    Reviewed-on: https://code.wireshark.org/review/18711
    Petri-Dish: Michael Mann <[email protected]>
    Tested-by: Petri Dish Buildbot <[email protected]>
    Reviewed-by: Peter Wu <[email protected]>

==21296== Memcheck, a memory error detector
==21296== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21296== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==21296== Command: /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.plain/bin/tshark -nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2016-11-16-2756.pcap
==21296==
==21296== Invalid read of size 1
==21296==    at 0x69DE58B: fragment_add_seq_single_work (reassemble.c:2235)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B26FC: call_dissector_only (packet.c:2954)
==21296==    by 0x69B26FC: call_dissector_with_data (packet.c:2967)
==21296==  Address 0x14036f45 is 37 bytes inside a block of size 56 free'd
==21296==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0x69DCE3A: fragment_delete (reassemble.c:606)
==21296==    by 0x69DE4FD: fragment_add_seq_single_work (reassemble.c:2216)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==  Block was alloc'd at
==21296==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0xA6F7728: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70E932: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70EFCD: g_slice_alloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0x69DE5D5: new_head (reassemble.c:366)
==21296==    by 0x69DE5D5: fragment_add_seq_single_work (reassemble.c:2274)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==
==21296== Invalid read of size 4
==21296==    at 0x69DE592: fragment_add_seq_single_work (reassemble.c:2238)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B26FC: call_dissector_only (packet.c:2954)
==21296==    by 0x69B26FC: call_dissector_with_data (packet.c:2967)
==21296==  Address 0x14036f38 is 24 bytes inside a block of size 56 free'd
==21296==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0x69DCE3A: fragment_delete (reassemble.c:606)
==21296==    by 0x69DE4FD: fragment_add_seq_single_work (reassemble.c:2216)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==  Block was alloc'd at
==21296==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0xA6F7728: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70E932: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70EFCD: g_slice_alloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0x69DE5D5: new_head (reassemble.c:366)
==21296==    by 0x69DE5D5: fragment_add_seq_single_work (reassemble.c:2274)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==
==21296== Invalid read of size 1
==21296==    at 0x69DE954: fragment_add_seq_single_work (reassemble.c:2239)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B26FC: call_dissector_only (packet.c:2954)
==21296==    by 0x69B26FC: call_dissector_with_data (packet.c:2967)
==21296==  Address 0x14036f45 is 37 bytes inside a block of size 56 free'd
==21296==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0x69DCE3A: fragment_delete (reassemble.c:606)
==21296==    by 0x69DE4FD: fragment_add_seq_single_work (reassemble.c:2216)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==  Block was alloc'd at
==21296==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0xA6F7728: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70E932: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70EFCD: g_slice_alloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0x69DE5D5: new_head (reassemble.c:366)
==21296==    by 0x69DE5D5: fragment_add_seq_single_work (reassemble.c:2274)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==
==21296== Invalid write of size 4
==21296==    at 0x69DE959: fragment_add_seq_single_work (reassemble.c:2240)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B26FC: call_dissector_only (packet.c:2954)
==21296==    by 0x69B26FC: call_dissector_with_data (packet.c:2967)
==21296==  Address 0x14036f38 is 24 bytes inside a block of size 56 free'd
==21296==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0x69DCE3A: fragment_delete (reassemble.c:606)
==21296==    by 0x69DE4FD: fragment_add_seq_single_work (reassemble.c:2216)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B350E: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x6CCE5CE: dissect_frame (packet-frame.c:507)
==21296==  Block was alloc'd at
==21296==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21296==    by 0xA6F7728: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70E932: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0xA70EFCD: g_slice_alloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==21296==    by 0x69DE5D5: new_head (reassemble.c:366)
==21296==    by 0x69DE5D5: fragment_add_seq_single_work (reassemble.c:2274)
==21296==    by 0x69DE9AD: fragment_add_seq_single_aging (reassemble.c:2401)
==21296==    by 0x6FF4A31: dissect_mp (packet-ppp.c:5322)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==    by 0x69B3729: dissector_try_uint_new (packet.c:1290)
==21296==    by 0x69B3729: dissector_try_uint (packet.c:1316)
==21296==    by 0x6FF7A48: dissect_ppp_common (packet-ppp.c:4366)
==21296==    by 0x6FF44EC: dissect_ppp_hdlc (packet-ppp.c:5445)
==21296==    by 0x69B3645: call_dissector_through_handle (packet.c:650)
==21296==    by 0x69B3645: call_dissector_work (packet.c:725)
==21296==
==21296==
==21296== HEAP SUMMARY:
==21296==     in use at exit: 6,084,687 bytes in 9,719 blocks
==21296==   total heap usage: 309,195 allocs, 299,476 frees, 39,465,279 bytes allocated
==21296==
==21296== LEAK SUMMARY:
==21296==    definitely lost: 344 bytes in 86 blocks
==21296==    indirectly lost: 0 bytes in 0 blocks
==21296==      possibly lost: 0 bytes in 0 blocks
==21296==    still reachable: 6,084,343 bytes in 9,633 blocks
==21296==         suppressed: 0 bytes in 0 blocks
==21296== Rerun with --leak-check=full to see details of leaked memory
==21296==
==21296== For counts of detected and suppressed errors, rerun with: -v
==21296== ERROR SUMMARY: 5 errors from 4 contexts (suppressed: 0 from 0)

[ no debug trace ]