Wireshark-dev: Re: [Wireshark-dev] Wireshark 1.0.7 segfault when loading PCNFSD capture

From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Tue, 21 Apr 2009 16:42:39 -0700
It looks like "data" in pcnfsd_decode_obscure() might be NULL or have an
invalid value. Would it be possible to open a ticket at
bugs.wireshark.org and attach your capture file? The bug and/or
attachment can be marked private if needed.


Mark Cave-Ayland wrote:
> Hi everyone,
> 
> I've been working on capturing some data from a server to diagnose some 
> PCNFSD login problems and I have found that when I attempt to load my 
> capture file into wireshark 1.0.7 then it immediately segfaults.
> 
> Using gdb I can attach to the wireshark process and obtain the following 
> backtrace:
> 
> 
> mcavea@zeno:/home/build/rel-wireshark/bin$ gdb wireshark
> GNU gdb 6.8-debian
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later 
> <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu"...
> (gdb) run
> Starting program: /home/build/rel-wireshark/bin/wireshark
> [Thread debugging using libthread_db enabled]
> [New Thread 0x7f6a1b64e700 (LWP 29170)]
> 
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7f6a1b64e700 (LWP 29170)]
> 0x00007f6a19a46ce9 in dissect_pcnfsd2_auth_call (tvb=0x190f4c0, 
> offset=<value optimized out>, pinfo=<value optimized out>,
>      tree=0x1967b10) at packet-pcnfsd.c:179
> 179                     *data = (*data ^ 0x5b) & 0x7f;
> (gdb) bt
> #0  0x00007f6a19a46ce9 in dissect_pcnfsd2_auth_call (tvb=0x190f4c0, 
> offset=<value optimized out>, pinfo=<value optimized out>,
>      tree=0x1967b10) at packet-pcnfsd.c:179
> #1  0x00007f6a19a81e2c in call_dissect_function (tvb=0x190f4c0, 
> pinfo=0x1b7ee80, tree=0x1967b10, offset=72,
>      dissect_function=0x7f6a19a46b20 <dissect_pcnfsd2_auth_call>, 
> progname=0x7f6a1a037378 "PCNFSD") at packet-rpc.c:1273
> #2  0x00007f6a19a84b45 in dissect_rpc_message (tvb=0x190f4c0, 
> pinfo=0x1b7ee80, tree=0x1967870, frag_tvb=0x18, ipfd_head=0x0,
>      is_tcp=<value optimized out>, rpc_rm=0, first_pdu=1) at 
> packet-rpc.c:2600
> #3  0x00007f6a19a861f0 in dissect_rpc_heur (tvb=0x7f6a1a045eaa, 
> pinfo=0x4, tree=0x7f6a1a045eaa) at packet-rpc.c:2713
> #4  0x00007f6a1971fcdc in dissector_try_heuristic (sub_dissectors=<value 
> optimized out>, tvb=0x190f4c0, pinfo=0x1b7ee80,
>      tree=0x1967870) at packet.c:1595
> #5  0x00007f6a19b413ed in decode_udp_ports (tvb=0x190f400, offset=<value 
> optimized out>, pinfo=0x1b7ee80, tree=0x1967870,
>      uh_sport=1023, uh_dport=690, uh_ulen=144) at packet-udp.c:168
> #6  0x00007f6a19b41a2f in dissect (tvb=0x190f400, pinfo=0x1b7ee80, 
> tree=0x1967870, ip_proto=1114112) at packet-udp.c:427
> #7  0x00007f6a1971fbb1 in call_dissector_through_handle 
> (handle=0x14d64d0, tvb=0x190f400, pinfo=0x1b7ee80, tree=0x1967870)
>      at packet.c:396
> #8  0x00007f6a197202f3 in call_dissector_work (handle=0x14d64d0, 
> tvb=0x190f400, pinfo_arg=0x1b7ee80, tree=0x1967870) at packet.c:485
> #9  0x00007f6a19721277 in dissector_try_port (sub_dissectors=<value 
> optimized out>, port=17, tvb=0x190f400, pinfo=0x1b7ee80,
>      tree=0x1967870) at packet.c:870
> #10 0x00007f6a1996643c in dissect_ip (tvb=0x190f5e0, pinfo=0x1b7ee80, 
> parent_tree=0x1967870) at packet-ip.c:1574
> #11 0x00007f6a1971fbb1 in call_dissector_through_handle 
> (handle=0xd2f730, tvb=0x190f5e0, pinfo=0x1b7ee80, tree=0x1967870)
>      at packet.c:396
> #12 0x00007f6a197202f3 in call_dissector_work (handle=0xd2f730, 
> tvb=0x190f5e0, pinfo_arg=0x1b7ee80, tree=0x1967870) at packet.c:485
> #13 0x00007f6a19721277 in dissector_try_port (sub_dissectors=<value 
> optimized out>, port=2048, tvb=0x190f5e0, pinfo=0x1b7ee80,
>      tree=0x1967870) at packet.c:870
> #14 0x00007f6a198b7d37 in ethertype (etype=2048, tvb=0x190f580, 
> offset_after_etype=14, pinfo=0x1b7ee80, tree=0x1967870,
>      fh_tree=0x1967900, etype_id=13894, trailer_id=13896, fcs_len=-1) at 
> packet-ethertype.c:215
> #15 0x00007f6a198b5556 in dissect_eth_common (tvb=0x190f580, 
> pinfo=0x1b7ee80, parent_tree=0x1967870, fcs_len=-1) at packet-eth.c:338
> #16 0x00007f6a1971fbb1 in call_dissector_through_handle 
> (handle=0x143f160, tvb=0x190f580, pinfo=0x1b7ee80, tree=0x1967870)
>      at packet.c:396
> #17 0x00007f6a197202f3 in call_dissector_work (handle=0x143f160, 
> tvb=0x190f580, pinfo_arg=0x1b7ee80, tree=0x1967870) at packet.c:485
> #18 0x00007f6a19721277 in dissector_try_port (sub_dissectors=<value 
> optimized out>, port=1, tvb=0x190f580, pinfo=0x1b7ee80,
>      tree=0x1967870) at packet.c:870
> #19 0x00007f6a198edde8 in dissect_frame (tvb=0x190f580, pinfo=0x1b7ee80, 
> parent_tree=0x1967870) at packet-frame.c:305
> #20 0x00007f6a1971fbb1 in call_dissector_through_handle 
> (handle=0xc49db0, tvb=0x190f580, pinfo=0x1b7ee80, tree=0x1967870)
>      at packet.c:396
> #21 0x00007f6a197202f3 in call_dissector_work (handle=0xc49db0, 
> tvb=0x190f580, pinfo_arg=0x1b7ee80, tree=0x1967870) at packet.c:485
> #22 0x00007f6a19720441 in call_dissector (handle=0x7f6a1a045eaa, 
> tvb=0x4, pinfo=0x7f6a1a045eaa, tree=0x7f6a1a045eb1) at packet.c:1787
> #23 0x00007f6a19721d92 in dissect_packet (edt=0x1b7ee70, 
> pseudo_header=<value optimized out>, pd=0x1988400 "", fd=0x1b8acd0,
>      cinfo=<value optimized out>) at packet.c:332
> #24 0x0000000000433a6b in add_packet_to_packet_list (fdata=0x1b8acd0, 
> cf=0x77b140, dfcode=0x0, pseudo_header=0x1939f88,
>      buf=0x1988400 "", refilter=<value optimized out>) at file.c:972
> #25 0x00000000004354cf in cf_read (cf=0x77b140) at file.c:503
> #26 0x0000000000474171 in file_open_cmd (w=0x15c2240) at 
> capture_file_dlg.c:726
> #27 0x00007f6a16f40e9d in g_closure_invoke () from 
> /usr/lib/libgobject-2.0.so.0
> #28 0x00007f6a16f53bfd in ?? () from /usr/lib/libgobject-2.0.so.0
> #29 0x00007f6a16f550ee in g_signal_emit_valist () from 
> /usr/lib/libgobject-2.0.so.0
> #30 0x00007f6a16f555f3 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
> #31 0x00007f6a184069cb in gtk_widget_activate () from 
> /usr/lib/libgtk-x11-2.0.so.0
> #32 0x00007f6a182fa2ad in gtk_menu_shell_activate_item () from 
> /usr/lib/libgtk-x11-2.0.so.0
> #33 0x00007f6a182fbf85 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
> #34 0x00007f6a182ed748 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
> #35 0x00007f6a16f40e9d in g_closure_invoke () from 
> /usr/lib/libgobject-2.0.so.0
> #36 0x00007f6a16f538dc in ?? () from /usr/lib/libgobject-2.0.so.0
> #37 0x00007f6a16f54f71 in g_signal_emit_valist () from 
> /usr/lib/libgobject-2.0.so.0
> #38 0x00007f6a16f555f3 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
> #39 0x00007f6a184021be in ?? () from /usr/lib/libgtk-x11-2.0.so.0
> #40 0x00007f6a182e62d3 in gtk_propagate_event () from 
> /usr/lib/libgtk-x11-2.0.so.0
> #41 0x00007f6a182e731b in gtk_main_do_event () from 
> /usr/lib/libgtk-x11-2.0.so.0
> #42 0x00007f6a17f48f8c in ?? () from /usr/lib/libgdk-x11-2.0.so.0
> #43 0x00007f6a1649778b in g_main_context_dispatch () from 
> /usr/lib/libglib-2.0.so.0
> #44 0x00007f6a1649af5d in ?? () from /usr/lib/libglib-2.0.so.0
> #45 0x00007f6a1649b48d in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
> #46 0x00007f6a182e7737 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
> #47 0x00000000004484ce in main (argc=0, argv=0x7fff23787c80) at main.c:3201
> 
> 
> So it looks as if there is a problem with the PCNFSD dissector :(  Can 
> anyone point me in the right direction as to how to go about fixing this?
> 
> 
> Many thanks,
> 
> Mark.
>
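The byte transform on the crashing line (`*data = (*data ^ 0x5b) & 0x7f;`), as an added illustration that is not code from this thread or from the Wireshark source tree. It shows two shapes of the same decode: the in-place form, which trusts the caller's pointer and length exactly as the line in the backtrace does, and a hypothetical checked form (the name `decode_obscure_copy` and its signature are assumptions, not a Wireshark API) that treats the input as read-only, validates the pointer and lengths, and writes into a caller-owned buffer. The sample input "6:)0" is constructed: it is the word "mark" with each byte XORed with 0x5b.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte transform from the crashing line in the backtrace:
 *     *data = (*data ^ 0x5b) & 0x7f;
 * For 7-bit input it is an involution: applying it twice returns the
 * original byte, so the same routine obscures and de-obscures. The 0x7f
 * mask drops the high bit, so bytes >= 0x80 are not recoverable. */
static uint8_t unobscure_byte(uint8_t b)
{
    return (uint8_t)((b ^ 0x5b) & 0x7f);
}

/* Shape 1: in-place decode with the signature style seen in the backtrace.
 * It trusts the caller for both pointer and length and writes through the
 * pointer, so a NULL pointer or a pointer into read-only memory (for example
 * a string literal handed back in place of real packet bytes) faults on the
 * first write, which is the failure mode reported above. */
static void decode_obscure_in_place(char *data, int len)
{
    for (; len > 0; len--, data++)
        *data = (char)unobscure_byte((uint8_t)*data);
}

/* Shape 2 (hypothetical hardened form, not Wireshark's code): the input is
 * read-only, pointer and lengths are checked, and the decoded text goes into
 * a caller-owned buffer with a terminating NUL.
 * Returns the number of decoded bytes, or -1 on bad arguments. */
static int decode_obscure_copy(const uint8_t *in, size_t in_len,
                               char *out, size_t out_len)
{
    if (in == NULL || out == NULL)
        return -1;
    if (in_len >= out_len)          /* need in_len bytes plus the NUL */
        return -1;
    for (size_t i = 0; i < in_len; i++)
        out[i] = (char)unobscure_byte(in[i]);
    out[in_len] = '\0';
    return (int)in_len;
}

/* Convenience check: does `obscured` decode to `expected`? 1 = yes, 0 = no. */
static int decodes_to(const char *obscured, const char *expected)
{
    char buf[64];
    int n = decode_obscure_copy((const uint8_t *)obscured, strlen(obscured),
                                buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample: "mark" obscured byte by byte is "6:)0"
     * ('m' ^ 0x5b = '6', 'a' ^ 0x5b = ':', 'r' ^ 0x5b = ')', 'k' ^ 0x5b = '0'). */
    const char obscured[] = "6:)0";
    char decoded[16];

    decode_obscure_copy((const uint8_t *)obscured, strlen(obscured),
                        decoded, sizeof decoded);
    printf("copy decode:     %s -> %s\n", obscured, decoded);

    /* In-place decode on a writable copy is fine ... */
    char writable[] = "6:)0";
    decode_obscure_in_place(writable, (int)strlen(writable));
    printf("in-place decode: %s\n", writable);

    /* ... but the same call on a string literal or on NULL is undefined
     * behaviour and typically segfaults, the shape of the crash in the
     * backtrace. Deliberately not executed:
     *   decode_obscure_in_place((char *)"literal", 7);
     *   decode_obscure_in_place(NULL, 4);
     */

    /* The checked form rejects NULL and an undersized output buffer. */
    printf("NULL input  -> %d\n",
           decode_obscure_copy(NULL, 4, decoded, sizeof decoded));
    printf("tiny buffer -> %d\n",
           decode_obscure_copy((const uint8_t *)obscured, 4, decoded, 4));
    return 0;
}
```

The point for a dissector: bytes taken from a tvbuff (or any pointer returned by a helper that may substitute a placeholder for missing data) should be copied into memory the dissector owns before being rewritten, and the length used for the loop should come from the same place the bytes did, not from a separate field in the packet.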