Ethereal-dev: [Ethereal-dev] Crash in packet-icmpv6.c

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Heikki Vatiainen <hessu@xxxxxxxxx>
Date: 28 Mar 2001 23:39:12 +0300
While trying to dissect IPv6 pings I got a crash with the stack trace
shown below. Since the ICMPv6 dissector has not been tvbuffified, it
gives a NULL tvb to proto_tree_add_item_hidden(), which gets delivered
all the way to check_offset_length_no_exception().

An easy fix was to comment out the call to
proto_tree_add_item_hidden(), but since the ICMPv6 dissector seems to be
the only dissector passing a NullTVB to this call, I can tvbuffify it
if nobody objects.

The problem seems to be at least in 0.8.16 and the latest CVS version.

An example of a crash producing capture is available at
http://atm.tut.fi/~hessu/ethereal/ipv6-ping.cap

(gdb) run -n -r ~/ipv6-trunk.cap

Starting program:
/home/hessu/src/ethereal-cvs/hack/ethereal/./ethereal -n -r
~/ipv6-trunk.cap

Program received signal SIGSEGV, Segmentation fault.

check_offset_length_no_exception (tvb=0x0, offset=60, length=2,
  offset_ptr=0xbfffddec, length_ptr=0xbfffddf0, exception=0xbfffdda0) at
  tvbuff.c:416
416             g_assert(tvb->initialized);
(gdb) where
#0  check_offset_length_no_exception (tvb=0x0, offset=60, length=2,
    offset_ptr=0xbfffddec, length_ptr=0xbfffddf0, exception=0xbfffdda0) at
    tvbuff.c:416
#1  0x8161edc in check_offset_length (tvb=0x0, offset=60, length=2,
    offset_ptr=0xbfffddec, length_ptr=0xbfffddf0) at tvbuff.c:450
#2  0x81627a9 in ensure_contiguous (tvb=0x0, offset=60, length=2) at
    tvbuff.c:781
#3  0x8162d2e in tvb_get_letohs (tvb=0x0, offset=60) at tvbuff.c:1002
#4  0x815d252 in get_uint_value (tvb=0x0, offset=60, length=2,
    little_endian=1) at proto.c:376
#5  0x815d455 in proto_tree_add_item (tree=0x82ddcc0, hfindex=582,
    tvb=0x0, start=60, length=2, little_endian=1) at proto.c:474
#6  0x815d714 in proto_tree_add_item_hidden (tree=0x82ddcc0,
    hfindex=582, tvb=0x0, start=60, length=2, little_endian=1) at
    proto.c:574
#7  0x809d57c in dissect_icmpv6 (pd=0x821fc60 "", offset=58,
    fd=0x82cac80, tree=0x82ddb80) at packet-icmpv6.c:991

-- 
Heikki Vatiainen                  * hessu@xxxxxxxxx
Tampere University of Technology  * Tampere, Finland
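The crash above is a NULL tvb reaching the tvbuff accessors (g_assert(tvb->initialized) dereferences the null pointer before it can assert), and the proposed fix is to give the dissector a real tvb instead of NullTVB. The C block below is an added example written for this archive page; it is not Ethereal's tvbuff.c or packet-icmpv6.c. It models a tvbuff as a (pointer, length) window into the frame, derives one from the old-style (pd, offset) arguments the way a tvbuffified dissector would, and reads a constructed ICMPv6 echo request through accessors that reject a NULL tvb or a truncated frame with an error return rather than a segfault. Every identifier (mini_tvb, mini_tvb_from_pd, dissect_icmpv6_echo, the example_* helpers) and the frame bytes are assumptions made for the illustration; the checksum in the frame is a placeholder, not a valid one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal model of a tvbuff (illustration only, not Ethereal's tvbuff.c):
   a window into the frame plus the "initialized" flag the real code asserts on. */
typedef struct {
    const uint8_t *data;
    size_t         length;
    bool           initialized;
} mini_tvb;

/* What tvbuffifying an old-style dissector amounts to: turn the (pd, offset)
   pair it receives into a tvb window instead of passing NullTVB down. */
static mini_tvb mini_tvb_from_pd(const uint8_t *pd, size_t pd_len, size_t offset)
{
    mini_tvb t = { NULL, 0, false };
    if (pd != NULL && offset <= pd_len) {
        t.data = pd + offset;
        t.length = pd_len - offset;
        t.initialized = true;
    }
    return t;
}

/* Checked accessors: a NULL/uninitialised tvb or an out-of-range read is an
   error return, not a dereference of tvb->initialized through a null pointer. */
static bool mini_tvb_get_guint8(const mini_tvb *tvb, size_t off, uint8_t *out)
{
    if (tvb == NULL || !tvb->initialized || off >= tvb->length) return false;
    *out = tvb->data[off];
    return true;
}

static bool mini_tvb_get_ntohs(const mini_tvb *tvb, size_t off, uint16_t *out)
{
    if (tvb == NULL || !tvb->initialized) return false;
    if (off > tvb->length || tvb->length - off < 2) return false;
    *out = (uint16_t)((tvb->data[off] << 8) | tvb->data[off + 1]);
    return true;
}

typedef struct {
    uint8_t  type, code;
    uint16_t checksum, identifier, sequence;
} icmpv6_echo;

/* Dissect the fixed 8-byte ICMPv6 echo request/reply header (types 128/129).
   Returns 0 on success, -1 if the tvb is unusable or the header is truncated. */
static int dissect_icmpv6_echo(const mini_tvb *tvb, icmpv6_echo *e)
{
    if (!mini_tvb_get_guint8(tvb, 0, &e->type))      return -1;
    if (!mini_tvb_get_guint8(tvb, 1, &e->code))      return -1;
    if (!mini_tvb_get_ntohs(tvb, 2, &e->checksum))   return -1;
    if (e->type != 128 && e->type != 129)            return -1; /* not echo */
    if (!mini_tvb_get_ntohs(tvb, 4, &e->identifier)) return -1;
    if (!mini_tvb_get_ntohs(tvb, 6, &e->sequence))   return -1;
    return 0;
}

/* Constructed frame (not the capture from the post): Ethernet + IPv6 + ICMPv6
   echo request, identifier 0xabcd, sequence 1, 8 bytes of payload. */
static const uint8_t frame[] = {
    /* Ethernet: dst, src, ethertype 0x86dd */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x86,0xdd,
    /* IPv6: version 6, payload length 16, next header 58 (ICMPv6), hop limit 64 */
    0x60,0x00,0x00,0x00, 0x00,0x10, 0x3a, 0x40,
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,1,   /* src ::1 */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,1,   /* dst ::1 */
    /* ICMPv6 at frame offset 54: type 128, code 0, placeholder checksum, id, seq */
    0x80,0x00, 0x12,0x34, 0xab,0xcd, 0x00,0x01,
    'a','b','c','d','e','f','g','h',
};
#define ICMPV6_OFFSET 54   /* 14 (Ethernet) + 40 (IPv6) */

/* Tvbuffified call: returns the echo identifier, or -1 on failure. */
static int example_tvbuffified(void)
{
    icmpv6_echo e;
    mini_tvb tvb = mini_tvb_from_pd(frame, sizeof frame, ICMPV6_OFFSET);
    return dissect_icmpv6_echo(&tvb, &e) == 0 ? e.identifier : -1;
}

/* The pre-fix situation: the tree-add layer is handed a NULL tvb.
   With checked accessors this is an error return, not a SIGSEGV. */
static int example_null_tvb(void)
{
    icmpv6_echo e;
    return dissect_icmpv6_echo(NULL, &e);
}

/* A frame cut off inside the ICMPv6 header: also an error, not an over-read. */
static int example_truncated(void)
{
    icmpv6_echo e;
    mini_tvb tvb = mini_tvb_from_pd(frame, ICMPV6_OFFSET + 5, ICMPV6_OFFSET);
    return dissect_icmpv6_echo(&tvb, &e);
}

int main(void)
{
    printf("identifier=0x%x null_tvb=%d truncated=%d\n",
           example_tvbuffified(), example_null_tvb(), example_truncated());
    return 0;
}
```

The point of the model is the ordering in the trace: proto_tree_add_item() fetches the field value through the tvb before anything checks that a tvb exists, so a dissector that still uses the (pd, offset) interface has to construct the tvb itself before calling any proto_tree_add_item* routine. The checked accessors also catch the second failure that the same fix prevents, a frame that ends inside the header.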