Ethereal-dev: Re: [Ethereal-dev] Crash by AJP13 protocol

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Greg Morris" <GMORRIS@xxxxxxxxxx>
Date: Wed, 26 Mar 2003 14:06:44 -0700
I just removed my development version of Ethereal and reinstalled the binary from the Ethereal website. I still get the crash from packet number 6 (pinfo->num == 6) in trace error2.cap. The offending function is dissect_ajp13_tcp_pdu(tvbuff*, _packet_info*, _GNode*). This info is from Microsoft Visual C debugger.

Call stack

dissect_ajp13_tcp_pdu(tvbuff * 0x01e14850, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 667 + 3 bytes
tcp_dissect_pdus(tvbuff * 0x01e1474c, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8, int 1, unsigned int 4, unsigned int (tvbuff *, int)* 0x0041f2a8 get_ajp13_pdu_len(tvbuff *, int), void (tvbuff *, _packet_info *, _GNode *)* 0x0041e080 dissect_ajp13_tcp_pdu(tvbuff *, _packet_info *, _GNode *)) line 1504 + 15 bytes
dissect_ajp13(tvbuff * 0x01e1474c, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 745 + 31 bytes
call_dissector_through_handle(dissector_handle * 0x01137be8, tvbuff * 0x01e1474c, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 363 + 18 bytes
call_dissector_work(dissector_handle * 0x01137be8, tvbuff * 0x01e1474c, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 504 + 21 bytes
dissector_try_port(dissector_table * 0x0112d250, unsigned int 8009, tvbuff * 0x01e1474c, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 719 + 21 bytes
decode_tcp_ports(tvbuff * 0x01e14718, int 20, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8, int 8009, int 1078) line 1805 + 34 bytes
desegment_tcp(tvbuff * 0x01e14718, _packet_info * 0x01e138e0, int 20, unsigned int 3934855740, unsigned int 3934855747, unsigned int 8009, unsigned int 1078, _GNode * 0x01e13ea8, _GNode * 0x01e142a4) line 1084 + 29 bytes
dissect_tcp(tvbuff * 0x01e14718, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 2157 + 69 bytes
call_dissector_through_handle(dissector_handle * 0x01143478, tvbuff * 0x01e14718, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 363 + 18 bytes
call_dissector_work(dissector_handle * 0x01143478, tvbuff * 0x01e14718, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 504 + 21 bytes
dissector_try_port(dissector_table * 0x010db5f8, unsigned int 6, tvbuff * 0x01e14718, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 719 + 21 bytes
dissect_ip(tvbuff * 0x01e146e4, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 1098 + 34 bytes
call_dissector_through_handle(dissector_handle * 0x00c6ffe8, tvbuff * 0x01e146e4, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 363 + 18 bytes
call_dissector_work(dissector_handle * 0x00c6ffe8, tvbuff * 0x01e146e4, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 504 + 21 bytes
dissector_try_port(dissector_table * 0x00c6b688, unsigned int 2048, tvbuff * 0x01e146e4, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 719 + 21 bytes
ethertype(unsigned short 2048, tvbuff * 0x01e146b0, int 14, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8, _GNode * 0x01e14204, int 2392, int 2394) line 165 + 33 bytes
dissect_eth(tvbuff * 0x01e146b0, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 269 + 45 bytes
call_dissector_through_handle(dissector_handle * 0x00c6b600, tvbuff * 0x01e146b0, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 363 + 18 bytes
call_dissector_work(dissector_handle * 0x00c6b600, tvbuff * 0x01e146b0, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 504 + 21 bytes
dissector_try_port(dissector_table * 0x010d1968, unsigned int 1, tvbuff * 0x01e146b0, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 719 + 21 bytes
dissect_frame(tvbuff * 0x01e146b0, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 180 + 34 bytes
call_dissector_through_handle(dissector_handle * 0x010d1a18, tvbuff * 0x01e146b0, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 363 + 18 bytes
call_dissector_work(dissector_handle * 0x010d1a18, tvbuff * 0x01e146b0, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 504 + 21 bytes
call_dissector(dissector_handle * 0x010d1a18, tvbuff * 0x01e146b0, _packet_info * 0x01e138e0, _GNode * 0x01e13ea8) line 1225 + 21 bytes
dissect_packet(_epan_dissect_t * 0x01e138d8, wtap_pseudo_header * 0x01dcf4fc, const unsigned char * 0x01dee170, _frame_data * 0x01e03a14, _column_info * 0x009e9a18) line 319 + 32 bytes
epan_dissect_run(_epan_dissect_t * 0x01e138d8, void * 0x01dcf4fc, const unsigned char * 0x01dee170, _frame_data * 0x01e03a14, _column_info * 0x009e9a18) line 103 + 25 bytes
add_packet_to_packet_list(_frame_data * 0x01e03a14, _capture_file * 0x009d9900, wtap_pseudo_header * 0x01dcf4fc, const unsigned char * 0x01dee170, int 1) line 712 + 31 bytes
read_packet(_capture_file * 0x009d9900, long 851) line 831 + 23 bytes
read_cap_file(_capture_file * 0x009d9900, int * 0x0012fec0) line 388 + 13 bytes
main(int 0, char * * 0x00c63b70) line 2104 + 14 bytes
WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00000000, char * 0x00133831, int 1) line 2315 + 23 bytes
ETHEREAL! WinMainCRTStartup + 308 bytes
KERNEL32! 77ea847c()
>>> Guy Harris <guy@xxxxxxxxxx> 3/26/2003 12:51:08 PM >>>
On Wed, Mar 26, 2003 at 12:05:17PM -0700, Greg Morris wrote:
> The attached packet traces will crash Ethereal on Windows if the AJP13
> protocol is enabled.

It doesn't happen for me with 0.9.11 on Windows 2000.

> Crash occurs in line 667 of packet-ajp13.c because
> cd->content_length == 0.

That line just does

    if (cd->content_length) {

in 0.9.11; testing whether something is non-zero generally doesn't cause
a crash if it's not non-zero, although it could crash if "cd" is null.

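The failure mode Guy points at (line 667 reads cd->content_length, which only crashes if cd is NULL) can be reproduced in miniature. The C below is an added example, not Ethereal's packet-ajp13.c: it models the shape visible in the call stack (tcp_dissect_pdus sizing each PDU from a 4-byte header via get_ajp13_pdu_len, then handing it to dissect_ajp13_tcp_pdu, which consults per-conversation data) with a NULL check in place of the unguarded dereference. The AJP13 framing (2-byte magic, 2-byte big-endian length), the struct, the result codes and the sample segment are all assumptions or constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not Ethereal's code. Only get_ajp13_pdu_len and
 * dissect_ajp13_tcp_pdu are names from the call stack; the rest is assumed. */

/* Per-conversation state; NULL when the stream was not seen from its start. */
typedef struct {
    unsigned content_length;   /* body length announced by the request */
} ajp13_conv_data;

enum { AJP_NEED_MORE = -1, AJP_NO_CONV = 0, AJP_MSG = 1, AJP_BODY = 2 };

/* Whole PDU length (header + payload) from the first 4 bytes; 0 if too short.
 * Assumed framing: 2-byte magic, then 2-byte big-endian payload length. */
static unsigned get_ajp13_pdu_len(const uint8_t *buf, size_t len)
{
    if (len < 4) return 0;
    return 4u + (((unsigned)buf[2] << 8) | buf[3]);
}

/* The crash shape is `if (cd->content_length)` with no NULL check. Here a
 * missing conversation (capture started mid-stream, no request seen yet)
 * is reported as a result code instead of being dereferenced. */
static int dissect_ajp13_tcp_pdu(const uint8_t *buf, size_t len,
                                 const ajp13_conv_data *cd)
{
    unsigned pdu_len = get_ajp13_pdu_len(buf, len);
    if (pdu_len == 0 || pdu_len > len) return AJP_NEED_MORE;
    if (cd == NULL) return AJP_NO_CONV;
    return cd->content_length ? AJP_BODY : AJP_MSG;
}

/* Models tcp_dissect_pdus(): walk one TCP segment, sizing each PDU from its
 * header; returns the number of complete PDUs and the last PDU's result. */
static int dissect_ajp13(const uint8_t *buf, size_t len,
                         const ajp13_conv_data *cd, int *last)
{
    int count = 0;
    size_t off = 0;
    *last = AJP_NEED_MORE;
    while (off < len) {
        unsigned pdu_len = get_ajp13_pdu_len(buf + off, len - off);
        if (pdu_len == 0 || pdu_len > len - off) break; /* partial PDU: wait */
        *last = dissect_ajp13_tcp_pdu(buf + off, len - off, cd);
        off += pdu_len;
        count++;
    }
    return count;
}

/* Constructed segment: PDU 1 = 0x1234, len 2, 2 bytes; PDU 2 = "AB", len 1, 1 byte. */
static const uint8_t ajp13_sample_seg[] = {
    0x12, 0x34, 0x00, 0x02, 0xAA, 0xBB, 0x41, 0x42, 0x00, 0x01, 0xCC };
```

With a NULL conversation the walker still returns both PDUs (result AJP_NO_CONV) rather than faulting, and a truncated segment stops at the incomplete PDU.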
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev