[Ethereal-dev] Double-free tvb bug in HTTP dissector with gzip decompression?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Olivier Biot" <ethereal@xxxxxxxxxx>
Date: Thu, 6 May 2004 23:51:36 +0200
Hi list,

If you open the attached capture with Ethereal, you can freely inspect
it and see the dissected decompression. However, if you enter a
display filter like "http" which matches the packet, Ethereal will
crash in epan_dissect_free() at the very end of having filtered all
packets (I tested this with a 9 MB capture). The crash does not happen
if you disable the HTTP dissector.

Below is a transcript of a debugger session, obtained by reading the attached
capture and filtering with "http" as the display filter:

Program received signal SIGSEGV, Segmentation fault.
tvb_free_chain (tvb=0x1) at tvbuff.c:221
221             for (slist = tvb->used_in; slist != NULL ; slist = slist->next) {
(gdb) bt full
#0  tvb_free_chain (tvb=0x1) at tvbuff.c:221
        tvb = (tvbuff_t *) 0x1
        slist = (GSList *) 0x10540c20
#1  0x00e5609a in tvb_free_chain (tvb=0x10540298) at tvbuff.c:222
        tvb = (tvbuff_t *) 0x10540298
        slist = (GSList *) 0x10540c20
#2  0x00e5609a in tvb_free_chain (tvb=0x10336e1c) at tvbuff.c:222
        tvb = (tvbuff_t *) 0x10336e1c
        slist = (GSList *) 0x104802b0
#3  0x00e5609a in tvb_free_chain (tvb=0x10336ce4) at tvbuff.c:222
        tvb = (tvbuff_t *) 0x10336ce4
        slist = (GSList *) 0x10540320
#4  0x00e5609a in tvb_free_chain (tvb=0x10336c7c) at tvbuff.c:222
        tvb = (tvbuff_t *) 0x10336c7c
        slist = (GSList *) 0x10541718
#5  0x00e5609a in tvb_free_chain (tvb=0x10336cb0) at tvbuff.c:222
        tvb = (tvbuff_t *) 0x10336cb0
        slist = (GSList *) 0x10323780
#6  0x00e461a1 in epan_dissect_free (edt=0x1053e3f0) at epan.c:166
        edt = (epan_dissect_t *) 0x1053e3f0
#7  0x0040f24d in select_packet (cf=0x4b3980, row=0) at file.c:2526
        cf = (capture_file *) 0x4b3980
        row = 4930056
        fdata = (frame_data *) 0x1053e3f0
        err = 11277970
        err_info = (gchar *) 0x0
#8  0x0042bad8 in packet_list_select_cb (w=0x10234750, row=0, col=-1, evt=0x0) at packet_list.c:261
        row = 0
#9  0x00aae458 in _gtk_marshal_VOID__INT_INT_BOXED ()
No symbol table info available.
#10 0x00963410 in g_closure_invoke () from /usr/bin/cyggobject-2.0-0.dll
No symbol table info available.
#11 0x009739b7 in signal_emit_unlocked_R () from /usr/bin/cyggobject-2.0-0.dll
No symbol table info available.

Another backtrace (only the top of it) shows that tvb is not always 0x1
but sometimes 0x0:

Program received signal SIGSEGV, Segmentation fault.
tvb_free_chain (tvb=0x0) at tvbuff.c:221
221             for (slist = tvb->used_in; slist != NULL ; slist = slist->next) {
(gdb) bt full
#0  tvb_free_chain (tvb=0x0) at tvbuff.c:221
        tvb = (tvbuff_t *) 0x0
        slist = (GSList *) 0x10313b80
#1  0x00e5609a in tvb_free_chain (tvb=0x105db5b4) at tvbuff.c:222
        tvb = (tvbuff_t *) 0x105db5b4
        slist = (GSList *) 0x10313b80
#2  0x00e5609a in tvb_free_chain (tvb=0x105db580) at tvbuff.c:222
        tvb = (tvbuff_t *) 0x105db580
        slist = (GSList *) 0x10313cf0

The bug does not occur on chunked-but-not-gzipped entities.

Does anyone have a clue (overwritten tvbuffer pointer or something similar)?

Regards,

Olivier

Attachment: BigCap-gzip-not-chunked-response.snoop
Description: Binary data
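The backtraces above stop on the loop at tvbuff.c:221-222, where tvb_free_chain() walks a tvb's used_in list and recurses into each child; a child pointer of 0x0 or 0x1 is dereferenced there. The program below is an added illustration, not Ethereal's tvbuff.c: it models a tvb with a used_in list (structure names and the frame/tcp/http/gunzip labels are constructed for the demo) and shows how a recursive chain free behaves on a well-formed chain versus one where the decompressed tvb has been registered under two parents, or where a list entry is NULL. A seen-set is consulted before any pointer is touched, so a double registration is reported as a duplicate instead of walking into freed memory, which is the kind of check that turns this crash into a diagnosable report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a tvbuff and its "used_in" list (NOT Ethereal's
 * tvbuff.c): a child tvb, e.g. the tvb holding a gunzipped entity, is
 * appended to the used_in list of the tvb it was derived from, and freeing
 * the frame's top-level tvb recursively releases everything reachable. */
typedef struct tvb_list tvb_list_t;
typedef struct model_tvb {
    const char *name;       /* demo label only */
    tvb_list_t *used_in;    /* tvbs derived from this one */
} model_tvb_t;

struct tvb_list {
    model_tvb_t *data;
    tvb_list_t  *next;
};

static model_tvb_t *tvb_new(const char *name)
{
    model_tvb_t *t = calloc(1, sizeof *t);
    if (t == NULL) abort();
    t->name = name;
    return t;
}

/* Append child to parent->used_in; child may be NULL to model a bad entry. */
static void tvb_add_used_in(model_tvb_t *parent, model_tvb_t *child)
{
    tvb_list_t *node = calloc(1, sizeof *node);
    if (node == NULL) abort();
    node->data = child;
    if (parent->used_in == NULL) { parent->used_in = node; return; }
    tvb_list_t *p = parent->used_in;
    while (p->next != NULL) p = p->next;
    p->next = node;
}

#define MAX_SEEN 64
typedef struct {
    uintptr_t seen[MAX_SEEN];   /* addresses already released; compared, never dereferenced */
    int n_seen;
    int freed;                  /* tvbs released exactly once */
    int null_refs;              /* NULL pointers found in a used_in list */
    int dup_refs;               /* a tvb reachable through two used_in entries */
} free_report_t;

/* Record an address; return 1 if it had already been recorded. */
static int seen_before(free_report_t *r, const void *p)
{
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < r->n_seen; i++)
        if (r->seen[i] == a) return 1;
    if (r->n_seen < MAX_SEEN) r->seen[r->n_seen++] = a;
    return 0;
}

/* Defensive chain free. The naive loop in the backtrace reads tvb->used_in
 * unconditionally, so a NULL or already-freed entry (0x0 / 0x1 in the
 * traces) is dereferenced and the process faults. Here every pointer is
 * checked first, and bad entries are counted instead of followed. */
static void tvb_free_chain_checked(model_tvb_t *tvb, free_report_t *r)
{
    if (tvb == NULL) { r->null_refs++; return; }
    if (seen_before(r, tvb)) { r->dup_refs++; return; }
    tvb_list_t *slist = tvb->used_in;
    while (slist != NULL) {
        tvb_list_t *next = slist->next;
        tvb_free_chain_checked(slist->data, r);   /* post-order, as in the trace */
        free(slist);
        slist = next;
    }
    r->freed++;
    free(tvb);
}

/* Well-formed chain: frame -> tcp payload -> http entity -> gunzipped entity. */
free_report_t demo_well_formed(void)
{
    model_tvb_t *frame = tvb_new("frame"), *tcp = tvb_new("tcp-payload");
    model_tvb_t *http = tvb_new("http-entity"), *gunz = tvb_new("gunzipped-entity");
    tvb_add_used_in(frame, tcp);
    tvb_add_used_in(tcp, http);
    tvb_add_used_in(http, gunz);
    free_report_t r = {0};
    tvb_free_chain_checked(frame, &r);
    return r;   /* freed == 4, null_refs == 0, dup_refs == 0 */
}

/* Mis-linked chain: the gunzipped tvb is registered under two parents (it
 * would be freed twice) and one used_in entry is NULL. */
free_report_t demo_mislinked(void)
{
    model_tvb_t *frame = tvb_new("frame"), *tcp = tvb_new("tcp-payload");
    model_tvb_t *http = tvb_new("http-entity"), *gunz = tvb_new("gunzipped-entity");
    tvb_add_used_in(frame, tcp);
    tvb_add_used_in(tcp, http);
    tvb_add_used_in(http, gunz);
    tvb_add_used_in(http, NULL);  /* constructed bad entry */
    tvb_add_used_in(tcp, gunz);   /* second registration of the same tvb */
    free_report_t r = {0};
    tvb_free_chain_checked(frame, &r);
    return r;   /* freed == 4, null_refs == 1, dup_refs == 1 */
}

int main(void)
{
    free_report_t a = demo_well_formed(), b = demo_mislinked();
    printf("well-formed: freed=%d null=%d dup=%d\n", a.freed, a.null_refs, a.dup_refs);
    printf("mis-linked:  freed=%d null=%d dup=%d\n", b.freed, b.null_refs, b.dup_refs);
    return 0;
}
```

The seen-set stores addresses as integers so that a pointer to memory that has already been released is only compared, never dereferenced; in a real dissector the same idea is usually cheaper to get from the allocator (ASan or a debug heap flags the second free) than from the walk itself, but the walk is where the comparison makes the duplicate registration visible.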