Hi,
My Ethereal build crashes at start-up on Windows 2000 (the debugger breaks in NTDLL; I call it a "core dump" below). The following information seems to indicate that the fault originates in the function proto_reg_handoff_asn1 (plugins\asn1\packet-asn1.c). Please correct me if I am wrong...
The stack trace:
---------------------------------------------------------
NTDLL! 77f813b1()
NTDLL! 77fb6972()
NTDLL!
77fb57a2()
NTDLL! 77fac49a()
ASN1! 024be497()
ASN1! 024bb2cd()
ASN1!
024bc22d()
register_all_plugin_handoffs() line 416 + 6
bytes
proto_init(const char * 0x00000000, void (void)* 0x00477d20
register_all_protocols, void (void)* 0x00477d26 register_all_protocol_handoffs)
line 270
epan_init(const char * 0x00000000, void (void)* 0x00477d20
register_all_protocols, void (void)* 0x00477d26 register_all_protocol_handoffs,
void (const char *, char *)* 0x00406990 failure_alert_box(const char *, char *),
void (const char *, int, int)* 0x004069a9 open_failure_alert_box(const char *,
int, int), void (const char *, int)* ...) line 64 + 17 bytes
main(int
0x00000001, char * * 0x01334d20) line 1633 + 32 bytes
WinMain(HINSTANCE__ *
0x00400000, HINSTANCE__ * 0x00000000, char * 0x001353d0, int 0x00000001) line
2588 + 23 bytes
ETHEREAL! WinMainCRTStartup + 308 bytes
KERNEL32!
7c581af6()
---------------------------------------------------------
It seems that the frame directly above "register_all_plugin_handoffs()" (namely ASN1!024bc22d) should be plugin_reg_handoff. If so, then the next frame up, "ASN1!024bb2cd" (note: 024bb2cd as printed in the stack trace, not 024bc2cd), should be the return address inside "proto_reg_handoff_asn1". So double-click "ASN1!024bb2cd" and look at the code around it:
024BB268  mov   eax,dword ptr [edx]
024BB26A  push  eax
024BB26B  push  24C98CCh              // the memory at 24C98CCh holds the string "sctp.port", so this should be the code at line 5090?
024BB270  call  dword ptr ds:[24D10ECh]
024BB276  add   esp,0Ch
024BB279  cmp   dword ptr [ebp-4],0
024BB27D  je    024BB28A
024BB27F  mov   ecx,dword ptr [ebp-4]
024BB282  mov   edx,dword ptr [ecx+4]
024BB285  mov   dword ptr [ebp-14h],edx
024BB288  jmp   024BB291
024BB28A  mov   dword ptr [ebp-14h],0
024BB291  mov   eax,dword ptr [ebp-14h]
024BB294  mov   dword ptr [ebp-4],eax
024BB297  jmp   024BB258
024BB299  mov   ecx,dword ptr ds:[24CCA10h]
024BB29F  push  ecx
024BB2A0  call  024BD316
024BB2A5  add   esp,4
024BB2A8  mov   edx,dword ptr ds:[24CC9FCh]
024BB2AE  push  edx
024BB2AF  call  024BD6C0
024BB2B4  add   esp,4
024BB2B7  add   eax,20h                // seems to be the code at line 5106? (len = result of the call above + 0x20)
024BB2BA  mov   dword ptr [ebp-8],eax
024BB2BD  mov   eax,dword ptr [ebp-8]
024BB2C0  push  eax                    // second argument: len
024BB2C1  mov   ecx,dword ptr ds:[24CC9FCh]
024BB2C7  push  ecx                    // first argument: current global_tcp_ports_asn1 pointer
024BB2C8  call  024BE216               // the crash is INSIDE this call: 024BB2CD (the next instruction) is the return address that shows up in the stack trace, so the fault is raised in the callee (presumably the realloc import thunk), not at this instruction
024BB2CD  add   esp,8
024BB2D0  mov   [024CC9FC],eax         // store realloc's result back into global_tcp_ports_asn1
024BB2D5  mov   edx,dword ptr [ebp-8]
024BB2D8  push  edx
024BB2D9  mov   eax,[024CC9FC]
024BB2DE  push  eax
024BB2DF  call  024BA92B
Therefore the crash happens during the realloc() call at line 5107:
global_tcp_ports_asn1 = realloc(global_tcp_ports_asn1, len);
Reading the stack dump below, the two arguments pushed for that call were the old pointer 0x01DFA2C8 and len = 0x23 (35 bytes).
I looked at the stack for function proto_reg_handoff_asn1 (its EBP is 0012FB18), and it appears like the following (one line per 16 bytes; annotations are my reading of it):
0012FAE8: 0012FB18 024BB2CD 01DFA2C8 00000023   <- callee frame: saved EBP, return address 024BB2CD, then realloc's arguments (old pointer 0x01DFA2C8, len 0x23)
0012FAF8: 00000004 01E0C908 02278450 0012FB18   <- locals of proto_reg_handoff_asn1 (EBP-20h .. EBP-14h)
0012FB08: 0248111F 0248E9E8 00000023 02278428   <- locals (EBP-10h .. EBP-4); 00000023 at EBP-8 matches len in the code above
0012FB18: 0012FB20 024BC22D 0012FB2C 004EB814   <- saved EBP, return address 024BC22D (plugin_reg_handoff), caller's arguments
Two things still confuse me. First, why proto_reg_handoff_asn1 reserves 0x20 bytes of locals (EBP = 0012FB18 while ESP was 0012FAF8 before the two arguments were pushed): the excerpt above only touches [ebp-4], [ebp-8] and [ebp-14h], i.e. at least 0x14 bytes, so the remainder is presumably other locals of the function that are not in this excerpt and/or the compiler rounding up the frame in this apparently unoptimized build (note the store to [ebp-8] immediately reloaded into eax); nothing about the frame itself looks wrong. Second, what causes realloc to fault. The four frames above ASN1 are all in NTDLL, which is consistent with the exception being raised inside the heap manager while resizing the block at 0x01DFA2C8 (I have not resolved the NTDLL symbols, so this is an inference). The usual reason for that is that the pointer was not obtained from the same heap that realloc() is now asked to resize: e.g. it was allocated with g_malloc(), or by the main executable's C runtime rather than the one the plugin DLL is linked against, or it has already been freed. Resizing a block owned by another heap corrupts heap metadata, so this is worth checking: how is global_tcp_ports_asn1 first allocated (it must come from the same allocator; a NULL pointer on the first call is fine for realloc), and is the plugin built with the same CRT as ethereal.exe?