Ethereal-dev: [Ethereal-dev] Crash in ethereal 0.10.8, somewhat reproducible

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Peter Johansson <Peter.Johansson@xxxxxxxxxxxx>
Date: Thu, 13 Jan 2005 22:59:51 +0100
I am running ethereal compiled from SVN as of 2005-01-12.
Three times in a row now I got a crash when capturing 1Mb/s traffic in ethereal's reassemble.c, line 730 (function fragment_add_work). The crash occurs in MSVCRT.dll (memcpy). The parameters supplied to memcpy seem reasonable; I am not familiar with what this function does, so I can only say this based on the input values to memcpy.

Therefore I have tried to assemble as much information as possible.

Call stack:
MSVCRT! 77c46fa3()
fragment_add_work(_fragment_data * 0x0738a3c0, tvbuff * 0x0746d950, int 20, _packet_info * 0x0539e870, unsigned int 2920, unsigned int 1460, int 0) line 730 + 51 bytes
fragment_add_common(tvbuff * 0x0746d950, int 20, _packet_info * 0x0539e870, unsigned int 95238, _GHashTable * 0x01d392d8, unsigned int 2920, unsigned int 1460, int 0, int 1) line 835 + 33 bytes
fragment_add(tvbuff * 0x0746d950, int 20, _packet_info * 0x0539e870, unsigned int 95238, _GHashTable * 0x01d392d8, unsigned int 2920, unsigned int 1460, int 0) line 854 + 39 bytes
desegment_tcp(tvbuff * 0x0746d950, _packet_info * 0x0539e870, int 20, unsigned int 503383, unsigned int 504843, unsigned int 6881, unsigned int 4516, _proto_node * 0x03795e10, _proto_node * 0x01dc70c8) line 1719 + 73 bytes
dissect_tcp_payload(tvbuff * 0x0746d950, _packet_info * 0x0539e870, int 20, unsigned int 503383, unsigned int 504843, unsigned int 6881, unsigned int 4516, _proto_node * 0x03795e10, _proto_node * 0x01dc70c8) line 2622 + 41 bytes
dissect_tcp(tvbuff * 0x0746d950, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 3054 + 69 bytes
call_dissector_through_handle(dissector_handle * 0x01c0d1e8, tvbuff * 0x0746d950, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 365 + 18 bytes
call_dissector_work(dissector_handle * 0x01c0d1e8, tvbuff * 0x0746d950, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 526 + 21 bytes
dissector_try_port(dissector_table * 0x01abc918, unsigned int 6, tvbuff * 0x0746d950, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 789 + 21 bytes
dissect_ip(tvbuff * 0x0746d91c, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 1098 + 33 bytes
call_dissector_through_handle(dissector_handle * 0x01abd258, tvbuff * 0x0746d91c, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 365 + 18 bytes
call_dissector_work(dissector_handle * 0x01abd258, tvbuff * 0x0746d91c, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 526 + 21 bytes
dissector_try_port(dissector_table * 0x01a8c008, unsigned int 2048, tvbuff * 0x0746d91c, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 789 + 21 bytes
ethertype(unsigned short 2048, tvbuff * 0x0746d8e8, int 14, _packet_info * 0x0539e870, _proto_node * 0x03795e10, _proto_node * 0x03795b70, int 4369, int 4371, int -1) line 183 + 34 bytes
dissect_eth_common(tvbuff * 0x0746d8e8, _packet_info * 0x0539e870, _proto_node * 0x03795e10, int -1) line 301 + 48 bytes
dissect_eth_maybefcs(tvbuff * 0x0746d8e8, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 395 + 26 bytes
call_dissector_through_handle(dissector_handle * 0x01bfc560, tvbuff * 0x0746d8e8, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 365 + 18 bytes
call_dissector_work(dissector_handle * 0x01bfc560, tvbuff * 0x0746d8e8, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 526 + 21 bytes
dissector_try_port(dissector_table * 0x01a99758, unsigned int 1, tvbuff * 0x0746d8e8, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 789 + 21 bytes
dissect_frame(tvbuff * 0x0746d8e8, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 186 + 34 bytes
call_dissector_through_handle(dissector_handle * 0x01aa4ff0, tvbuff * 0x0746d8e8, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 365 + 18 bytes
call_dissector_work(dissector_handle * 0x01aa4ff0, tvbuff * 0x0746d8e8, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 526 + 21 bytes
call_dissector(dissector_handle * 0x01aa4ff0, tvbuff * 0x0746d8e8, _packet_info * 0x0539e870, _proto_node * 0x03795e10) line 1627 + 21 bytes
dissect_packet(_epan_dissect_t * 0x0539e868, wtap_pseudo_header * 0x01d67f2c, const unsigned char * 0x01d8a5e0, _frame_data * 0x07321344, _column_info * 0x004e496c) line 313 + 32 bytes
epan_dissect_run(_epan_dissect_t * 0x0539e868, void * 0x01d67f2c, const unsigned char * 0x01d8a5e0, _frame_data * 0x07321344, _column_info * 0x004e496c) line 153 + 25 bytes
add_packet_to_packet_list(_frame_data * 0x07321344, _capture_file * 0x004d4840, wtap_pseudo_header * 0x01d67f2c, const unsigned char * 0x01d8a5e0, int 1) line 814 + 30 bytes
read_packet(_capture_file * 0x004d4840, long 52635152) line 960 + 23 bytes
cf_continue_tail(_capture_file * 0x004d4840, int 14, int * 0x0012f9fc) line 576 + 13 bytes
sync_pipe_input_cb(int 4, void * 0x004d4840) line 625 + 17 bytes
pipe_timer_cb(void * 0x004cc6b8 pipe_input) line 652 + 19 bytes
LIBGLIB-2.0-0! 00339913()
LIBGLIB-2.0-0! 00337738()
LIBGLIB-2.0-0! 00338391()
LIBGLIB-2.0-0! 00338692()
LIBGLIB-2.0-0! 00338d07()
LIBGTK-WIN32-2.0-0! 0112e76d()
main(int 0, char * * 0x014144dc) line 2563
WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00000000, char * 0x00142389, int 10) line 2603 + 23 bytes
ETHEREAL-GTK2! WinMainCRTStartup + 308 bytes
KERNEL32! 7c816d4f()

These were the register contents at the time of the crash:
EAX = 073E3208 EBX = 073892E0 ECX = 00000082 EDX = 00000000
ESI = 073E3000 EDI = 0738C970
EIP = 77C46FA3 ESP = 0012DF04 EBP = 0012DF0C EFL = 00200206
MM0 = 0000000000000000 MM1 = 0000000000000000 MM2 = 0000000000000000
MM3 = 00A1C3B000000021 MM4 = A224400000000000 MM5 = 9F20000000000000
MM6 = B4FD62BD6F9C4000 MM7 = E180000000000000
XMM0 = 7C9106EB7C91159600000FA0FFFFFFFF
XMM1 = 1030F75800000000000000886D3E2B27
XMM2 = 7C910732FFFFFFFF0F0A4BA800000024
XMM3 = 00000018000000007C9106EB7C9106AB
XMM4 = 00000006000000001030F7580F0A4BA8
XMM5 = 003501787C809C38000000000F041690
XMM6 = 00000150000000010ACAFC400F041690
XMM7 = 6D3DE8381030F4D8000000006D34207C
CS = 001B DS = 0023 ES = 0023 SS = 0023 FS = 003B GS = 0000 OV=0 UP=0
EI=1 PL=0 ZR=0 AC=0 PE=1 CY=0
XMM0DL = +8,49010515965156E-311 XMM0DH = +1,06197607196717E+292
XMM1DL = +2,89496946552934E-312 XMM1DH = +1,09281731450195E-230
XMM2DL = +3,23054189771701E-236 XMM2DH = +1,06204413062421E+292
XMM3DL = +1,06197607196632E+292 XMM3DH = +5,09278989831665E-313
XMM4DL = +1,09281737224471E-230 XMM4DH = +1,27319747457916E-313
XMM5DL = +1,24468060944705E-315 XMM5DH = +1,16848333668564E-307
XMM6DL = +1,12326390140348E-256 XMM6DH = +7,12990585764826E-312
XMM7DL = +9,05193841502467E-315 XMM7DH = +1,64957193898168E+218
XMM00 = -1,#QNANE+000 XMM01 = +5,60519E-042 XMM02 = +6,02657E+036
XMM03 = +6,02419E+036
XMM10 = +3,67839E+027 XMM11 = +1,90577E-043 XMM12 = +0,00000E+000
XMM13 = +3,49004E-029
XMM20 = +5,04467E-044 XMM21 = +6,81850E-030 XMM22 = -1,#QNANE+000
XMM23 = +6,02423E+036
XMM30 = +6,02415E+036 XMM31 = +6,02419E+036 XMM32 = +0,00000E+000
XMM33 = +3,36312E-044
XMM40 = +6,81850E-030 XMM41 = +3,49004E-029 XMM42 = +0,00000E+000
XMM43 = +8,40779E-045
XMM50 = +6,51245E-030 XMM51 = +0,00000E+000 XMM52 = +5,34226E+036
XMM53 = +4,86781E-039
XMM60 = +6,51245E-030 XMM61 = +1,95468E-032 XMM62 = +1,40130E-045
XMM63 = +4,70836E-043
XMM70 = +3,48416E+027 XMM71 = +0,00000E+000 XMM72 = +3,48985E-029
XMM73 = +3,67334E+027 MXCSR = 00001F80
ST0 = +0.00000000000000000e+0000 ST1 = +0.00000000000000000e+0000
ST2 = +0.00000000000000000e+0000 ST3 = +0.00000000000000000e+0000
ST4 = +1.32826400000000000e+0006 ST5 = +1.27300000000000000e+0003
ST6 = +1.76747839748625291e-0001 ST7 = +2.25500000000000000e+0002
CTRL = 027F STAT = 0120 TAGS = FFFF EIP = 0115BA59
CS = 001B DS = 0023 EDO = 01CFAB70

The crash in memcpy (MSVCRT.dll) was detected at 77C46FA3 (as can be seen in the registers above).
77C46F70   push        ebp
77C46F71   mov         ebp,esp
77C46F73   push        edi
77C46F74   push        esi
77C46F75   mov         esi,dword ptr [ebp+0Ch]
77C46F78   mov         ecx,dword ptr [ebp+10h]
77C46F7B   mov         edi,dword ptr [ebp+8]
77C46F7E   mov         eax,ecx
77C46F80   mov         edx,ecx
77C46F82   add         eax,esi
77C46F84   cmp         edi,esi
77C46F86   jbe         77C46F90
77C46F88   cmp         edi,eax
77C46F8A   jb          77C47108
77C46F90   test        edi,3
77C46F96   jne         77C46FAC
77C46F98   shr         ecx,2
77C46F9B   and         edx,3
77C46F9E   cmp         ecx,8
77C46FA1   jb          77C46FCC
77C46FA3   rep movs    dword ptr [edi],dword ptr [esi]

The source in question where the crash has occurred (same location every time, and the same size was about to be copied) is lines 728-730:
           if( fd_i->offset+fd_i->len > dfpos )
               memcpy(fd_head->data+dfpos, fd_i->data+(dfpos-fd_i->offset),
                   fd_i->len-(dfpos-fd_i->offset));

fd_i = 0x0738a400
fd_i->offset = 1460
fd_i->len = 1460
fd_i->data = 0x073e2c54
dfpos = 1460
fd_head = 0x0738a3c0
fd_head->data = 0x0738c010

hence:
           if( 1460+1460 > 1460 )
               memcpy(0x0738c5c4, 0x073e2c54, 1460);

I don't really know what to do with this.

/ Peter
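The arithmetic behind the quoted memcpy, worked through as an added example that is neither part of Peter's post nor Ethereal's own reassemble.c. It models the fragment list with only the fields the snippet names (offset, len, data); the datalen field on the head, the list layout and the helper names are assumptions. With two 1460-byte segments it reproduces the values from the post (destination offset 1460, source offset 0, length 1460) and then shows the check a defender would want in front of such a copy: both ends of the source range must lie inside the fragment and both ends of the destination range inside the reassembly buffer, so an undersized buffer or an inconsistent fragment is refused instead of reaching memcpy. The post itself does not establish why memcpy faulted, and this example does not claim to; it only makes the precondition explicit and testable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cut-down model of the fragment list fragment_add_work walks (assumed
 * layout; field names offset/len/data follow the snippet in the report). */
typedef struct frag {
    uint32_t     offset;   /* where this fragment's bytes start in the reassembled PDU */
    uint32_t     len;      /* bytes carried by this fragment */
    uint8_t     *data;     /* the fragment's payload */
    struct frag *next;
} frag_t;

typedef struct {
    uint32_t datalen;      /* size of the reassembly buffer 'data' (assumed field) */
    uint8_t *data;
    frag_t  *next;         /* fragments sorted by offset */
} frag_head_t;

/* The three values the quoted memcpy is called with, plus a verdict. */
typedef struct {
    uint32_t dst_off;      /* fd_head->data + dst_off  (dst_off == dfpos) */
    uint32_t src_off;      /* fd_i->data + src_off     (dfpos - fd_i->offset) */
    uint32_t n;            /* fd_i->len - (dfpos - fd_i->offset) */
    int      ok;           /* 1 when the copy lies inside both buffers */
} copy_plan_t;

/* Same arithmetic as reassemble.c lines 728-730, but computed first and
 * checked against both buffer sizes before any memcpy is issued. */
copy_plan_t plan_copy(const frag_head_t *head, const frag_t *fd_i, uint32_t dfpos)
{
    copy_plan_t p = { 0, 0, 0, 0 };

    if (fd_i->offset > dfpos)               /* hole before this fragment: the   */
        return p;                           /* quoted expression assumes none   */
    if (fd_i->offset + fd_i->len <= dfpos) { /* already fully covered: the 'if' */
        p.ok = 1;                           /* at line 728 skips the copy       */
        return p;
    }
    p.dst_off = dfpos;
    p.src_off = dfpos - fd_i->offset;
    p.n       = fd_i->len - p.src_off;
    /* source end inside the fragment, destination end inside the buffer */
    if (p.src_off + p.n <= fd_i->len && p.dst_off + p.n <= head->datalen)
        p.ok = 1;
    return p;
}

/* Walks the list the way the loop around line 730 does; returns bytes
 * assembled, or -1 as soon as a fragment would not fit, instead of faulting. */
long reassemble(frag_head_t *head)
{
    uint32_t dfpos = 0;
    for (const frag_t *fd_i = head->next; fd_i; fd_i = fd_i->next) {
        copy_plan_t p = plan_copy(head, fd_i, dfpos);
        if (!p.ok)
            return -1;
        if (p.n) {
            memcpy(head->data + p.dst_off, fd_i->data + p.src_off, p.n);
            dfpos = p.dst_off + p.n;
        }
    }
    return (long)dfpos;
}

/* Constructed input mirroring the report: two 1460-byte TCP segments at
 * offsets 0 and 1460, reassembled into a 2920-byte buffer. */
static uint8_t seg0[1460], seg1[1460], out[2920];
static frag_t  f1 = { 1460, 1460, seg1, NULL };
static frag_t  f0 = { 0,    1460, seg0, &f1 };

static frag_head_t make_head(uint32_t datalen)
{
    frag_head_t h = { datalen, out, &f0 };
    memset(seg0, 0xAA, sizeof seg0);
    memset(seg1, 0xBB, sizeof seg1);
    return h;
}

/* The plan for the second segment at dfpos == 1460, as in the report. */
copy_plan_t report_case_plan(void)
{
    frag_head_t h = make_head(2920);
    return plan_copy(&h, &f1, 1460);
}

/* Both segments copied; the buffer holds seg0 followed by seg1. */
long full_case(void)
{
    frag_head_t h = make_head(2920);
    long n = reassemble(&h);
    return (n == 2920 && out[0] == 0xAA && out[2919] == 0xBB) ? n : -2;
}

/* Same fragments, but a reassembly buffer shorter than the data: refused. */
long undersized_buffer_case(void)
{
    frag_head_t h = make_head(2000);
    return reassemble(&h);
}

/* A fragment overlapping 460 bytes already written: only its tail is copied. */
copy_plan_t overlap_case_plan(void)
{
    frag_head_t h = make_head(2920);
    frag_t ov = { 1000, 1460, seg1, NULL };
    return plan_copy(&h, &ov, 1460);
}

int main(void)
{
    copy_plan_t p = report_case_plan();
    printf("dst +%u  src +%u  n %u  ok %d\n", p.dst_off, p.src_off, p.n, p.ok);
    printf("full: %ld  undersized: %ld\n", full_case(), undersized_buffer_case());
    return 0;
}
```

The report-case plan is exactly the call Peter wrote out by hand (0x0738c010 + 1460 = 0x0738c5c4 as destination, the fragment's own data as source, 1460 bytes), which is why the arguments look reasonable in isolation: whether they are safe depends on how large fd_head->data really is and whether fd_i->data is still valid, neither of which the memcpy arguments reveal. Keeping the precondition as a separate, testable step is what lets a reassembly bug fail with a clear error rather than in the C runtime.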