Wireshark-bugs: [Wireshark-bugs] [Bug 1077] New: Bad array initialisation leads to a crash
Date: Tue, 29 Aug 2006 12:01:51 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1077

           Summary: Bad array initialisation leads to a crash
           Product: Wireshark
           Version: SVN
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: florent.drouin@xxxxxxxxxx


Wireshark (SVN19047) crashed while loading a file with Camel messages.
Here is the core dump:

<<
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library
"/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) run
Starting program: /home/etherdev/wireshark_TCAP_SVN19047/.libs/lt-wireshark 
[Thread debugging using libthread_db enabled]
[New Thread -1238153536 (LWP 7388)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1238153536 (LWP 7388)]
0xb64995b0 in strncpy () from /lib/tls/i686/cmov/libc.so.6
(gdb) where
#0  0xb64995b0 in strncpy () from /lib/tls/i686/cmov/libc.so.6
#1  0xb6fe627f in col_do_append_sep_va_fstr (cinfo=0x8182bd8, el=<value
optimized out>, separator=0x0, 
    format=0xb795b0af " %s", ap=0xbfeff3dc "#@h#L") at column-utils.c:291
#2  0xb6fe6352 in col_append_fstr (cinfo=0x87389d8, el=141789655, format=0x0)
at column-utils.c:317
#3  0xb706bbdf in dissect_alcap (tvb=0x88cc678, pinfo=0xbf27308, tree=0x0) at
packet-alcap.c:1430
#4  0xb6ff5aae in call_dissector_through_handle (handle=0x86c4780,
tvb=0x88cc678, pinfo=0xbf27308, tree=0x0)
    at packet.c:387
#5  0xb6ff5c02 in call_dissector_work (handle=0x86c4780, tvb=0x88cc678,
pinfo_arg=<value optimized out>, tree=0x0)
    at packet.c:562
#6  0xb6ff689f in dissector_try_port (sub_dissectors=0x87389d8, port=12,
tvb=0x88cc678, pinfo=0xbf27308, tree=0x87389d8)
    at packet.c:837
#7  0xb73757fb in dissect_mtp3 (tvb=0x8890ab8, pinfo=0xbf27308, tree=0x0) at
packet-mtp3.c:588
#8  0xb6ff5aae in call_dissector_through_handle (handle=0x84cf0e8,
tvb=0x8890ab8, pinfo=0xbf27308, tree=0x0)
    at packet.c:387
#9  0xb6ff5c02 in call_dissector_work (handle=0x84cf0e8, tvb=0x8890ab8,
pinfo_arg=<value optimized out>, tree=0x0)
    at packet.c:562
#10 0xb6ff6050 in call_dissector (handle=0x87389d8, tvb=0x8890ab8,
pinfo=0xbf27308, tree=0x0) at packet.c:1706
#11 0xb7374711 in dissect_mtp2 (tvb=0x88a1da0, pinfo=0xbf27308, tree=0x0) at
packet-mtp2.c:186
#12 0xb6ff5aae in call_dissector_through_handle (handle=0x84cf0d0,
tvb=0x88a1da0, pinfo=0xbf27308, tree=0x0)
    at packet.c:387
#13 0xb6ff5c02 in call_dissector_work (handle=0x84cf0d0, tvb=0x88a1da0,
pinfo_arg=<value optimized out>, tree=0x0)
    at packet.c:562
#14 0xb6ff6050 in call_dissector (handle=0x87389d8, tvb=0x88a1da0,
pinfo=0xbf27308, tree=0x0) at packet.c:1706
#15 0xb7322d02 in dissect_k12 (tvb=0x88a1da0, pinfo=0xbf27308, tree=0x0) at
packet-k12.c:125
#16 0xb6ff5aae in call_dissector_through_handle (handle=0x84a94f0,
tvb=0x88a1da0, pinfo=0xbf27308, tree=0x0)
    at packet.c:387
#17 0xb6ff5c02 in call_dissector_work (handle=0x84a94f0, tvb=0x88a1da0,
pinfo_arg=<value optimized out>, tree=0x0)
    at packet.c:562
#18 0xb6ff689f in dissector_try_port (sub_dissectors=0x87389d8, port=80,
tvb=0x88a1da0, pinfo=0xbf27308, tree=0x87389d8)
    at packet.c:837
#19 0xb722f7c1 in dissect_frame (tvb=0x88a1da0, pinfo=0xbf27308,
parent_tree=0x0) at packet-frame.c:286
#20 0xb6ff5aae in call_dissector_through_handle (handle=0x8444570,
tvb=0x88a1da0, pinfo=0xbf27308, tree=0x0)
    at packet.c:387
#21 0xb6ff5c02 in call_dissector_work (handle=0x8444570, tvb=0x88a1da0,
pinfo_arg=<value optimized out>, tree=0x0)
---Type <return> to continue, or q <return> to quit---q
 at pacQuit
(gdb) quit
The program is running.  Exit anyway? (y or n) y
etherdev@baobab:~/wireshark_TCAP_SVN19047$ gdb ./.libs/lt-wireshark 
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library
"/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) run
Starting program: /home/etherdev/wireshark_TCAP_SVN19047/.libs/lt-wireshark 
[Thread debugging using libthread_db enabled]
[New Thread -1237236032 (LWP 7394)]


Program received signal SIGINT, Interrupt.
[Switching to Thread -1237236032 (LWP 7394)]
0xb65716b0 in malloc_usable_size () from /lib/tls/i686/cmov/libc.so.6
(gdb) 
etherdev@baobab:~/wireshark_TCAP_SVN19047$ 
>>


After analysis, it seems that the trace file contains corrupted frames.
These frames are decoded as "Alcap", and the display of the COL_INFO corrupts
the column buffer.
So, at the next message display, a crash occurred.
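As an added illustration of the pattern the analysis above describes (this is not code from Wireshark's packet-alcap.c or from the report): a hypothetical message-type name table with one entry left unset, indexed by a value read from the frame, beside a guarded lookup that keeps a NULL or out-of-range pointer away from the " %s" conversion the column code performs. The table, its names and the function names are assumptions.

```c
/* Added illustration, not Wireshark's packet-alcap.c: a string table indexed
 * by a packet-derived value, with one entry left unset, and the guarded
 * lookup that prevents a NULL/garbage pointer from reaching a "%s" format. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message-type names. The designated initialisers skip index 2,
 * so msg_names[2] is NULL: the "bad array initialisation" pattern. */
#define MSG_NAME_COUNT 5
static const char *const msg_names[MSG_NAME_COUNT] = {
    [0] = "Unknown",
    [1] = "Block",
    [3] = "Establish",
    [4] = "Release",
};

/* Unsafe: trusts both the packet-derived index and the table contents.
 * An index past the table reads out of bounds, and a gap returns NULL;
 * either way the caller's "%s" conversion (the strncpy inside the column
 * code in the backtrace) walks off a bad pointer. */
const char *msg_name_unsafe(unsigned msg_type)
{
    return msg_names[msg_type];
}

/* Hardened: bounds-check the index and substitute a fallback on a gap.
 * Every return value is a valid, NUL-terminated string. */
const char *msg_name_safe(unsigned msg_type)
{
    if (msg_type >= MSG_NAME_COUNT || msg_names[msg_type] == NULL)
        return "Unknown";
    return msg_names[msg_type];
}

/* Builds the Info-column text the way a dissector would append it, using the
 * safe lookup and a bounded buffer. Returns the number of characters written,
 * or 0 if the text would not fit. */
int format_info_column(char *buf, size_t buflen, unsigned msg_type)
{
    int n = snprintf(buf, buflen, " %s", msg_name_safe(msg_type));
    if (n < 0 || (size_t)n >= buflen)
        return 0;
    return n;
}
```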

