Wireshark-bugs: [Wireshark-bugs] [Bug 1133] New: Crash in packet-xot.c: 126
Date: Fri, 29 Sep 2006 11:51:00 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1133

           Summary: Crash in packet-xot.c: 126
           Product: Wireshark
           Version: SVN
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: florent.drouin@xxxxxxxxxx


Build Information:
--
--
We are using a monitoring tool that uses port 1998 on our server to analyze
performance, and are capturing the IP traffic with Wireshark.

During the capture, there was the following crash: 

<<
GNU DDD 3.3.11 (i486-pc-linux-gnu), by Dorothea Lütkehaus and Andreas Zeller.
Copyright © 1995-1999 Technische Universität Braunschweig, Germany.
Copyright © 1999-2001 Universität Passau, Germany.
Copyright © 2001 Universität des Saarlandes, Germany.
Copyright © 2001-2004 Free Software Foundation, Inc.
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) run
[Thread debugging using libthread_db enabled]
[New Thread -1238042944 (LWP 22429)]

GLib-ERROR **: gmem.c:135: failed to allocate 3081262428 bytes
aborting...

Program received signal SIGABRT, Aborted.
[Switching to Thread -1238042944 (LWP 22429)]
0xffffe410 in __kernel_vsyscall ()
(gdb) where
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb64729a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb64742b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb6696006 in g_logv () from /usr/lib/libglib-2.0.so.0
#4  0xb669603a in g_log () from /usr/lib/libglib-2.0.so.0
#5  0xb6695080 in g_malloc () from /usr/lib/libglib-2.0.so.0
#6  0xb66a3ba5 in g_slice_alloc () from /usr/lib/libglib-2.0.so.0
#7  0xb66949d9 in g_mem_chunk_alloc () from /usr/lib/libglib-2.0.so.0
#8  0xb70470af in tvb_new (type=TVBUFF_SUBSET) at tvbuff.c:127
#9  0xb7047da4 in tvb_new_subset (backing=0x8888058, backing_offset=0,
backing_length=0, reported_length=0) at tvbuff.c:491
#10 0xb75820dd in tcp_dissect_pdus (tvb=0x8888058, pinfo=0x88a4498, tree=0x0,
proto_desegment=1, fixed_len=4, get_pdu_len=0xb7652fc0 <get_xot_pdu_len>,
dissect_pdu=0xb7652ff3 <dissect_xot_pdu>) at packet-tcp.c:1530
#11 0xb7653278 in dissect_xot (tvb=0x8888058, pinfo=0x0, tree=0x0) at
packet-xot.c:126
#12 0xb7021ac2 in call_dissector_through_handle (handle=0x8715938,
tvb=0x8888058, pinfo=0x88a4498, tree=0x0) at packet.c:389
#13 0xb7021c37 in call_dissector_work (handle=0x8715938, tvb=0x8888058,
pinfo_arg=<value optimized out>, tree=0x0) at packet.c:566
#14 0xb70228d2 in dissector_try_port (sub_dissectors=0x0, port=1998,
tvb=0x8888058, pinfo=0x88a4498, tree=0x0) at packet.c:841
#15 0xb7582daa in decode_tcp_ports (tvb=0x0, offset=0, pinfo=0x88a4498,
tree=0x0, src_port=9502, dst_port=1998, tcpd=0xb4229878) at packet-tcp.c:1901
#16 0xb7583036 in process_tcp_payload (tvb=0x8888020, offset=20,
pinfo=0x88a4498, tree=0x0, tcp_tree=0x0, src_port=9502, dst_port=1998,
seq=1461, nxtseq=2921, is_tcp_segment=1, tcpd=0xb4229878) at packet-tcp.c:1960
#17 0xb75835da in dissect_tcp_payload (tvb=0x8888020, pinfo=0x88a4498,
offset=<value optimized out>, seq=1461, nxtseq=2921, sport=9502, dport=1998,
tree=0x0, tcp_tree=0x0, tcpd=0xb4229878) at packet-tcp.c:2036
#18 0xb7584ce1 in dissect_tcp (tvb=0x8888020, pinfo=0x88a4498, tree=0x0) at
packet-tcp.c:2555
#19 0xb7021ae3 in call_dissector_through_handle (handle=0x8709e30,
tvb=0x8888020, pinfo=0x88a4498, tree=0x0) at packet.c:391
#20 0xb7021c37 in call_dissector_work (handle=0x8709e30, tvb=0x8888020,
pinfo_arg=<value optimized out>, tree=0x0) at packet.c:566
#21 0xb70228d2 in dissector_try_port (sub_dissectors=0x0, port=6,
tvb=0x8888020, pinfo=0x88a4498, tree=0x0) at packet.c:841
#22 0xb7321ead in dissect_ip (tvb=0x88459a8, pinfo=0x88a4498, parent_tree=0x0)
at packet-ip.c:1187
#23 0xb7021ae3 in call_dissector_through_handle (handle=0x848edc0,
tvb=0x88459a8, pinfo=0x88a4498, tree=0x0) at packet.c:391
#24 0xb7021c37 in call_dissector_work (handle=0x848edc0, tvb=0x88459a8,
pinfo_arg=<value optimized out>, tree=0x0) at packet.c:566
#25 0xb70228d2 in dissector_try_port (sub_dissectors=0x0, port=2048,
tvb=0x88459a8, pinfo=0x88a4498, tree=0x0) at packet.c:841
#26 0xb7244a86 in ethertype (etype=2048, tvb=0x8845970, offset_after_etype=14,
pinfo=0x88a4498, tree=0x0, fh_tree=0x0, etype_id=0, trailer_id=9697,
fcs_len=-1) at packet-ethertype.c:197
#27 0xb724191b in dissect_eth_common (tvb=0x8845970, pinfo=0x88a4498,
parent_tree=0x0, fcs_len=-1) at packet-eth.c:344
#28 0xb7021ae3 in call_dissector_through_handle (handle=0x86f40b8,
tvb=0x8845970, pinfo=0x88a4498, tree=0x0) at packet.c:391
#29 0xb7021c37 in call_dissector_work (handle=0x86f40b8, tvb=0x8845970,
pinfo_arg=<value optimized out>, tree=0x0) at packet.c:566
#30 0xb70228d2 in dissector_try_port (sub_dissectors=0x0, port=1,
tvb=0x8845970, pinfo=0x88a4498, tree=0x0) at packet.c:841
#31 0xb726cba1 in dissect_frame (tvb=0x8845970, pinfo=0x88a4498,
parent_tree=0x0) at packet-frame.c:286
#32 0xb7021ae3 in call_dissector_through_handle (handle=0x844f6c8,
tvb=0x8845970, pinfo=0x88a4498, tree=0x0) at packet.c:391
#33 0xb7021c37 in call_dissector_work (handle=0x844f6c8, tvb=0x8845970,
pinfo_arg=<value optimized out>, tree=0x0) at packet.c:566
#34 0xb7022083 in call_dissector (handle=0x0, tvb=0x8845970, pinfo=0x88a4498,
tree=0x0) at packet.c:1710
#35 0xb702251f in dissect_packet (edt=0x88a4490, pseudo_header=0x0,
pd=0x88f17a0 "", fd=0x886c778, cinfo=0x8183c98) at packet.c:330
#36 0xb701d5ec in epan_dissect_run (edt=0x0, pseudo_header=0x0, data=0x0,
fd=0x0, cinfo=0x0) at epan.c:187
#37 0x08069b02 in add_packet_to_packet_list (fdata=0x886c778, cf=0x8173b80,
pseudo_header=0x887aadc, buf=0x0, refilter=1) at file.c:825
#38 0x08069e37 in read_packet (cf=0x8173b80, offset=5134) at file.c:949
#39 0x0806a1b4 in cf_read (cf=0x8173b80) at file.c:457
#40 0x08082278 in menu_open_recent_file_cmd (w=0x88210e0) at menu.c:1315
#41 0xb670e423 in g_cclosure_marshal_VOID__VOID () from
/usr/lib/libgobject-2.0.so.0
#42 0xb670279f in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#43 0xb67112ea in g_signal_stop_emission () from /usr/lib/libgobject-2.0.so.0
#44 0xb6712b19 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#45 0xb6712e89 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#46 0xb6bcdbed in gtk_widget_activate () from /usr/lib/libgtk-x11-2.0.so.0
#47 0xb6afa54f in gtk_menu_shell_activate_item () from
/usr/lib/libgtk-x11-2.0.so.0
#48 0xb6afa821 in gtk_menu_shell_activate_item () from
/usr/lib/libgtk-x11-2.0.so.0
#49 0xb6af0fd4 in gtk_menu_reorder_child () from /usr/lib/libgtk-x11-2.0.so.0
#50 0xb6aeb8e0 in _gtk_marshal_BOOLEAN__BOXED () from
/usr/lib/libgtk-x11-2.0.so.0
#51 0xb670216f in g_cclosure_new_swap () from /usr/lib/libgobject-2.0.so.0
#52 0xb670279f in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#53 0xb67119ce in g_signal_stop_emission () from /usr/lib/libgobject-2.0.so.0
#54 0xb6712886 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#55 0xb6712e89 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#56 0xb6bcddcf in gtk_widget_activate () from /usr/lib/libgtk-x11-2.0.so.0
#57 0xb6aea05d in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#58 0xb6aea46b in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#59 0xb698ddec in _gdk_events_queue () from /usr/lib/libgdk-x11-2.0.so.0
#60 0xb668d8d6 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#61 0xb6690996 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#62 0xb6690cb8 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#63 0xb6ae9765 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#64 0x0808109b in main (argc=0, argv=0xbf976908) at main.c:2913
(gdb) 
>>

The monitoring tool's traffic is decoded by Wireshark as X25 over TCP; this led
to a crash, due to a lack of defense.
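
The report attributes the crash to another tool's port-1998 traffic being handed to the X.25-over-TCP (XOT) dissector without validation. As an added illustration (not part of the original report, not Wireshark's code and not the fix applied to this bug), the standalone C below checks the 4-byte XOT header of RFC 1613 before its length field is trusted. The function names, the X25_MAX_LEN cap and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define XOT_HEADER_LEN 4          /* 2-byte version + 2-byte length (RFC 1613) */
#define XOT_VERSION    0          /* the only version RFC 1613 defines */
#define X25_MIN_LEN    3          /* GFI/LCGN, LCN and packet-type octets */
#define X25_MAX_LEN    (4096 + 7) /* assumption: cap chosen for this example */

typedef enum { XOT_OK, XOT_NEED_MORE, XOT_NOT_XOT } xot_status;
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate one XOT header; on XOT_OK, *pdu_len is header + X.25 packet length. */
xot_status xot_check_header(const uint8_t *buf, size_t avail, size_t *pdu_len)
{
    if (avail < XOT_HEADER_LEN) return XOT_NEED_MORE;  /* read nothing yet */
    if (be16(buf) != XOT_VERSION) return XOT_NOT_XOT;  /* other protocol on 1998 */
    uint16_t x25_len = be16(buf + 2);
    if (x25_len < X25_MIN_LEN || x25_len > X25_MAX_LEN) return XOT_NOT_XOT;
    *pdu_len = (size_t)XOT_HEADER_LEN + x25_len;
    return XOT_OK;
}

/* Count complete PDUs in a TCP payload; -1 if any header fails validation.
 * Every accepted PDU is at least 7 bytes, so the loop always advances. */
int xot_count_pdus(const uint8_t *buf, size_t len)
{
    int n = 0;
    size_t off = 0, pdu_len = 0;
    while (off < len) {
        xot_status st = xot_check_header(buf + off, len - off, &pdu_len);
        if (st == XOT_NOT_XOT) return -1;
        if (st == XOT_NEED_MORE || pdu_len > len - off) break; /* partial tail */
        off += pdu_len;
        n++;
    }
    return n;
}

/* Constructed sample payloads (not taken from the reported capture). */
static const uint8_t two_pdus[] = { 0,0,0,3, 0x10,0x01,0xFB, 0,0,0,5, 0x10,0x01,0x0B,0,0 };
static const uint8_t other_tool[] = { 'S','T','A','T',' ','c','p','u','=','4','2','\n' };
static const uint8_t zero_len[] = { 0,0,0,0, 0,0,0,0 };

int main(void)
{
    printf("xot=%d other=%d zero=%d\n", xot_count_pdus(two_pdus, sizeof two_pdus),
           xot_count_pdus(other_tool, sizeof other_tool), xot_count_pdus(zero_len, sizeof zero_len));
    return 0;
}
```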

