Wireshark-bugs: [Wireshark-bugs] [Bug 1416] New: crash (stack smashing) on single DHCP packet
Date: Mon, 5 Mar 2007 09:38:24 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1416

           Summary: crash (stack smashing) on single DHCP packet
           Product: Wireshark
           Version: SVN
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Critical
          Priority: High
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: thomas.anders@xxxxxxxxxxxxx


Build Information:
TShark 0.99.6 (SVN Rev 20973)

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.12.4, with libpcap 0.9.4, with libz 1.2.3, with libpcre
6.7, with Net-SNMP 5.4, without ADNS, without Lua, with GnuTLS 1.4.4, with
Gcrypt 1.2.3, without Kerberos.

Running on Linux 2.6.18.2-34-default, with libpcap version 0.9.4.

Built using gcc 4.1.2 20061115 (prerelease) (SUSE Linux).

--
The attached DHCP-over-DOCSIS capture file (isolated single frame) crashes both
the latest SVN build and earlier versions (0.99.4 at least).

In order to reproduce, enable the DOCSIS plugin and run "wireshark -o
frame.force_docsis_encap:TRUE ...".

Here's the gdb backtrace:

#0  0xb7f1f410 in ?? ()
#1  0xbf843ae4 in ?? ()
#2  0x00000006 in ?? ()
#3  0x00000c6f in ?? ()
#4  0xb5e22060 in raise () from /lib/libc.so.6
#5  0xb5e23801 in abort () from /lib/libc.so.6
#6  0xb5e57abb in __libc_message () from /lib/libc.so.6
#7  0xb5ecbd11 in __stack_chk_fail () from /lib/libc.so.6
#8  0xb75d7114 in __stack_chk_fail_local ()
   from /bc/wireshark-svn/lib/libwireshark.so.0
#9  0xb6f2ba3b in bootp_option (tvb=0x887d570, bp_tree=0x89078f0, voff=254,
    eoff=485, first_pass=0, at_end=0xbf844404, dhcp_type_p=0xbf844400,
    vendor_class_id_p=0xbf8443fc) at packet-bootp.c:1454
#10 0xb6f2ed21 in dissect_bootp (tvb=0x887d570, pinfo=0x88d8590,
    tree=0x89079c8) at packet-bootp.c:3226
#11 0xb6e22496 in call_dissector_through_handle (handle=0x85f2fc8,
    tvb=0x887d570, pinfo=0x88d8590, tree=0x89079c8) at packet.c:392
#12 0xb6e227f5 in call_dissector_work (handle=0x85f2fc8, tvb=0x887d570,
    pinfo_arg=<value optimized out>, tree=0x89079c8) at packet.c:570
#13 0xb6e232da in dissector_try_port (sub_dissectors=0x8589a70, port=67,
    tvb=0x887d570, pinfo=0x88d8590, tree=0x89079c8) at packet.c:845
#14 0xb74de46a in decode_udp_ports (tvb=0x887d600, offset=8, pinfo=0x88d8590,
    tree=0x89079c8, uh_sport=68, uh_dport=67, uh_ulen=493) at packet-udp.c:152
#15 0xb74deaa8 in dissect (tvb=0x887d600, pinfo=0x88d8590, tree=0x89079c8,
    ip_proto=1114112) at packet-udp.c:415
#16 0xb6e22496 in call_dissector_through_handle (handle=0x86b72d0,
    tvb=0x887d600, pinfo=0x88d8590, tree=0x89079c8) at packet.c:392
#17 0xb6e227f5 in call_dissector_work (handle=0x86b72d0, tvb=0x887d600,
    pinfo_arg=<value optimized out>, tree=0x89079c8) at packet.c:570
#18 0xb6e232da in dissector_try_port (sub_dissectors=0x83a4ff8, port=17,
    tvb=0x887d600, pinfo=0x88d8590, tree=0x89079c8) at packet.c:845
#19 0xb71ef557 in dissect_ip (tvb=0x887d670, pinfo=0x88d8590,
    parent_tree=0x89079c8) at packet-ip.c:1463
#20 0xb6e22496 in call_dissector_through_handle (handle=0x83adae8,
    tvb=0x887d670, pinfo=0x88d8590, tree=0x89079c8) at packet.c:392
#21 0xb6e227f5 in call_dissector_work (handle=0x83adae8, tvb=0x887d670,
    pinfo_arg=<value optimized out>, tree=0x89079c8) at packet.c:570
#22 0xb6e232da in dissector_try_port (sub_dissectors=0x83459a0, port=2048,
    tvb=0x887d670, pinfo=0x88d8590, tree=0x89079c8) at packet.c:845
#23 0xb70cea69 in ethertype (etype=2048, tvb=0x887d6e0, offset_after_etype=14,
    pinfo=0x88d8590, tree=0x89079c8, fh_tree=0x8907968, etype_id=11044,
    trailer_id=11046, fcs_len=0) at packet-ethertype.c:199
#24 0xb70cb424 in dissect_eth_common (tvb=0x887d6e0, pinfo=0x88d8590,
    parent_tree=0x89079c8, fcs_len=0) at packet-eth.c:344
#25 0xb6e22496 in call_dissector_through_handle (handle=0x8345558,
    tvb=0x887d6e0, pinfo=0x88d8590, tree=0x89079c8) at packet.c:392
#26 0xb6e227f5 in call_dissector_work (handle=0x8345558, tvb=0x887d6e0,
    pinfo_arg=<value optimized out>, tree=0x89079c8) at packet.c:570
#27 0xb6e22e46 in call_dissector (handle=0x0, tvb=0x887d6e0, pinfo=0x88d8590,
    tree=0x89079c8) at packet.c:1714
#28 0xb4b217e1 in dissect_docsis (tvb=0x887d718, pinfo=0x88d8590,
    tree=0x89079c8) at packet-docsis.c:505
#29 0xb6e22496 in call_dissector_through_handle (handle=0x85d6b08,
    tvb=0x887d718, pinfo=0x88d8590, tree=0x89079c8) at packet.c:392
#30 0xb6e227f5 in call_dissector_work (handle=0x85d6b08, tvb=0x887d718,
    pinfo_arg=<value optimized out>, tree=0x89079c8) at packet.c:570
#31 0xb6e22e46 in call_dissector (handle=0x0, tvb=0x887d718, pinfo=0x88d8590,
    tree=0x89079c8) at packet.c:1714
#32 0xb70ff3ab in dissect_frame (tvb=0x887d718, pinfo=0x88d8590,
    parent_tree=0x89079c8) at packet-frame.c:291
#33 0xb6e22496 in call_dissector_through_handle (handle=0x834f6d0,
    tvb=0x887d718, pinfo=0x88d8590, tree=0x89079c8) at packet.c:392
#34 0xb6e227f5 in call_dissector_work (handle=0x834f6d0, tvb=0x887d718,
    pinfo_arg=<value optimized out>, tree=0x89079c8) at packet.c:570
#35 0xb6e22e46 in call_dissector (handle=0x0, tvb=0x887d718, pinfo=0x88d8590,
    tree=0x89079c8) at packet.c:1714
#36 0xb6e24eb8 in dissect_packet (edt=0x88d8588, pseudo_header=0x88daa2c,
    pd=0x88e7928 "\001\004\002\027\023", fd=0x8869d00, cinfo=0x81b121c)
    at packet.c:328
#37 0xb6e1d383 in epan_dissect_run (edt=0x88d8588, pseudo_header=0x88daa2c,
    data=0x88e7928 "\001\004\002\027\023", fd=0x8869d00, cinfo=0x81b121c)
    at epan.c:198
#38 0x080702ed in add_packet_to_packet_list (fdata=0x8869d00, cf=0x81a1100,
    dfcode=0x0, pseudo_header=0x88daa2c, buf=0x88e7928 "\001\004\002\027\023",
    refilter=1) at file.c:955
#39 0x0807185b in read_packet (cf=0x81a1100, dfcode=0x0, offset=577)
    at file.c:1082
#40 0x080721e1 in cf_read (cf=0x81a1100) at file.c:493
#41 0x0808799c in main (argc=0, argv=0xbf846644) at main.c:2940
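The backtrace above ends in bootp_option() with the stack protector (__stack_chk_fail) firing, but the report does not say which option field is at fault. As an added illustration that is not Wireshark's code and is not derived from the attached capture, here is a hypothetical DHCP option walker showing the two checks a dissector needs before copying an option value: the length byte against the bytes remaining in the input, and against the caller's fixed-size buffer. Sample option bytes are constructed inline.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical DHCP option walker written for illustration; it is not
 * Wireshark's bootp_option(). DHCP options are TLVs: code (1 byte),
 * length (1 byte), value (length bytes). Code 0 is a one-byte pad and
 * code 255 ends the list (RFC 2132). */
#define OPT_PAD 0
#define OPT_END 255

/* Result codes: a value >= 0 is the copied value length. */
#define OPT_NOT_FOUND  (-1)
#define OPT_TRUNCATED  (-2)   /* length byte promises more bytes than remain */
#define OPT_TOO_LONG   (-3)   /* value would not fit the caller's buffer */

/* Copy the value of the first option with code `want` into `out` (capacity
 * `out_cap`). Each length is checked against the remaining input before it
 * is used and against out_cap before the copy, so a bad length byte can
 * neither read past `opts` nor overrun `out`. */
int find_option(const uint8_t *opts, size_t opts_len, uint8_t want,
                uint8_t *out, size_t out_cap)
{
    size_t off = 0;
    while (off < opts_len) {
        uint8_t code = opts[off++];
        if (code == OPT_PAD) continue;
        if (code == OPT_END) break;
        if (off >= opts_len) return OPT_TRUNCATED;       /* no length byte */
        size_t len = opts[off++];
        if (len > opts_len - off) return OPT_TRUNCATED;  /* value overruns input */
        if (code == want) {
            if (len > out_cap) return OPT_TOO_LONG;      /* value overruns output */
            memcpy(out, opts + off, len);
            return (int)len;
        }
        off += len;                                       /* skip to next TLV */
    }
    return OPT_NOT_FOUND;
}

/* Constructed sample inputs (not taken from the attached capture). */
static const uint8_t good_opts[]  = { 53, 1, 2, 12, 4, 'h', 'o', 's', 't', OPT_END };
static const uint8_t short_opts[] = { 12, 200, 'h', 'o', 's', 't' };  /* claims 200, has 4 */

/* Drivers that look up option 12 (host name) with a caller-sized stack buffer. */
static int run(const uint8_t *o, size_t n, size_t cap)
{
    uint8_t buf[64];
    return find_option(o, n, 12, buf, cap < sizeof buf ? cap : sizeof buf);
}
int demo_hostname(void)  { return run(good_opts, sizeof good_opts, 64); }   /* 4 */
int demo_truncated(void) { return run(short_opts, sizeof short_opts, 64); } /* OPT_TRUNCATED */
int demo_too_long(void)  { return run(good_opts, sizeof good_opts, 2); }    /* OPT_TOO_LONG */
```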

