Wireshark-bugs: [Wireshark-bugs] [Bug 6031] New: Crashes on playing with bootp filter and when v
Date: Fri, 17 Jun 2011 08:48:45 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6031

Summary: Crashes on playing with bootp filter and when viewing some bootp packet while still capturing... :/
Product: Wireshark
Version: 1.6.0
Platform: Other
OS/Version: All
Status: NEW
Severity: Major
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: db.pub.mail@xxxxxxxxx

Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark -v", or "tshark -v".
--
Crashes on playing with bootp filter and when viewing some bootp packet while still capturing... :/

So I was running the following Python code (on Linux) [0]. Wireshark crashed when I applied 'bootp' as a filter and then cleared it (after moving around some of the packets). I was able to reproduce the crash on Windows 7 using Wireshark 1.6 as well as on Ubuntu 11.04 with Wireshark 1.4.6-1.

[0]

import socket
from struct import unpack, pack   # imported but unused in this script
from random import SystemRandom
import os

# Python 2 script: chr(01) and chr(00) are octal integer literals (a syntax error on Python 3).
x = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
x.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
data = chr(01) + chr(00) * 10 + """NI""" + chr(00) + "(" + chr(12) * 10 + chr(00) * 100 + """c.Sc5..2.......herp-laptop7.......w.,/.y*y..*"""
random = SystemRandom()
while (True):
    OMG = [i for i in data]
    OMG += os.urandom(120)
    random.shuffle(OMG)
    # str(OMG) sends the textual repr of the list rather than the joined bytes; this is the code as run.
    x.sendto(str(OMG), ('255.255.255.255', 67))

(gdb) bt
#0  ensure_contiguous_no_exception (tvb=0x7f0038342e30, offset=0, length=-1, exception=0x7fffffffb26c) at tvbuff.c:885
#1  0x00007ffff55db2fe in ensure_contiguous (tvb=<value optimised out>, offset=<value optimised out>, length=<value optimised out>) at tvbuff.c:920
#2  0x00007ffff7ed8a89 in get_byte_view_data_and_length (byte_view=<value optimised out>, data_len=0x7fffffffb2ac) at main_proto_draw.c:130
#3  0x00007ffff7ed9732 in byte_view_realize_cb (bv=0x7ffff9311c60, data=<value optimised out>) at main_proto_draw.c:651
#4  0x00007ffff331481c in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#5  0x00007ffff3326019 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#6  0x00007ffff332f258 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#7  0x00007ffff332f41f in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#8  0x00007ffff3ed0256 in gtk_widget_show () from /usr/lib/libgtk-x11-2.0.so.0
#9  0x00007ffff7ed71fc in add_byte_tab (byte_nb=0x7ffff9331260, name=<value optimised out>, tvb=0x7f0038342e30, tree=0x7ffff964d4e0, tree_view=0x7ffff9322600) at main_proto_draw.c:705
#10 0x00007ffff7ed8cea in add_byte_views (edt=0x7ffff9930c60, tree_view=0x7ffff9322600, byte_nb_ptr=0x7ffff9331260) at main_proto_draw.c:745
#11 0x00007ffff7ecfa4c in main_cf_cb_packet_selected (event=<value optimised out>, data=0x7ffff822f3c0, user_data=<value optimised out>) at main.c:1687
#12 main_cf_callback (event=<value optimised out>, data=0x7ffff822f3c0, user_data=<value optimised out>) at main.c:1746
#13 0x00007ffff7eb6aaf in cf_callback_invoke (event=4, data=0x7ffff822f3c0) at file.c:162
#14 0x00007ffff7edf23a in new_packet_list_select_cb (tree_view=<value optimised out>, data=<value optimised out>) at new_packet_list.c:1040
#15 0x00007ffff331481c in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#16 0x00007ffff3326019 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#17 0x00007ffff332f258 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#18 0x00007ffff332f41f in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#19 0x00007ffff3eabde5 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#20 0x00007ffff3eafa7c in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#21 0x00007ffff3daca5c in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#22 0x00007ffff331481c in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#23 0x00007ffff3325e1f in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#24 0x00007ffff332e800 in g_signal_emitv () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#25 0x00007ffff3cf68d3 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#26 0x00007ffff3cf6e58 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#27 0x00007ffff3cf70b2 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#28 0x00007ffff3cf7fca in gtk_bindings_activate_event () from /usr/lib/libgtk-x11-2.0.so.0
#29 0x00007ffff3eb0b49 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#30 0x00007ffff3dac578 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#31 0x00007ffff3314765 in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#32 0x00007ffff3325e1f in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#33 0x00007ffff332efa9 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#34 0x00007ffff332f41f in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#35 0x00007ffff3ec84d1 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#36 0x00007ffff3eddf5b in gtk_window_propagate_key_event () from /usr/lib/libgtk-x11-2.0.so.0
#37 0x00007ffff3ee0a8b in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#38 0x00007ffff3dac578 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#39 0x00007ffff331481c in g_closure_invoke () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#40 0x00007ffff3325e1f in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#41 0x00007ffff332efa9 in g_signal_emit_valist () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#42 0x00007ffff332f41f in g_signal_emit () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#43 0x00007ffff3ec84d1 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#44 0x00007ffff3daa834 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#45 0x00007ffff3daaa5b in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#46 0x00007ffff3a1d5cc in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#47 0x00007ffff3059bcd in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#48 0x00007ffff305a3a8 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#49 0x00007ffff305a639 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#50 0x00007ffff3da9d01 in gtk_main_iteration () from /usr/lib/libgtk-x11-2.0.so.0
#51 0x00007ffff7ecadc5 in main_window_update () at gui_utils.c:603
#52 0x00007ffff7eb1c3c in capture_input_new_packets (capture_opts=0x7ffff823f5c0, to_read=323) at capture.c:409
#53 0x00007ffff7eb5298 in sync_pipe_input_cb (source=<value optimised out>, user_data=0x7ffff823f5c0) at capture_sync.c:1593
#54 0x00007ffff7eca2f5 in pipe_input_cb (source=<value optimised out>, condition=<value optimised out>, data=<value optimised out>) at gui_utils.c:729
#55 0x00007ffff3059bcd in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#56 0x00007ffff305a3a8 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#57 0x00007ffff305a9f2 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#58 0x00007ffff3da9af7 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#59 0x00007ffff7ed0a37 in main (argc=0, argv=0x7fffffffe1a0) at main.c:3022

(gdb) i r
rax            0x0                 0
rbx            0x7f0038342e30      139638919671344
rcx            0x7fffffffb26c      140737488335468
rdx            0xffffffff          4294967295
rsi            0x0                 0
rdi            0x7f0038342e30      139638919671344
rbp            0x7fffffffb2ac      0x7fffffffb2ac
rsp            0x7fffffffb210      0x7fffffffb210
r8             0x7ffff33049e8      140737273416168
r9             0x163f              5695
r10            0x7ffff241b430      140737257780272
r11            0x7ffff2429462      140737257837666
r12            0x0                 0
r13            0x1                 1
r14            0x7fffffffb3f0      140737488335856
r15            0x0                 0
rip            0x7ffff55db0b2      0x7ffff55db0b2 <ensure_contiguous_no_exception+34>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

(gdb) info locals
abs_offset = <value optimised out>
abs_length = <value optimised out>

==6230== Invalid read of size 4
==6230==    at 0x5F700B2: ensure_contiguous_no_exception (tvbuff.c:885)
==6230==    by 0x5F702FD: ensure_contiguous (tvbuff.c:920)
==6230==    by 0x1B7A88: get_byte_view_data_and_length (main_proto_draw.c:130)
==6230==    by 0x1B8731: byte_view_realize_cb (main_proto_draw.c:651)
==6230==    by 0x94EC81B: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.2800.6)
==6230==    by 0x94FE018: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.2800.6)
==6230==    by 0x9507257: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.2800.6)
==6230==    by 0x950741E: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.2800.6)
==6230==    by 0x89DA255: gtk_widget_show (in /usr/lib/libgtk-x11-2.0.so.0.2400.4)
==6230==    by 0x1B61FB: add_byte_tab (main_proto_draw.c:705)
==6230==    by 0x1B7CE9: add_byte_views (main_proto_draw.c:745)
==6230==    by 0x1AEA4B: main_cf_callback (main.c:1687)
==6230==  Address 0x383372 is not stack'd, malloc'd or (recently) free'd
==6230==
==6230==
==6230== Process terminating with default action of signal 11 (SIGSEGV)
==6230==  Access not within mapped region at address 0x383372
==6230==    at 0x5F700B2: ensure_contiguous_no_exception (tvbuff.c:885)
==6230==    by 0x5F702FD: ensure_contiguous (tvbuff.c:920)
==6230==    by 0x1B7A88: get_byte_view_data_and_length (main_proto_draw.c:130)
==6230==    by 0x1B8731: byte_view_realize_cb (main_proto_draw.c:651)
==6230==    by 0x94EC81B: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.2800.6)
==6230==    by 0x94FE018: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.2800.6)
==6230==    by 0x9507257: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.2800.6)
==6230==    by 0x950741E: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.2800.6)
==6230==    by 0x89DA255: gtk_widget_show (in /usr/lib/libgtk-x11-2.0.so.0.2400.4)
==6230==    by 0x1B61FB: add_byte_tab (main_proto_draw.c:705)
==6230==    by 0x1B7CE9: add_byte_views (main_proto_draw.c:745)
==6230==    by 0x1AEA4B: main_cf_callback (main.c:1687)
==6230==  If you believe this happened as a result of a stack
==6230==  overflow in your program's main thread (unlikely but
==6230==  possible), you can try to increase the size of the
==6230==  main thread stack using the --main-stacksize= flag.
==6230==  The main thread stack size used in this run was 8388608.
==6230==
==6230== HEAP SUMMARY:
==6230==     in use at exit: 24,194,057 bytes in 169,000 blocks
==6230==   total heap usage: 932,855 allocs, 763,855 frees, 302,756,202 bytes allocated
==6230==
==6230== LEAK SUMMARY:
==6230==    definitely lost: 25,089 bytes in 346 blocks
==6230==    indirectly lost: 38,320 bytes in 1,320 blocks
==6230==      possibly lost: 10,750,048 bytes in 38,796 blocks
==6230==    still reachable: 13,380,600 bytes in 128,538 blocks
==6230==         suppressed: 0 bytes in 0 blocks
==6230== Rerun with --leak-check=full to see details of leaked memory
==6230==
==6230== For counts of detected and suppressed errors, rerun with: -v
==6230== ERROR SUMMARY: 521 errors from 30 contexts (suppressed: 56 from 8)

--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
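Triage of crash output in the shape of the gdb frame #0 and valgrind block above, as an added example that is not part of the bug report or of Wireshark: it pulls the first frame that resolves to Wireshark source rather than a GTK/GLib library, flags the negative length=-1 argument in frame #0, and classifies valgrind's "not stack'd, malloc'd or (recently) free'd" address as a wild pointer rather than a heap overflow or use-after-free. The regexes assume the line shapes seen in this report; the sample input is constructed from the report's own lines.

```python
import re
# Constructed sample input in the shape of the report's gdb frame #0 and valgrind block
# (addresses copied from the report above; the valgrind block is trimmed to three frames).
SAMPLE_GDB_FRAME0 = ("#0  ensure_contiguous_no_exception (tvb=0x7f0038342e30, offset=0, "
                     "length=-1, exception=0x7fffffffb26c) at tvbuff.c:885")
SAMPLE_VALGRIND = """\
==6230== Invalid read of size 4
==6230==    at 0x5F700B2: ensure_contiguous_no_exception (tvbuff.c:885)
==6230==    by 0x5F702FD: ensure_contiguous (tvbuff.c:920)
==6230==    by 0x94EC81B: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.2800.6)
==6230==  Address 0x383372 is not stack'd, malloc'd or (recently) free'd
"""

ERROR_RE = re.compile(r"^==\d+==\s+(Invalid (?:read|write) of size \d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)\s+\((.*)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is (.*)$")
GDB0_RE = re.compile(r"^#0\s+(\S+)\s+\((.*)\)\s+at\s+(\S+)$")
# Valgrind's wording for the faulting address, checked in order (first match wins).
FAULT_CLASSES = [("not stack'd", "wild pointer"),          # neither heap nor stack: garbage/dangling
                 ("free'd", "use-after-free"),             # "N bytes inside a block of size M free'd"
                 ("after a block", "heap out-of-bounds"),  # "N bytes after a block of size M alloc'd"
                 ("before a block", "heap out-of-bounds")]

def parse_valgrind_error(text):
    """Return (kind, frames, address, address_status) for the first error block in text."""
    kind = address = status = None
    frames = []  # (function, "file:line" for project code or "in /path/lib.so" for libraries)
    for line in text.splitlines():
        e, f, a = ERROR_RE.match(line), FRAME_RE.match(line), ADDR_RE.match(line)
        if e:
            kind = e.group(1)
        elif f:
            frames.append((f.group(1), f.group(2)))
        elif a:
            address, status = a.group(1), a.group(2)
    return kind, frames, address, status

def first_source_frame(frames):
    """First frame resolved to a source file:line, i.e. the project's own code, not GTK/GLib."""
    return next(((fn, loc) for fn, loc in frames if not loc.startswith("in /")), None)

def classify_address(status):
    """Map valgrind's description of the faulting address to a rough fault class for triage."""
    return next((cls for key, cls in FAULT_CLASSES if key in (status or "")), "other")

def parse_gdb_frame0(line):
    """Return (function, {arg: value}, 'file:line', [args with negative values]) or None."""
    m = GDB0_RE.match(line)
    if not m:
        return None
    args = dict(part.partition("=")[::2] for part in m.group(2).split(", "))
    negative = [k for k, v in args.items() if v.lstrip("-").isdigit() and int(v) < 0]
    return m.group(1), args, m.group(3), negative
```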