Wireshark-bugs: [Wireshark-bugs] [Bug 6139] Buildbot crash output: fuzz-2011-07-19-1747.pcap
Date: Tue, 9 Aug 2011 08:44:28 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6139

Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jeff.morriss.ws@xxxxxxxxx
         Resolution|                            |FIXED

--- Comment #4 from Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> 2011-08-09 08:44:27 PDT ---
Still crashes for me on Linux.  Backtrace is:

#0  0x00000031a0a80e50 in strlen () from /lib64/libc.so.6
#1  0x00000031a0a4961e in vfprintf () from /lib64/libc.so.6
#2  0x00000031a0afc928 in __vsnprintf_chk () from /lib64/libc.so.6
#3  0x00007ff1d23b54bf in proto_tree_set_representation (pi=<value optimized
out>, 
    format=0x7ff1d2e33fa0 "ERROR %s %s (%s)", ap=0x7fff72c886d0) at
../../epan/proto.c:3668
#4  0x00007ff1d23b6be8 in proto_tree_add_text (tree=0x7ff1d11b20e0, tvb=<value
optimized out>, 
    start=<value optimized out>, length=<value optimized out>,
format=0x7ff1d2e33fa0 "ERROR %s %s (%s)")
    at ../../epan/proto.c:1051
#5  0x00007ff1d25098a6 in ProcessError (tree=0x5, tvb=0x7ff1d2e33fab,
bit_offset=16843008, 
    sz=<value optimized out>, err=-5, pDescr=<value optimized out>)
    at ../../../epan/dissectors/packet-csn1.c:105
#6  0x00007ff1d2509b1a in csnStreamDissector (tree=0x7ff1d11b2020,
ar=0x7fff72c88a90, 
    pDescr=0x7fff72c88a68, tvb=0x2f2c5e0, data=0x7ff1d0494660, ett_csn1=7852)
    at ../../../epan/dissectors/packet-csn1.c:1476
#7  0x00007ff1d250a437 in csnStreamDissector (tree=0x7ff1d11b1fc0,
ar=0x7fff72c88c10, 
    pDescr=0x7ff1d38d2720, tvb=0x2f2c5e0, data=0x7ff1d0494660, ett_csn1=7852)
    at ../../../epan/dissectors/packet-csn1.c:548
#8  0x00007ff1d250ab9e in csnStreamDissector (tree=0x7ff1d11b1ba0,
ar=0x7fff72c88d90, 
    pDescr=0x7ff1d38ce300, tvb=0x2f2c5e0, data=0x7ff1d049465c, ett_csn1=7852)
    at ../../../epan/dissectors/packet-csn1.c:1376
#9  0x00007ff1d250a27e in csnStreamDissector (tree=0x7ff1d11b1210,
ar=0x7fff72c88de0, 
    pDescr=0x7ff1d38c8d00, tvb=0x2f2c5e0, data=0x7ff1d0494648, ett_csn1=7852)
    at ../../../epan/dissectors/packet-csn1.c:496
#10 0x00007ff1d2648def in dissect_gsm_rlcmac_uplink (tvb=0x2f2c5e0,
pinfo=0x7fff72c89a80, 
    tree=0x7ff1d11b1000) at ../../../epan/dissectors/packet-gsm_rlcmac.c:5475
#11 0x00007ff1d23a6cd1 in call_dissector_through_handle (handle=0x1ed6cf0,
tvb=0x2f2c5e0, 
    pinfo=0x7fff72c89a80, tree=0x7ff1d11b1000) at ../../epan/packet.c:384


Unfortunately all the variables in frame 5 are optimized out and weirdly if I
turn off optimization the crash doesn't happen.

But, digging further, I think the problem is in frame 7 with this code:

~~~
    525           if (value == pChoice->value)
    526           {
    527             CSN_DESCR   descr[2];
    528             gint16      Status;
    529             csnStream_t arT = *ar;
    530             proto_item   *ti;
    531             proto_tree   *test_tree;
    532 
    533             descr[0]      = pChoice->descr;
    534             descr[1].type = CSN_END;  <<< why are we initializing the
2nd entry in the array?
[...]
    548             Status = csnStreamDissector(test_tree, &arT, descr, tvb,
data, ett_csn1);
~~~

The (recursive) csnStreamDissector() call immediately does a switch on the
pDescr->type, so I'm pretty sure the initialization of 'type' is supposed to be
done on entry 0 instead of 1.  Changing it eliminates the uninitialized
variable read and fixes the crash.

(BTW, CSN_END is 0; this may explain why turning optimization off prevented the
crash: uninitialized memory is frequently--but certainly not always--0.)

Fixed in rev 38430.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.