Wireshark-bugs: [Wireshark-bugs] [Bug 7221] New: wireshark crashes with bus error on Sun Sparc p
Date: Wed, 2 May 2012 07:41:02 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7221

           Summary: wireshark crashes with bus error on Sun Sparc platform
                    if capture contains an ICMP echo request
           Product: Wireshark
           Version: 1.6.7
          Platform: SPARC
        OS/Version: Solaris
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: klaus.heckelmann@xxxxxxxxxxxx


Created attachment 8361
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8361
crash capture file and suggested bug fix

Build Information:
wireshark 1.6.7 (SVN Rev Unknown from unknown)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.12.0, with GLib 2.25.13, with libpcap (version
unknown), with libz 1.2.3, without POSIX capabilities, without libpcre, without
SMI, without c-ares, without ADNS, without Lua, without Python, without GnuTLS,
without Gcrypt, with MIT Kerberos, without GeoIP, without PortAudio, without
AirPcap.

Running on SunOS 5.10, with libpcap version 1.2.0, with libz 1.2.3.

Built using gcc 3.4.6.

--
Bus errors are happening on Sun SPARC Solaris10 if the capture contains either
an ICMP echo request or an ICMPv6 echo request.
A capture file is attached that immediately leads to the crash.
The issue happens both in tshark and in wireshark.
It happens in a self-compiled wireshark 1.6.7 as well as in the binary
wireshark-1.6.4 available at www.sunfreeware.com.

The location of the crash is in packet_icmp.c, function transaction_start(), at
line:
        icmp_trans->resp_time = 0.0;
or in the corresponding line in packet-icmpv6.c
The icmp_trans structure is allocated 3 lines before in
        icmp_trans = se_alloc(sizeof(icmp_transaction_t));

The apparent root cause for the crash is the improper alignment of the
resp_time struct member.
The resp_time is type double which needs an 8 byte alignment on Sun Sparc.
The allocation in emem_alloc_chunk() cares for alignment in units of
G_MEM_ALLOC which is sufficient for type long and type void* but not
necessarily for doubles.

There would be multiple options to work around the issue:
1) Use a float instead of double for storing the resp_time.
   Disadvantage: Float precision too low if resp_time is larger than 1000 or so.
2) On Solaris align according to _DOUBLE_ALIGN instead of G_MEM_ALIGN in
   emem_alloc_chunk().
   Disadvantage: Waste of memory for all other allocs.
3) Store the resp_time as a nstime_t rather than a double.
   Disadvantage: The ns_time_t needs to be converted to double in
   tap-icmpstat.c:icmpstat_packet() and in tap-icmpv6stat.c:icmpv6stat_packet()

For option 3) a patch file is attached based on the 1.6.7 source code.

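The alignment reasoning in the report above, reproduced as an added example (this is not Wireshark code, not the attached patch, and not the reporter's): a toy bump allocator rounds every request up to a caller-supplied alignment, the way the report describes emem_alloc_chunk() rounding to G_MEM_ALIGN. With a 4-byte rounding, as on 32-bit SPARC where G_MEM_ALIGN is sizeof(void *), a record whose double member needs 8-byte alignment can land on a 4-byte-odd boundary, which is the condition that produces the bus error. The hypothetical types trans_double_t and trans_nstime_t stand in for the 1.6.7 icmp_transaction_t and the option 3 layout; nstime_demo_t uses two int32_t fields so the example is portable, whereas the real nstime_t uses time_t secs and int nsecs. The code only computes the member address and checks it, it never stores through a misaligned double, so it runs on any host:

```c
/* Added example (not Wireshark code): models why rounding allocations to
 * G_MEM_ALIGN (4 bytes on 32-bit SPARC) can hand out a struct whose double
 * member is not 8-byte aligned, and why an nstime_t-style pair of integers
 * (option 3) does not have that requirement. All type and field names are
 * hypothetical stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for icmp_transaction_t as in 1.6.7: resp_time is a double. */
typedef struct {
    uint32_t rqst_frame;
    uint32_t resp_frame;
    double   resp_time;       /* needs 8-byte alignment on SPARC */
} trans_double_t;

/* Stand-in for nstime_t (option 3). int32_t is chosen for portability here;
 * Wireshark's nstime_t uses time_t secs and int nsecs. */
typedef struct { int32_t secs; int32_t nsecs; } nstime_demo_t;

typedef struct {
    uint32_t      rqst_frame;
    uint32_t      resp_frame;
    nstime_demo_t resp_time;  /* only needs 4-byte alignment */
} trans_nstime_t;

/* Toy bump allocator in the spirit of emem_alloc_chunk(): each request is
 * rounded up to `align` bytes, so each object starts on an `align` boundary. */
#define CHUNK_SIZE 4096
static _Alignas(16) unsigned char chunk[CHUNK_SIZE];
static size_t chunk_used;

static void chunk_reset(void) { chunk_used = 0; }

static void *chunk_alloc(size_t size, size_t align) {
    size_t rounded = (size + align - 1) & ~(align - 1);
    if (chunk_used + rounded > CHUNK_SIZE) return NULL;
    void *p = chunk + chunk_used;
    chunk_used += rounded;
    return p;
}

/* Allocate a 1-byte object first (think of a short se_strdup'd string), then
 * a transaction record, and report whether the member at `member_off` meets
 * `member_align`. Returns 1 if misaligned, 0 if fine, -1 if out of chunk. */
static int member_misaligned(size_t obj_size, size_t member_off,
                             size_t member_align, size_t alloc_align) {
    chunk_reset();
    if (chunk_alloc(1, alloc_align) == NULL) return -1;
    unsigned char *obj = chunk_alloc(obj_size, alloc_align);
    if (obj == NULL) return -1;
    uintptr_t member = (uintptr_t)(obj + member_off);  /* address only, no store */
    return (member % member_align) != 0;
}

/* The 1.6.7 layout with a 4-byte allocator: this is the bus-error case. */
static int double_case_misaligned(size_t alloc_align) {
    return member_misaligned(sizeof(trans_double_t),
                             offsetof(trans_double_t, resp_time),
                             8 /* SPARC requirement for double */, alloc_align);
}

/* Option 3 layout: the same allocator alignment is already sufficient. */
static int nstime_case_misaligned(size_t alloc_align) {
    return member_misaligned(sizeof(trans_nstime_t),
                             offsetof(trans_nstime_t, resp_time),
                             _Alignof(nstime_demo_t), alloc_align);
}

/* Option 2 check: does the allocator's rounding satisfy a double on SPARC? */
static int align_suffices_for_double(size_t alloc_align) {
    return alloc_align >= 8;
}

/* The conversion the tap code would need under option 3 (secs + nsecs -> seconds). */
static double nstime_demo_to_double(nstime_demo_t t) {
    return (double)t.secs + (double)t.nsecs / 1e9;
}

int main(void) {
    size_t sparc32_align = 4;  /* G_MEM_ALIGN == sizeof(void *) on 32-bit */
    printf("double member misaligned, 4-byte allocator: %d\n",
           double_case_misaligned(sparc32_align));
    printf("double member misaligned, 8-byte allocator: %d\n",
           double_case_misaligned(8));
    printf("nstime member misaligned, 4-byte allocator: %d\n",
           nstime_case_misaligned(sparc32_align));
    nstime_demo_t rt = { 1, 500000000 };
    printf("resp_time as double: %.3f\n", nstime_demo_to_double(rt));
    return 0;
}
```

On an x86 host the misaligned case is reported but not fatal, because x86 tolerates unaligned loads; the same address computed on SPARC is what `icmp_trans->resp_time = 0.0;` would fault on. The 8-byte allocator line corresponds to option 2 (aligning every chunk allocation to the double requirement) and the nstime line to option 3.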