Wireshark-bugs: [Wireshark-bugs] [Bug 7634] New: tshark, wireshark SEGV at start: derefs NULL po
Date: Tue, 14 Aug 2012 10:42:20 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7634

           Summary: tshark, wireshark SEGV at start: derefs NULL pointer
                    interface_opts.cfilter
           Product: Wireshark
           Version: 1.8.1
          Platform: SPARC
        OS/Version: Solaris
            Status: NEW
          Severity: Major
          Priority: Low
         Component: TShark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: irwin@xxxxxxxxxxxxx


Build Information:
new-heymon% tshark -v
TShark 1.8.1 (SVN Rev Unknown from unknown)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GLib 2.32.3, with libpcap, with libz 1.2.7, without
POSIX capabilities, without SMI, without c-ares, without ADNS, without Lua,
without Python, without GnuTLS, without Gcrypt, without Kerberos, without GeoIP.

Running on SunOS 5.10, without locale, with libpcap version 1.3.0, with libz 1.2.7.

Built using gcc 4.4.7.


--
On Solaris 10 SPARC with gcc 4.2.4, 4.3.6, 4.4.7 (but not Solaris 9 SPARC with
gcc 4.1.2):

Whenever I start tshark in such a way that it wants to capture from an
interface, it SEGVs immediately after printing the "Capturing on interfacename"
message.

It doesn't matter whether I call tshark with no arguments and options, specify an
interface, and/or specify a capture filter.

The same SEGV happens in wireshark when I click the "Start" capture.

Backtrace on the core is always the same:

Reading symbols from /var/local/bin/tshark...done.
[New LWP 1]
[Thread debugging using libthread_db enabled]
[New Thread 1 (LWP 1)]
Core was generated by `/var/local/bin/tshark -f ip host plaid'.
Program terminated with signal 11, Segmentation fault.
#0  0xfb932cb0 in strlen () from /lib/libc.so.1
(gdb) bt
#0  0xfb932cb0 in strlen () from /lib/libc.so.1
#1  0xfb99f0e4 in _ndoprnt () from /lib/libc.so.1
#2  0xfb9a1888 in vsnprintf () from /lib/libc.so.1
#3  0xfb99d18c in vasprintf () from /lib/libc.so.1
#4  0xfbb22d88 in g_vasprintf (string=0xffbfec04, format=0x57ad0 "Interface name[df]  : %s", args=0xffbff150) at gprintf.c:314
#5  0xfbafcdd8 in g_strdup_vprintf (format=0x57ad0 "Interface name[df]  : %s", args=0xffbff150) at gstrfuncs.c:509
#6  0xfbae1bd8 in g_logv (log_domain=<optimized out>, log_level=G_LOG_LEVEL_DEBUG, format=0x57ad0 "Interface name[df]  : %s", args1=0xffbff150) at gmessages.c:730
#7  0xfbae1d6c in g_log (log_domain=0x57178 "Capture", log_level=G_LOG_LEVEL_DEBUG, format=0x57ad0 "Interface name[df]  : %s") at gmessages.c:792
#8  0x0002818c in capture_opts_log (log_domain=0x57178 "Capture", log_level=G_LOG_LEVEL_DEBUG, capture_opts=0x73904) at capture_opts.c:181
#9  0x00024424 in sync_pipe_start (capture_opts=0x73904) at capture_sync.c:372
#10 0x0002ee0c in capture () at tshark.c:2116
#11 0x0002e7ac in main (argc=3, argv=0xffbffa2c) at tshark.c:1851


In capture_opts_log() at:

    g_log(log_domain, log_level, "Capture filter[%02d]  : %s", i,
          interface_opts.cfilter);

...the debugger is showing interface_opts.cfilter == 0x0.
The SEGV appears to be when this null pointer is dereferenced by strlen().

(I found that to debug this, build with gcc -O0.  With the gcc -O2, the
debugger claims that 'interface_opts' was optimized out.)
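Added example, not part of the bug report and not Wireshark's own code: it shows
the pattern behind the crash (a NULL pointer handed to a "%s" conversion, which is
undefined behaviour in C and ends in strlen(NULL) on Solaris libc) next to the
guarded form that substitutes a placeholder. The struct, field names and function
names below are hypothetical stand-ins chosen for the example; the sample filter
string is the one from the core file's command line.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the interface options record: only the field
 * this report is about. The real Wireshark struct has many more members. */
typedef struct {
    const char *name;
    const char *cfilter;   /* NULL when no capture filter was supplied */
} interface_opts_t;

/* Same shape as the log line in the report: the field goes straight into a
 * "%s" conversion. With cfilter == NULL this is undefined behaviour; glibc
 * happens to print "(null)", Solaris libc calls strlen(NULL) and SEGVs, which
 * is exactly the backtrace above. Kept only for side-by-side comparison and
 * never called with a NULL filter in main() or the test. */
int format_filter_line_unsafe(char *buf, size_t buflen, int i,
                              const interface_opts_t *opts)
{
    return snprintf(buf, buflen, "Capture filter[%02d]  : %s", i, opts->cfilter);
}

/* Guarded form: a visible placeholder means the format string never sees a
 * NULL argument, whichever libc is underneath. */
int format_filter_line_safe(char *buf, size_t buflen, int i,
                            const interface_opts_t *opts)
{
    const char *cfilter = opts->cfilter ? opts->cfilter : "(none)";
    return snprintf(buf, buflen, "Capture filter[%02d]  : %s", i, cfilter);
}

/* Convenience check: format one line with the guarded function and report
 * whether it equals the expected text (1 = match, 0 = mismatch). */
int safe_line_matches(const char *cfilter, int i, const char *expected)
{
    interface_opts_t opts = { "eth0", cfilter };   /* constructed sample */
    char line[128];

    format_filter_line_safe(line, sizeof line, i, &opts);
    return strcmp(line, expected) == 0;
}

int main(void)
{
    /* Constructed samples: the report's case (no -f filter) and a filtered one. */
    interface_opts_t no_filter   = { "eth0", NULL };
    interface_opts_t with_filter = { "eth0", "ip host plaid" };
    char line[128];

    format_filter_line_safe(line, sizeof line, 0, &no_filter);
    puts(line);   /* Capture filter[00]  : (none) */
    format_filter_line_safe(line, sizeof line, 1, &with_filter);
    puts(line);   /* Capture filter[01]  : ip host plaid */
    return 0;
}
```

The same guard applies to every "%s" argument that may legitimately be unset
(interface name, display filter, and so on); the log statement is the wrong
place to rely on a particular libc tolerating NULL.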
