Wireshark-bugs: [Wireshark-bugs] [Bug 7945] Buildbot crash output: fuzz-2012-10-31-25737.pcap
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7945
Evan Huus <eapache@xxxxxxxxx> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |eapache@xxxxxxxxx
--- Comment #1 from Evan Huus <eapache@xxxxxxxxx> 2012-11-11 06:35:38 PST ---
No regular crashes, but valgrind gives the following:
==5653== Invalid read of size 1
==5653== at 0x9B293B1: vfprintf (vfprintf.c:1630)
==5653== by 0x9BE6D7F: __vsnprintf_chk (vsnprintf_chk.c:65)
==5653== by 0x98367B2: g_printf_string_upper_bound (stdio2.h:78)
==5653== by 0x6090F97: emem_strdup_vprintf (emem.c:1038)
==5653== by 0x6091F8B: ep_strdup_printf (emem.c:1066)
==5653== by 0x62D160A: dissect_primary_header (packet-dtn.c:1039)
==5653== by 0x62D29A6: dissect_complete_bundle (packet-dtn.c:658)
==5653== by 0x648B8C8: dissect_ltp (packet-ltp.c:359)
==5653== by 0x609D50E: call_dissector_through_handle (packet.c:450)
==5653== by 0x609DD6C: call_dissector_work (packet.c:545)
==5653== by 0x609E5AF: dissector_try_uint_new (packet.c:965)
==5653== by 0x609E606: dissector_try_uint (packet.c:991)
==5653== Address 0x103d438a is 0 bytes after a block of size 1,530 alloc'd
==5653== at 0x4C2B3F8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5653== by 0x98346E0: g_malloc (gmem.c:159)
==5653== by 0x60B88B6: fragment_add_work.isra.5 (reassemble.c:834)
==5653== by 0x60B93FB: fragment_add_check (reassemble.c:1104)
==5653== by 0x648B7F4: dissect_ltp (packet-ltp.c:319)
==5653== by 0x609D50E: call_dissector_through_handle (packet.c:450)
==5653== by 0x609DD6C: call_dissector_work (packet.c:545)
==5653== by 0x609E5AF: dissector_try_uint_new (packet.c:965)
==5653== by 0x609E606: dissector_try_uint (packet.c:991)
==5653== by 0x6707974: decode_udp_ports (packet-udp.c:271)
==5653== by 0x6707F7F: dissect (packet-udp.c:593)
==5653== by 0x609D4C7: call_dissector_through_handle (packet.c:454)
It looks like we're somehow (despite comments to the contrary in the code)
ending up with a not-quite-validly-terminated string.
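The trace above is consistent with a string formatter walking off the end of a reassembled block because the string inside it has no terminator. As an added example (not code from Wireshark or from this bug report), the following C sketch confirms that a NUL lies inside the block before the string is handed to a `%s` format. The names `bounded_cstr` and `format_pair` are hypothetical, and the sample buffers are constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return a pointer to the string starting at `off` only if a NUL terminator
 * lies inside buf[off .. len-1]; otherwise NULL. Never reads past buf+len. */
static const char *bounded_cstr(const uint8_t *buf, size_t len, size_t off)
{
    if (buf == NULL || off >= len)
        return NULL;
    if (memchr(buf + off, '\0', len - off) == NULL)
        return NULL;              /* string runs to the end of the block */
    return (const char *)(buf + off);
}

/* Hypothetical helper: format "first:second" from two offsets into one block.
 * Returns 0 on success, -1 if either string is unterminated or dst is too
 * small to hold the result. */
static int format_pair(char *dst, size_t dst_len, const uint8_t *buf,
                       size_t len, size_t first_off, size_t second_off)
{
    const char *first = bounded_cstr(buf, len, first_off);
    const char *second = bounded_cstr(buf, len, second_off);
    int n;

    if (first == NULL || second == NULL || dst_len == 0)
        return -1;
    n = snprintf(dst, dst_len, "%s:%s", first, second);
    return (n < 0 || (size_t)n >= dst_len) ? -1 : 0;
}

/* Constructed sample data: `good` ends with a terminator, while the last
 * string in `bad` fills its block exactly, with no NUL before the end. */
static const uint8_t good[] = { 'd', 't', 'n', '\0', '/', '/', 'a', '\0' };
static const uint8_t bad[]  = { 'd', 't', 'n', '\0', '/', '/', 'a', 'b' };

int main(void)
{
    char out[32];

    printf("good: %d\n", format_pair(out, sizeof out, good, sizeof good, 0, 4));
    printf("bad:  %d\n", format_pair(out, sizeof out, bad, sizeof bad, 0, 4));
    return 0;
}
```

Without the `memchr` check, formatting the second string in `bad` would read the byte immediately after the block, which is the kind of access valgrind reports as "0 bytes after a block".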