Created attachment 10836
A simple pcap file, for demonstration
Build Information:
TShark 1.11.0 (SVN Rev 49552 from /trunk)
Copyright 1998-2013 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.34.1, with libpcap, with libz 1.2.7, without POSIX
capabilities, without libnl, without SMI, without c-ares, without ADNS, without
Lua, without Python, without GnuTLS, without Gcrypt, without Kerberos, without
GeoIP.
Running on Linux 3.5.0-30-generic, with locale en_US.UTF-8, with libpcap version
1.3.0, with libz 1.2.7.
AMD Phenom(tm) 9550 Quad-Core Processor
Built using gcc 4.7.2.
--
Running the following command causes tshark to crash:
tshark -2 -q -r anypcap.pcap
This is independent of the contents of the pcap, as long as there is at least
one packet within it.
This is caused by a null pointer dereference at tshark.c:2716:
g_slist_foreach(edt.pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
It is caused by the following code in tshark.c:
// Begin at line 2657
process_packet_first_pass(capture_file *cf,
                          gint64 offset, struct wtap_pkthdr *whdr,
                          const guchar *pd)
{
  // ...
  epan_dissect_t edt;
  gboolean passed;
  // ...
  passed = TRUE;
  // ...
  /* If we're going to print packet information, or we're going to
     run a read filter, or display filter, or we're going to process taps,
     set up to do a dissection and do so. */
  if (do_dissection) {
    // ....
  }
  if (passed) {
    frame_data_set_after_dissect(&fdlocal, &cum_bytes);
    prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
    g_slist_foreach(edt.pi.dependent_frames, find_and_mark_frame_depended_upon,
                    cf->frames);
In short, edt is only set up inside the if (do_dissection) block, yet edt.pi.dependent_frames is passed to g_slist_foreach unconditionally. When do_dissection is false, g_slist_foreach walks that pointer anyway, dereferences it, and the process SEGFAULTs.
Here is the call stack:
#0 find_and_mark_frame_depended_upon (data=<optimized out>, user_data=<optimized out>) at frame_data_sequence.c:323
#1 0x00007ffff3671cfd in g_slist_foreach () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2 0x000000000040b8d4 in process_packet_first_pass (pd=0x17401e0 "E", whdr=<optimized out>, offset=<optimized out>, cf=<optimized out>) at tshark.c:2716
#3 load_cap_file (max_byte_count=0x0, max_packet_count=0x0, out_file_name_res=<optimized out>, out_file_type=0x2, save_file=0x0, cf=<optimized out>) at tshark.c:2957
#4 main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1918
Therefore, triggering this requires:
1) load_cap_file to be called, therefore requiring -r (specifies a file to load from)
2) process_packet_first_pass to be called, therefore requiring -2 (two passes)
3) do_dissection to be false, which can be caused by passing -q (quiet mode)
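As an added illustration (constructed stand-ins, not Wireshark's own code), the hardened shape of the first pass described above: the dependent-frame walk is placed under the same do_dissection condition that populates edt, so the uninitialised dissection state is never read when -q suppresses dissection. The list, table and frame types are hypothetical simplifications of GSList, cf->frames and epan_dissect_t.

```c
#include <stddef.h>

/* Constructed stand-ins for the tshark/GLib types involved in the report. */
typedef struct slist { unsigned frame_num; struct slist *next; } slist;
typedef struct { slist *dependent_frames; } packet_info;              /* edt.pi      */
typedef struct { packet_info pi; } epan_dissect;                      /* edt         */
typedef struct { int depended_upon[8]; unsigned count; } frame_table; /* cf->frames  */

/* Mirrors the role of find_and_mark_frame_depended_upon: flag one frame. */
static void mark_depended_upon(const slist *node, frame_table *frames) {
    if (node->frame_num < 8)
        frames->depended_upon[node->frame_num] = 1;
}

/* Hardened first pass. edt is only valid when a dissection ran, so the
 * dependent-frame walk sits under the same guard. Returns frames marked. */
static int first_pass_fixed(int do_dissection, frame_table *frames, slist *deps) {
    epan_dissect edt;     /* deliberately left uninitialised, as in tshark.c */
    int passed = 1;
    int marked = 0;

    if (do_dissection) {
        edt.pi.dependent_frames = deps;   /* stands in for the real dissection */
    }
    if (passed) {
        frames->count++;                  /* frame_data_sequence_add() */
        if (do_dissection) {              /* the guard the report's code lacks */
            for (slist *n = edt.pi.dependent_frames; n != NULL; n = n->next) {
                mark_depended_upon(n, frames);
                marked++;
            }
        }
    }
    return marked;
}

/* Drive one packet through the pass with a constructed dependency list {1, 3}. */
int run_demo(int do_dissection) {
    frame_table frames = {{0}, 0};
    slist dep3 = {3, NULL};
    slist dep1 = {1, &dep3};
    return first_pass_fixed(do_dissection, &frames, &dep1);
}
```

With do_dissection cleared (the -q case) the pass completes without touching edt; with it set, both dependent frames are marked.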