Wireshark-bugs: [Wireshark-bugs] [Bug 9920] Buildbot crash output: fuzz-2014-03-22-14025.pcap
Date: Mon, 31 Mar 2014 20:09:03 +0000
What | Removed | Added |
---|---|---|
CC | eapache@gmail.com | |
Version | unspecified | Git |
Comment #1 on bug 9920 from Evan Huus
Valgrind (with tree) gives the following on master:

==9547== Invalid read of size 8
==9547==    at 0x9766564: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==9547==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==9547==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==9547==    by 0x655F134: call_dissector_work (packet.c:682)
==9547==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==9547==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==9547==    by 0x6C29BB9: dissect (packet-udp.c:750)
==9547==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==9547==    by 0x655F134: call_dissector_work (packet.c:682)
==9547==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==9547==    by 0x68F5E52: dissect_ip (packet-ip.c:2400)
==9547==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==9547==  Address 0x137d08a0 is 48 bytes inside a block of size 88 free'd
==9547==    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9547==    by 0x9765C66: g_hash_table_remove_all_nodes (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==9547==    by 0x97669A0: g_hash_table_remove_all (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==9547==    by 0x6554AD6: epan_dissect_reset (epan.c:298)
==9547==    by 0x413979: process_packet (tshark.c:3587)
==9547==    by 0x40BBD5: main (tshark.c:3323)
==9547==
==9547==
==9547== Process terminating with default action of signal 11 (SIGSEGV)
==9547==  Bad permissions for mapped region at address 0x85864C0
==9547==    at 0x85864C0: ??? (in /home/eapache/src/wireshark.org/wireshark/epan/.libs/libwireshark.so.0.0.3)
==9547==    by 0x9766568: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==9547==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==9547==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==9547==    by 0x655F134: call_dissector_work (packet.c:682)
==9547==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==9547==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==9547==    by 0x6C29BB9: dissect (packet-udp.c:750)
==9547==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==9547==    by 0x655F134: call_dissector_work (packet.c:682)
==9547==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==9547==    by 0x68F5E52: dissect_ip (packet-ip.c:2400)
==9547==

without tree gives even more:

==31012== Invalid read of size 8
==31012==    at 0x9766564: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x68F5E52: dissect_ip (packet-ip.c:2400)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==  Address 0x14848960 is 48 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==
==31012== Invalid read of size 8
==31012==    at 0x976657A: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x68F5E52: dissect_ip (packet-ip.c:2400)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==  Address 0x14848950 is 32 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==
==31012== Invalid read of size 4
==31012==    at 0x9766587: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x68F5E52: dissect_ip (packet-ip.c:2400)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==  Address 0x14848934 is 4 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==
==31012== Invalid read of size 4
==31012==    at 0x9766593: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x68F5E52: dissect_ip (packet-ip.c:2400)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==  Address 0x14848a64 is 20 bytes inside a block of size 32 free'd
==31012==    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x976650B: g_hash_table_unref (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==
==31012== Invalid read of size 8
==31012==    at 0x9766564: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1229E: process_rtp_payload (packet-rtp.c:1168)
==31012==    by 0x6B1252C: dissect_rtp_data (packet-rtp.c:1355)
==31012==    by 0x6B144C3: dissect_rtp (packet-rtp.c:2102)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==  Address 0x14848960 is 48 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==
==31012== Invalid read of size 8
==31012==    at 0x976657A: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1229E: process_rtp_payload (packet-rtp.c:1168)
==31012==    by 0x6B1252C: dissect_rtp_data (packet-rtp.c:1355)
==31012==    by 0x6B144C3: dissect_rtp (packet-rtp.c:2102)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==  Address 0x14848950 is 32 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==
==31012== Invalid read of size 4
==31012==    at 0x9766587: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1229E: process_rtp_payload (packet-rtp.c:1168)
==31012==    by 0x6B1252C: dissect_rtp_data (packet-rtp.c:1355)
==31012==    by 0x6B144C3: dissect_rtp (packet-rtp.c:2102)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==  Address 0x14848934 is 4 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==
==31012== Invalid read of size 4
==31012==    at 0x9766593: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1229E: process_rtp_payload (packet-rtp.c:1168)
==31012==    by 0x6B1252C: dissect_rtp_data (packet-rtp.c:1355)
==31012==    by 0x6B144C3: dissect_rtp (packet-rtp.c:2102)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==  Address 0x14848a64 is 20 bytes inside a block of size 32 free'd
==31012==    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x976650B: g_hash_table_unref (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)

More problems with the RTP hash tables... we should really just get rid of those, they have caused a lot of problems. Maybe a wmem-backed hash table would simplify things? I haven't even bothered running this against 1.10 where the fuzz-bot actually failed...
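A triage helper for traces like the one quoted in this comment, added here as an example (it is not part of the original message or of Wireshark): it collapses Memcheck errors into buckets keyed by the first source-level frame of the invalid access and of the free, so repeated reads of one stale hash table show up as a single finding. The names `site` and `triage` and the abridged `SAMPLE` input are assumptions made for illustration.

```python
import re
from collections import Counter

HEADER = re.compile(r"^==\d+== Invalid (?:read|write) of size \d+")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
BLOCK = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is .* (free'd|alloc'd)")
SRC = re.compile(r"^[\w.+-]+:\d+$")  # "packet-rtp.c:1837", not "in /lib/..."

def site(frames):
    """First frame carrying file:line, i.e. the first one in code we can fix."""
    return next((f"{fn} ({loc})" for fn, loc in frames if SRC.match(loc)), "?")

def triage(log):
    """Bucket Memcheck errors by (access site, block state, release site)."""
    records, cur = [], None
    for line in log.splitlines():
        if HEADER.match(line):
            records.append(cur := {"use": [], "rel": [], "state": None})
        elif cur and (m := BLOCK.match(line)):
            cur["state"] = m.group(1)
        elif cur and (m := FRAME.match(line)):
            # frames after the "Address ..." line are the free/alloc stack
            cur["rel" if cur["state"] else "use"].append(m.groups())
        else:
            cur = None  # bare ==PID== line or other text closes the record
    return Counter((site(r["use"]), r["state"], site(r["rel"])) for r in records)

# Constructed input: three records abridged from the trace quoted above.
SAMPLE = """\
==31012== Invalid read of size 8
==31012==    at 0x9766564: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==31012==  Address 0x14848960 is 48 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==
==31012== Invalid read of size 8
==31012==    at 0x976657A: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==31012==  Address 0x14848950 is 32 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==
==31012== Invalid read of size 8
==31012==    at 0x9766564: g_hash_table_lookup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1229E: process_rtp_payload (packet-rtp.c:1168)
==31012==  Address 0x14848960 is 48 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
"""
```

Calling `triage(SAMPLE).most_common()` lists the buckets by frequency; feeding it a full Memcheck log instead of the abridged sample works the same way.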