Wireshark-bugs: [Wireshark-bugs] [Bug 9920] Buildbot crash output: fuzz-2014-03-22-14025.pcap
Date: Mon, 31 Mar 2014 20:09:03 +0000

changed bug 9920

What Removed Added
CC   eapache@gmail.com
Version unspecified Git

Comment # 1 on bug 9920 from
Valgrind (with tree) gives the following on master:

==9547== Invalid read of size 8
==9547==    at 0x9766564: g_hash_table_lookup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==9547==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==9547==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==9547==    by 0x655F134: call_dissector_work (packet.c:682)
==9547==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==9547==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==9547==    by 0x6C29BB9: dissect (packet-udp.c:750)
==9547==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==9547==    by 0x655F134: call_dissector_work (packet.c:682)
==9547==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==9547==    by 0x68F5E52: dissect_ip (packet-ip.c:2400)
==9547==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==9547==  Address 0x137d08a0 is 48 bytes inside a block of size 88 free'd
==9547==    at 0x4C2B68C: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9547==    by 0x9765C66: g_hash_table_remove_all_nodes (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==9547==    by 0x97669A0: g_hash_table_remove_all (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==9547==    by 0x6554AD6: epan_dissect_reset (epan.c:298)
==9547==    by 0x413979: process_packet (tshark.c:3587)
==9547==    by 0x40BBD5: main (tshark.c:3323)
==9547== 
==9547== 
==9547== Process terminating with default action of signal 11 (SIGSEGV)
==9547==  Bad permissions for mapped region at address 0x85864C0
==9547==    at 0x85864C0: ??? (in
/home/eapache/src/wireshark.org/wireshark/epan/.libs/libwireshark.so.0.0.3)
==9547==    by 0x9766568: g_hash_table_lookup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==9547==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==9547==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==9547==    by 0x655F134: call_dissector_work (packet.c:682)
==9547==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==9547==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==9547==    by 0x6C29BB9: dissect (packet-udp.c:750)
==9547==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==9547==    by 0x655F134: call_dissector_work (packet.c:682)
==9547==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==9547==    by 0x68F5E52: dissect_ip (packet-ip.c:2400)
==9547== 

without tree gives even more:

==31012== Invalid read of size 8
==31012==    at 0x9766564: g_hash_table_lookup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x68F5E52: dissect_ip (packet-ip.c:2400)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==  Address 0x14848960 is 48 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012== 
==31012== Invalid read of size 8
==31012==    at 0x976657A: g_hash_table_lookup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x68F5E52: dissect_ip (packet-ip.c:2400)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==  Address 0x14848950 is 32 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012== 
==31012== Invalid read of size 4
==31012==    at 0x9766587: g_hash_table_lookup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x68F5E52: dissect_ip (packet-ip.c:2400)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==  Address 0x14848934 is 4 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012== 
==31012== Invalid read of size 4
==31012==    at 0x9766593: g_hash_table_lookup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1383F: dissect_rtp (packet-rtp.c:1837)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x68F5E52: dissect_ip (packet-ip.c:2400)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==  Address 0x14848a64 is 20 bytes inside a block of size 32 free'd
==31012==    at 0x4C2B68C: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x976650B: g_hash_table_unref (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012== 
==31012== Invalid read of size 8
==31012==    at 0x9766564: g_hash_table_lookup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1229E: process_rtp_payload (packet-rtp.c:1168)
==31012==    by 0x6B1252C: dissect_rtp_data (packet-rtp.c:1355)
==31012==    by 0x6B144C3: dissect_rtp (packet-rtp.c:2102)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==  Address 0x14848960 is 48 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012== 
==31012== Invalid read of size 8
==31012==    at 0x976657A: g_hash_table_lookup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1229E: process_rtp_payload (packet-rtp.c:1168)
==31012==    by 0x6B1252C: dissect_rtp_data (packet-rtp.c:1355)
==31012==    by 0x6B144C3: dissect_rtp (packet-rtp.c:2102)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==  Address 0x14848950 is 32 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012== 
==31012== Invalid read of size 4
==31012==    at 0x9766587: g_hash_table_lookup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1229E: process_rtp_payload (packet-rtp.c:1168)
==31012==    by 0x6B1252C: dissect_rtp_data (packet-rtp.c:1355)
==31012==    by 0x6B144C3: dissect_rtp (packet-rtp.c:2102)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==  Address 0x14848934 is 4 bytes inside a block of size 88 free'd
==31012==    at 0x4C2B68C: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012== 
==31012== Invalid read of size 4
==31012==    at 0x9766593: g_hash_table_lookup (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B1229E: process_rtp_payload (packet-rtp.c:1168)
==31012==    by 0x6B1252C: dissect_rtp_data (packet-rtp.c:1355)
==31012==    by 0x6B144C3: dissect_rtp (packet-rtp.c:2102)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x6551FE6: try_conversation_dissector (conversation.c:1307)
==31012==    by 0x6C2919B: decode_udp_ports (packet-udp.c:368)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)
==31012==    by 0x655E843: call_dissector_through_handle (packet.c:595)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==  Address 0x14848a64 is 20 bytes inside a block of size 32 free'd
==31012==    at 0x4C2B68C: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31012==    by 0x976650B: g_hash_table_unref (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==31012==    by 0x6B15183: srtp_add_address (packet-rtp.c:1026)
==31012==    by 0x6B53026: setup_sdp_transport (packet-sdp.c:2096)
==31012==    by 0x6B6AA85: dissect_sip_common (packet-sip.c:3527)
==31012==    by 0x6B6B710: dissect_sip (packet-sip.c:2253)
==31012==    by 0x655E87E: call_dissector_through_handle (packet.c:591)
==31012==    by 0x655F134: call_dissector_work (packet.c:682)
==31012==    by 0x655F7EB: dissector_try_uint_new (packet.c:1113)
==31012==    by 0x655F846: dissector_try_uint (packet.c:1139)
==31012==    by 0x6C292E7: decode_udp_ports (packet-udp.c:411)
==31012==    by 0x6C29BB9: dissect (packet-udp.c:750)

More problems with the RTP hash tables... we should really just get rid of
those, they have caused a lot of problems. Maybe a wmem-backed hash table would
simplify things? I haven't even bothered running this against 1.10 where the
fuzz-bot actually failed...


You are receiving this mail because:
  • You are watching all bug changes.