Wireshark-bugs: [Wireshark-bugs] [Bug 10316] New: Buildbot crash output: fuzz-2014-07-28-10756.p
Date: Mon, 28 Jul 2014 10:10:03 +0000
Bug ID 10316
Summary Buildbot crash output: fuzz-2014-07-28-10756.pcap
Classification Unclassified
Product Wireshark
Version unspecified
Hardware x86-64
URL http://www.wireshark.org/download/automated/captures/fuzz-2014-07-28-10756.pcap
OS Ubuntu
Status CONFIRMED
Severity Major
Priority High
Component Dissection engine (libwireshark)
Assignee bugzilla-admin@wireshark.org
Reporter buildbot-do-not-reply@wireshark.org

Problems have been found with the following capture file:

http://www.wireshark.org/download/automated/captures/fuzz-2014-07-28-10756.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/1432-hcilog_H4.log

Build host information:
Linux wsbb04 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:    Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:    14.04
Codename:    trusty

Buildbot information:
BUILDBOT_REPOSITORY=ssh://wireshark-buildbot@code.wireshark.org:29418/wireshark
BUILDBOT_BUILDNUMBER=2884
BUILDBOT_URL=http://buildbot.wireshark.org/trunk/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_SLAVENAME=clang-code-analysis
BUILDBOT_GOT_REVISION=507d07eda6ad562d4567cf0ee83aa9b03997beca

Return value:  0

Dissector bug:  0

Valgrind error count:  3044



Git commit
commit 507d07eda6ad562d4567cf0ee83aa9b03997beca
Author: Michael Mann <mmann78@netscape.net>
Date:   Tue Jul 15 23:04:41 2014 -0400

    Allow severity levels of expert info items to be configured by the user.

    UAT was the easiest way to do this and I like the "file format" of the
data, but the presentation doesn't seem that great.

    Bug:10180
    Change-Id: I7e6bc9e148bc47585a0a7eb8f96900a5c374e673
    Reviewed-on: https://code.wireshark.org/review/3082
    Petri-Dish: Michael Mann <mmann78@netscape.net>
    Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
    Reviewed-by: Michael Mann <mmann78@netscape.net>


Command and args: ./tools/valgrind-wireshark.sh 

==1548== Memcheck, a memory error detector
==1548== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==1548== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==1548== Command:
/home/wireshark/builders/trunk-clang-ca/clangcodeanalysis/install/bin/tshark
-nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2014-07-28-10756.pcap
==1548== 
==1548== Invalid read of size 2
==1548==    at 0x6771CD4: dissect_btobex (packet-btobex.c:1433)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x6775487: dissect_btrfcomm (packet-btrfcomm.c:885)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661C751: call_dissector_with_data (packet.c:2297)
==1548==  Address 0x1194dfa0 is 20 bytes after a block of size 28 alloc'd
==1548==    at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1548==    by 0x998F610: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==1548==    by 0x712311B: wmem_simple_alloc (wmem_allocator_simple.c:55)
==1548==    by 0x67753B5: dissect_btrfcomm (packet-btrfcomm.c:864)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661C751: call_dissector_with_data (packet.c:2297)
==1548==    by 0x67554E4: dissect_bthci_acl (packet-bthci_acl.c:360)
==1548== 
==1548== Invalid read of size 2
==1548==    at 0x6772B19: dissect_btobex (packet-btobex.c:1567)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x6775487: dissect_btrfcomm (packet-btrfcomm.c:885)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661C751: call_dissector_with_data (packet.c:2297)
==1548==  Address 0x1194dfa0 is 20 bytes after a block of size 28 alloc'd
==1548==    at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1548==    by 0x998F610: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==1548==    by 0x712311B: wmem_simple_alloc (wmem_allocator_simple.c:55)
==1548==    by 0x67753B5: dissect_btrfcomm (packet-btrfcomm.c:864)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661C751: call_dissector_with_data (packet.c:2297)
==1548==    by 0x67554E4: dissect_bthci_acl (packet-bthci_acl.c:360)
==1548== 
==1548== Invalid read of size 2
==1548==    at 0x677255B: dissect_btobex (packet-btobex.c:1668)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x6775487: dissect_btrfcomm (packet-btrfcomm.c:885)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661C751: call_dissector_with_data (packet.c:2297)
==1548==  Address 0x11950ff0 is 20 bytes after a block of size 28 alloc'd
==1548==    at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1548==    by 0x998F610: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==1548==    by 0x712311B: wmem_simple_alloc (wmem_allocator_simple.c:55)
==1548==    by 0x67753B5: dissect_btrfcomm (packet-btrfcomm.c:864)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661C751: call_dissector_with_data (packet.c:2297)
==1548==    by 0x67554E4: dissect_bthci_acl (packet-bthci_acl.c:360)
==1548== 
==1548== Conditional jump or move depends on uninitialised value(s)
==1548==    at 0x7124D75: wmem_tree_lookup32_le (wmem_tree.c:399)
==1548==    by 0x7124F72: wmem_tree_lookup32_array_helper (wmem_tree.c:596)
==1548==    by 0x677265B: dissect_btobex (packet-btobex.c:1701)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x6775487: dissect_btrfcomm (packet-btrfcomm.c:885)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548== 
==1548== Conditional jump or move depends on uninitialised value(s)
==1548==    at 0x6772684: dissect_btobex (packet-btobex.c:1703)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x6775487: dissect_btrfcomm (packet-btrfcomm.c:885)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661C751: call_dissector_with_data (packet.c:2297)
==1548== 
==1548== Invalid read of size 2
==1548==    at 0x6772102: dissect_btobex (packet-btobex.c:1312)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x6775487: dissect_btrfcomm (packet-btrfcomm.c:885)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661C751: call_dissector_with_data (packet.c:2297)
==1548==  Address 0x11950ff0 is 20 bytes after a block of size 28 alloc'd
==1548==    at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1548==    by 0x998F610: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4000.0)
==1548==    by 0x712311B: wmem_simple_alloc (wmem_allocator_simple.c:55)
==1548==    by 0x67753B5: dissect_btrfcomm (packet-btrfcomm.c:864)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661C751: call_dissector_with_data (packet.c:2297)
==1548==    by 0x67554E4: dissect_bthci_acl (packet-bthci_acl.c:360)
==1548== 
==1548== Conditional jump or move depends on uninitialised value(s)
==1548==    at 0x7124D75: wmem_tree_lookup32_le (wmem_tree.c:399)
==1548==    by 0x7124F72: wmem_tree_lookup32_array_helper (wmem_tree.c:596)
==1548==    by 0x6771892: dissect_btobex (packet-btobex.c:1464)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x6775487: dissect_btrfcomm (packet-btrfcomm.c:885)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548== 
==1548== Conditional jump or move depends on uninitialised value(s)
==1548==    at 0x67723B0: dissect_btobex (packet-btobex.c:1466)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x6775487: dissect_btrfcomm (packet-btrfcomm.c:885)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661C751: call_dissector_with_data (packet.c:2297)
==1548== 
==1548== Conditional jump or move depends on uninitialised value(s)
==1548==    at 0x7125405: lookup_or_insert32 (wmem_tree.c:329)
==1548==    by 0x7125707: wmem_tree_insert32_array (wmem_tree.c:565)
==1548==    by 0x6772C54: dissect_btobex (packet-btobex.c:1608)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x6775487: dissect_btrfcomm (packet-btrfcomm.c:885)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548== 
==1548== Conditional jump or move depends on uninitialised value(s)
==1548==    at 0x7124D79: wmem_tree_lookup32_le (wmem_tree.c:402)
==1548==    by 0x7124F72: wmem_tree_lookup32_array_helper (wmem_tree.c:596)
==1548==    by 0x6771892: dissect_btobex (packet-btobex.c:1464)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x6775487: dissect_btrfcomm (packet-btrfcomm.c:885)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548== 
==1548== Conditional jump or move depends on uninitialised value(s)
==1548==    at 0x7124D98: wmem_tree_lookup32_le (wmem_tree.c:408)
==1548==    by 0x7124F72: wmem_tree_lookup32_array_helper (wmem_tree.c:596)
==1548==    by 0x6771892: dissect_btobex (packet-btobex.c:1464)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x6775487: dissect_btrfcomm (packet-btrfcomm.c:885)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548== 
==1548== Conditional jump or move depends on uninitialised value(s)
==1548==    at 0x7124DD5: wmem_tree_lookup32_le (wmem_tree.c:426)
==1548==    by 0x7124F72: wmem_tree_lookup32_array_helper (wmem_tree.c:596)
==1548==    by 0x6771892: dissect_btobex (packet-btobex.c:1464)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x6775487: dissect_btrfcomm (packet-btrfcomm.c:885)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548==    by 0x661ABE4: call_dissector_work (packet.c:713)
==1548==    by 0x661B29B: dissector_try_uint_new (packet.c:1145)
==1548==    by 0x676E84B: dissect_btl2cap (packet-btl2cap.c:1670)
==1548==    by 0x661A2FE: call_dissector_through_handle (packet.c:622)
==1548== 
==1548== 
==1548== HEAP SUMMARY:
==1548==     in use at exit: 1,208,031 bytes in 29,330 blocks
==1548==   total heap usage: 291,982 allocs, 262,652 frees, 33,647,029 bytes
allocated
==1548== 
==1548== LEAK SUMMARY:
==1548==    definitely lost: 5,384 bytes in 165 blocks
==1548==    indirectly lost: 36,648 bytes in 49 blocks
==1548==      possibly lost: 0 bytes in 0 blocks
==1548==    still reachable: 1,165,999 bytes in 29,116 blocks
==1548==         suppressed: 0 bytes in 0 blocks
==1548== Rerun with --leak-check=full to see details of leaked memory
==1548== 
==1548== For counts of detected and suppressed errors, rerun with: -v
==1548== Use --track-origins=yes to see where uninitialised values come from
==1548== ERROR SUMMARY: 3044 errors from 12 contexts (suppressed: 0 from 0)

[ no debug trace ]


You are receiving this mail because:
  • You are watching all bug changes.