Wireshark-bugs: [Wireshark-bugs] [Bug 10714] Crash while analyze rtp streams
Date: Fri, 06 Feb 2015 23:30:21 +0000
| What | Removed | Added |
|---|---|---|
| CC | | peter@lekensteyn.nl |
Comment #6 on bug 10714 from Peter Wu
I have also encountered a crash when trying to perform RTP analysis. ASAN backtrace is below. The problem is that ti_ptr is of type GList* while rtpstream_dlg_update assumes rtpstream_tapinfo_t* instead.

```
==27243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603001922490 at pc 0x5bd0dd bp 0x7fffffffce20 sp 0x7fffffffce10
READ of size 8 at 0x603001922490 thread T0
    #0 0x5bd0dc in rtpstream_dlg_update /tmp/wireshark/ui/gtk/rtp_stream_dlg.c:1097
    #1 0x5bd270 in rtpstream_dlg_show /tmp/wireshark/ui/gtk/rtp_stream_dlg.c:1143
    #2 0x5bd2b3 in rtpstream_launch /tmp/wireshark/ui/gtk/rtp_stream_dlg.c:1159
    #3 0x7ffff579e431 in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x10431)
    #4 0x7ffff57b0afb (/usr/lib/libgobject-2.0.so.0+0x22afb)
    #5 0x7ffff57b9787 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x2b787)
    #6 0x7ffff57b99ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #7 0x7ffff66e8520 (/usr/lib/libgtk-3.so.0+0xa0520)
    #8 0x7ffff579e431 in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x10431)
    #9 0x7ffff57b0403 (/usr/lib/libgobject-2.0.so.0+0x22403)
    #10 0x7ffff57b9787 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x2b787)
    #11 0x7ffff57b99ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #12 0x7ffff697da5f in gtk_widget_activate (/usr/lib/libgtk-3.so.0+0x335a5f)
    #13 0x7ffff68628c5 in gtk_menu_shell_activate_item (/usr/lib/libgtk-3.so.0+0x21a8c5)
    #14 0x7ffff6862c7e (/usr/lib/libgtk-3.so.0+0x21ac7e)
    #15 0x7ffff68433c0 (/usr/lib/libgtk-3.so.0+0x1fb3c0)
    #16 0x7ffff579e431 in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x10431)
    #17 0x7ffff57b09ef (/usr/lib/libgobject-2.0.so.0+0x229ef)
    #18 0x7ffff57b9294 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x2b294)
    #19 0x7ffff57b99ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #20 0x7ffff697ebab (/usr/lib/libgtk-3.so.0+0x336bab)
    #21 0x7ffff6840c7e (/usr/lib/libgtk-3.so.0+0x1f8c7e)
    #22 0x7ffff684293d in gtk_main_do_event (/usr/lib/libgtk-3.so.0+0x1fa93d)
    #23 0x7ffff63df5a9 (/usr/lib/libgdk-3.so.0+0x515a9)
    #24 0x7ffff54cae2b in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x4ae2b)
    #25 0x7ffff54cb127 (/usr/lib/libglib-2.0.so.0+0x4b127)
    #26 0x7ffff54cb471 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x4b471)
    #27 0x7ffff6841b8c in gtk_main (/usr/lib/libgtk-3.so.0+0x1f9b8c)
    #28 0x48aa64 in main /tmp/wireshark/ui/gtk/main.c:3247
    #29 0x7fffe224c03f in __libc_start_main (/usr/lib/libc.so.6+0x2003f)
    #30 0x424078 (/tmp/wsbuild/run/wireshark-gtk+0x424078)

0x603001922490 is located 8 bytes to the right of 24-byte region [0x603001922470,0x603001922488)
allocated by thread T0 here:
    #0 0x7ffff6f57797 in malloc (/usr/lib/libasan.so.1+0x57797)
    #1 0x7ffff54d0cf1 in g_malloc (/usr/lib/libglib-2.0.so.0+0x50cf1)
    #2 0x7ffff54e821f in g_slice_alloc (/usr/lib/libglib-2.0.so.0+0x6821f)
    #3 0x7ffff54c6f8c in g_list_append (/usr/lib/libglib-2.0.so.0+0x46f8c)
    #4 0x783863 in rtpstream_packet /tmp/wireshark/ui/tap-rtp-common.c:237
    #5 0x7fffea668d04 in tap_push_tapped_queue /tmp/wireshark/epan/tap.c:331
    #6 0x7fffea594a02 in epan_dissect_run_with_taps /tmp/wireshark/epan/epan.c:344
    #7 0x43dfab in retap_packet /tmp/wireshark/file.c:2338
    #8 0x43dccd in process_specified_records /tmp/wireshark/file.c:2308
    #9 0x43e1ac in cf_retap_packets /tmp/wireshark/file.c:2382
    #10 0x77d416 in rtpstream_scan /tmp/wireshark/ui/rtp_stream.c:80
    #11 0x5bd2a4 in rtpstream_launch /tmp/wireshark/ui/gtk/rtp_stream_dlg.c:1156
    #12 0x7ffff579e431 in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x10431)
    #13 0x7ffff57b0afb (/usr/lib/libgobject-2.0.so.0+0x22afb)
    #14 0x7ffff57b9787 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x2b787)
    #15 0x7ffff57b99ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #16 0x7ffff66e8520 (/usr/lib/libgtk-3.so.0+0xa0520)
    #17 0x7ffff579e431 in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x10431)
    #18 0x7ffff57b0403 (/usr/lib/libgobject-2.0.so.0+0x22403)
    #19 0x7ffff57b9787 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x2b787)
    #20 0x7ffff57b99ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #21 0x7ffff697da5f in gtk_widget_activate (/usr/lib/libgtk-3.so.0+0x335a5f)
    #22 0x7ffff68628c5 in gtk_menu_shell_activate_item (/usr/lib/libgtk-3.so.0+0x21a8c5)
    #23 0x7ffff6862c7e (/usr/lib/libgtk-3.so.0+0x21ac7e)
    #24 0x7ffff68433c0 (/usr/lib/libgtk-3.so.0+0x1fb3c0)
    #25 0x7ffff579e431 in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x10431)
    #26 0x7ffff57b09ef (/usr/lib/libgobject-2.0.so.0+0x229ef)
    #27 0x7ffff57b9294 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x2b294)
    #28 0x7ffff57b99ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #29 0x7ffff697ebab (/usr/lib/libgtk-3.so.0+0x336bab)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/wireshark/ui/gtk/rtp_stream_dlg.c:1097 rtpstream_dlg_update
Shadow bytes around the buggy address:
  0x0c068031c440: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c068031c450: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c068031c460: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c068031c470: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c068031c480: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
=>0x0c068031c490: 00 fa[fa]fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c068031c4a0: fd fd fd fd fa fa 00 00 00 07 fa fa 00 00 00 00
  0x0c068031c4b0: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa fd fd
  0x0c068031c4c0: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c068031c4d0: 00 00 00 07 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c068031c4e0: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB: fc
  ASan internal:         fe
==27243==ABORTING
```
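The mismatch Peter describes (a `GList*` handed to a callback that casts it to the larger `rtpstream_tapinfo_t*`) is a plain type confusion on a `gpointer` user-data argument. The following is an added example, not Wireshark's code: the struct layouts are constructed stand-ins (the `TapInfo` padding is chosen so its list pointer lands at offset 32, matching the report's read 8 bytes past a 24-byte `GList` node), and the tagged `CbData` wrapper is a defensive pattern that lets the callee reject the wrong object instead of reading past it.

```c
#include <stddef.h>

/* Constructed stand-ins, not Wireshark's real definitions. ListNode mirrors
 * GList's 24-byte layout on LP64; TapInfo is padded so that its list pointer
 * sits at offset 32, which is where the report shows the read landing
 * (8 bytes past the end of a 24-byte GList node). */
typedef struct ListNode { void *data; struct ListNode *next; struct ListNode *prev; } ListNode;
typedef struct TapInfo { void *pad[4]; ListNode *strinfo_list; } TapInfo;

/* Tagged wrapper for gpointer-style user data: the receiver can check what
 * it was given before casting instead of trusting the caller. */
typedef enum { KIND_LIST = 1, KIND_TAPINFO = 2 } Kind;
typedef struct CbData { Kind kind; void *ptr; } CbData;

static TapInfo *cbdata_as_tapinfo(const CbData *d) {
    return (d && d->kind == KIND_TAPINFO) ? (TapInfo *)d->ptr : NULL;
}

/* How far a TapInfo-typed read of strinfo_list reaches past a ListNode. */
size_t bytes_past_list_node(void) {
    return offsetof(TapInfo, strinfo_list) - sizeof(ListNode);
}

/* Stand-in for the dialog update: counts streams, or returns -1 when the
 * user data is not a TapInfo instead of reading past a smaller object. */
int dlg_update(void *user_data) {
    TapInfo *ti = cbdata_as_tapinfo((const CbData *)user_data);
    if (!ti) return -1;
    int n = 0;
    for (ListNode *l = ti->strinfo_list; l; l = l->next) n++;
    return n;
}

/* Caller passes the right object: three streams are counted. */
int demo_correct(void) {
    ListNode c = { NULL, NULL, NULL }, b = { NULL, &c, NULL }, a = { NULL, &b, NULL };
    TapInfo ti = { { NULL, NULL, NULL, NULL }, &a };
    CbData d = { KIND_TAPINFO, &ti };
    return dlg_update(&d);
}

/* Caller makes the mistake from the report, handing over the list itself:
 * the tag check rejects it rather than overflowing the 24-byte node. */
int demo_mismatch(void) {
    ListNode a = { NULL, NULL, NULL };
    CbData d = { KIND_LIST, &a };
    return dlg_update(&d);
}
```

Without the wrapper the only thing that catches this class of bug at runtime is a sanitizer build (`-fsanitize=address`), which is exactly what produced the report above.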