Wireshark-bugs: [Wireshark-bugs] [Bug 10714] Crash while analyze rtp streams
Date: Fri, 06 Feb 2015 23:30:21 +0000

changed bug 10714


What Removed Added
CC   peter@lekensteyn.nl

Comment # 6 on bug 10714 from
I have also encountered a crash when trying to perform RTP analysis. ASAN
backtrace is below.

The problem is that ti_ptr is of type GList* while rtpstream_dlg_update assumes
rtpstream_tapinfo_t* instead.

==27243==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x603001922490 at pc 0x5bd0dd bp 0x7fffffffce20 sp 0x7fffffffce10
READ of size 8 at 0x603001922490 thread T0
    #0 0x5bd0dc in rtpstream_dlg_update
/tmp/wireshark/ui/gtk/rtp_stream_dlg.c:1097
    #1 0x5bd270 in rtpstream_dlg_show
/tmp/wireshark/ui/gtk/rtp_stream_dlg.c:1143
    #2 0x5bd2b3 in rtpstream_launch /tmp/wireshark/ui/gtk/rtp_stream_dlg.c:1159
    #3 0x7ffff579e431 in g_closure_invoke
(/usr/lib/libgobject-2.0.so.0+0x10431)
    #4 0x7ffff57b0afb (/usr/lib/libgobject-2.0.so.0+0x22afb)
    #5 0x7ffff57b9787 in g_signal_emit_valist
(/usr/lib/libgobject-2.0.so.0+0x2b787)
    #6 0x7ffff57b99ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #7 0x7ffff66e8520 (/usr/lib/libgtk-3.so.0+0xa0520)
    #8 0x7ffff579e431 in g_closure_invoke
(/usr/lib/libgobject-2.0.so.0+0x10431)
    #9 0x7ffff57b0403 (/usr/lib/libgobject-2.0.so.0+0x22403)
    #10 0x7ffff57b9787 in g_signal_emit_valist
(/usr/lib/libgobject-2.0.so.0+0x2b787)
    #11 0x7ffff57b99ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #12 0x7ffff697da5f in gtk_widget_activate (/usr/lib/libgtk-3.so.0+0x335a5f)
    #13 0x7ffff68628c5 in gtk_menu_shell_activate_item
(/usr/lib/libgtk-3.so.0+0x21a8c5)
    #14 0x7ffff6862c7e (/usr/lib/libgtk-3.so.0+0x21ac7e)
    #15 0x7ffff68433c0 (/usr/lib/libgtk-3.so.0+0x1fb3c0)
    #16 0x7ffff579e431 in g_closure_invoke
(/usr/lib/libgobject-2.0.so.0+0x10431)
    #17 0x7ffff57b09ef (/usr/lib/libgobject-2.0.so.0+0x229ef)
    #18 0x7ffff57b9294 in g_signal_emit_valist
(/usr/lib/libgobject-2.0.so.0+0x2b294)
    #19 0x7ffff57b99ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #20 0x7ffff697ebab (/usr/lib/libgtk-3.so.0+0x336bab)
    #21 0x7ffff6840c7e (/usr/lib/libgtk-3.so.0+0x1f8c7e)
    #22 0x7ffff684293d in gtk_main_do_event (/usr/lib/libgtk-3.so.0+0x1fa93d)
    #23 0x7ffff63df5a9 (/usr/lib/libgdk-3.so.0+0x515a9)
    #24 0x7ffff54cae2b in g_main_context_dispatch
(/usr/lib/libglib-2.0.so.0+0x4ae2b)
    #25 0x7ffff54cb127 (/usr/lib/libglib-2.0.so.0+0x4b127)
    #26 0x7ffff54cb471 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x4b471)
    #27 0x7ffff6841b8c in gtk_main (/usr/lib/libgtk-3.so.0+0x1f9b8c)
    #28 0x48aa64 in main /tmp/wireshark/ui/gtk/main.c:3247
    #29 0x7fffe224c03f in __libc_start_main (/usr/lib/libc.so.6+0x2003f)
    #30 0x424078 (/tmp/wsbuild/run/wireshark-gtk+0x424078)

0x603001922490 is located 8 bytes to the right of 24-byte region
[0x603001922470,0x603001922488)
allocated by thread T0 here:
    #0 0x7ffff6f57797 in malloc (/usr/lib/libasan.so.1+0x57797)
    #1 0x7ffff54d0cf1 in g_malloc (/usr/lib/libglib-2.0.so.0+0x50cf1)
    #2 0x7ffff54e821f in g_slice_alloc (/usr/lib/libglib-2.0.so.0+0x6821f)
    #3 0x7ffff54c6f8c in g_list_append (/usr/lib/libglib-2.0.so.0+0x46f8c)
    #4 0x783863 in rtpstream_packet /tmp/wireshark/ui/tap-rtp-common.c:237
    #5 0x7fffea668d04 in tap_push_tapped_queue /tmp/wireshark/epan/tap.c:331
    #6 0x7fffea594a02 in epan_dissect_run_with_taps
/tmp/wireshark/epan/epan.c:344
    #7 0x43dfab in retap_packet /tmp/wireshark/file.c:2338
    #8 0x43dccd in process_specified_records /tmp/wireshark/file.c:2308
    #9 0x43e1ac in cf_retap_packets /tmp/wireshark/file.c:2382
    #10 0x77d416 in rtpstream_scan /tmp/wireshark/ui/rtp_stream.c:80
    #11 0x5bd2a4 in rtpstream_launch
/tmp/wireshark/ui/gtk/rtp_stream_dlg.c:1156
    #12 0x7ffff579e431 in g_closure_invoke
(/usr/lib/libgobject-2.0.so.0+0x10431)
    #13 0x7ffff57b0afb (/usr/lib/libgobject-2.0.so.0+0x22afb)
    #14 0x7ffff57b9787 in g_signal_emit_valist
(/usr/lib/libgobject-2.0.so.0+0x2b787)
    #15 0x7ffff57b99ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #16 0x7ffff66e8520 (/usr/lib/libgtk-3.so.0+0xa0520)
    #17 0x7ffff579e431 in g_closure_invoke
(/usr/lib/libgobject-2.0.so.0+0x10431)
    #18 0x7ffff57b0403 (/usr/lib/libgobject-2.0.so.0+0x22403)
    #19 0x7ffff57b9787 in g_signal_emit_valist
(/usr/lib/libgobject-2.0.so.0+0x2b787)
    #20 0x7ffff57b99ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #21 0x7ffff697da5f in gtk_widget_activate (/usr/lib/libgtk-3.so.0+0x335a5f)
    #22 0x7ffff68628c5 in gtk_menu_shell_activate_item
(/usr/lib/libgtk-3.so.0+0x21a8c5)
    #23 0x7ffff6862c7e (/usr/lib/libgtk-3.so.0+0x21ac7e)
    #24 0x7ffff68433c0 (/usr/lib/libgtk-3.so.0+0x1fb3c0)
    #25 0x7ffff579e431 in g_closure_invoke
(/usr/lib/libgobject-2.0.so.0+0x10431)
    #26 0x7ffff57b09ef (/usr/lib/libgobject-2.0.so.0+0x229ef)
    #27 0x7ffff57b9294 in g_signal_emit_valist
(/usr/lib/libgobject-2.0.so.0+0x2b294)
    #28 0x7ffff57b99ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #29 0x7ffff697ebab (/usr/lib/libgtk-3.so.0+0x336bab)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/tmp/wireshark/ui/gtk/rtp_stream_dlg.c:1097 rtpstream_dlg_update
Shadow bytes around the buggy address:
  0x0c068031c440: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c068031c450: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c068031c460: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c068031c470: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c068031c480: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
=>0x0c068031c490: 00 fa[fa]fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c068031c4a0: fd fd fd fd fa fa 00 00 00 07 fa fa 00 00 00 00
  0x0c068031c4b0: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa fd fd
  0x0c068031c4c0: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c068031c4d0: 00 00 00 07 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c068031c4e0: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==27243==ABORTING


You are receiving this mail because:
  • You are watching all bug changes.