Wireshark-bugs: [Wireshark-bugs] [Bug 11043] New: "Decode As..." crashes when a packet dialog is
Date: Mon, 09 Mar 2015 14:28:00 +0000
Bug ID 11043
Summary "Decode As..." crashes when a packet dialog is open
Product Wireshark
Version 1.99.x (Experimental)
Hardware x86
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component GTK+ UI
Assignee bugzilla-admin@wireshark.org
Reporter peter@lekensteyn.nl

Build Information:
v1.99.4rc0-34-g6bc138c
--
Wireshark GTK crashes when using the Decode As option while a packet dialog is
open.

Steps to reproduce:
 1. Use any capture, double-click the packet to open it in a new window.
 2. Right-click on the main packet tree, select Decode As...
 3. Select 9P (for example) and press OK (or double-click the protocol).
 4. ASAN violation.

I tried to reproduce it with Qt, but that dialog seems broken (the protocol
does not seem to get saved).

trace with wireshark-gtk:
==12667==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000e43980
at pc 0x7fffea4ad3e0 bp 0x7fffffffcb60 sp 0x7fffffffcb50
READ of size 8 at 0x603000e43980 thread T0
    #0 0x7fffea4ad3df in epan_get_interface_name epan/epan.c:175
    #1 0x7fffeac74d02 in dissect_frame epan/dissectors/packet-frame.c:313
    #2 0x7fffea4e4569 in call_dissector_through_handle epan/packet.c:612
    #3 0x7fffea4e4b91 in call_dissector_work epan/packet.c:700
    #4 0x7fffea4ebd8b in call_dissector_only epan/packet.c:2373
    #5 0x7fffea4ebdcf in call_dissector_with_data epan/packet.c:2386
    #6 0x7fffea4e2d7c in dissect_record epan/packet.c:492
    #7 0x7fffea4ade13 in epan_dissect_run epan/epan.c:330
    #8 0x4bd65f in redissect_packet_window ui/gtk/packet_win.c:193
    #9 0x7ffff54bf10c in g_list_foreach (/usr/lib/libglib-2.0.so.0+0x4710c)
    #10 0x4c78da in redissect_all_packet_windows ui/gtk/packet_win.c:1043
    #11 0x659ca1 in decode_ok_cb ui/gtk/decode_as_dlg.c:735
    #12 0x65ab54 in decode_list_button_press_cb ui/gtk/decode_as_dlg.c:1058
    #13 0x7ffff682e84c (/usr/lib/libgtk-3.so.0+0x1ed84c)
    #14 0x7ffff5796431 in g_closure_invoke
(/usr/lib/libgobject-2.0.so.0+0x10431)
    #15 0x7ffff57a8afb (/usr/lib/libgobject-2.0.so.0+0x22afb)
    #16 0x7ffff57b1294 in g_signal_emit_valist
(/usr/lib/libgobject-2.0.so.0+0x2b294)
    #17 0x7ffff57b19ee in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x2b9ee)
    #18 0x7ffff695f293 (/usr/lib/libgtk-3.so.0+0x31e293)
    #19 0x7ffff682c2ad (/usr/lib/libgtk-3.so.0+0x1eb2ad)
    #20 0x7ffff682de6d in gtk_main_do_event (/usr/lib/libgtk-3.so.0+0x1ece6d)
    #21 0x7ffff63d6bf1 (/usr/lib/libgdk-3.so.0+0x4fbf1)
    #22 0x7ffff54c2e2b in g_main_context_dispatch
(/usr/lib/libglib-2.0.so.0+0x4ae2b)
    #23 0x7ffff54c3127 (/usr/lib/libglib-2.0.so.0+0x4b127)
    #24 0x7ffff54c3471 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x4b471)
    #25 0x7ffff682d174 in gtk_main (/usr/lib/libgtk-3.so.0+0x1ec174)
    #26 0x48ab58 in main ui/gtk/main.c:3250
    #27 0x7fffe20c47ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
    #28 0x424348 in _start (/tmp/wsbuild/run/wireshark-gtk+0x424348)

0x603000e43980 is located 16 bytes inside of 32-byte region
[0x603000e43970,0x603000e43990)
freed by thread T0 here:
    #0 0x7ffff6f5752f in __interceptor_free (/usr/lib/libasan.so.1+0x5752f)
    #1 0x7fffea4ad5e1 in epan_free epan/epan.c:202
    #2 0x43b6c6 in rescan_packets file.c:1858
    #3 0x43aaa4 in cf_redissect_packets file.c:1724
    #4 0x48cf6c in redissect_packets ui/gtk/main.c:3890
    #5 0x659c9c in decode_ok_cb ui/gtk/decode_as_dlg.c:734
    #6 0x65ab54 in decode_list_button_press_cb ui/gtk/decode_as_dlg.c:1058
    #7 0x7ffff682e84c (/usr/lib/libgtk-3.so.0+0x1ed84c)

previously allocated by thread T0 here:
    #0 0x7ffff6f577a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
    #1 0x7ffff54c8cf1 in g_malloc (/usr/lib/libglib-2.0.so.0+0x50cf1)
    #2 0x7ffff54e021f in g_slice_alloc (/usr/lib/libglib-2.0.so.0+0x6821f)
    #3 0x7fffea4ad285 in epan_new epan/epan.c:155
    #4 0x43223f in ws_epan_new file.c:288
    #5 0x4324b2 in cf_open file.c:322
    #6 0x48a731 in main ui/gtk/main.c:3098
    #7 0x7fffe20c47ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)

SUMMARY: AddressSanitizer: heap-use-after-free epan/epan.c:175
epan_get_interface_name

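The two ASan stacks above describe a classic lifetime bug: decode_ok_cb first runs a full rescan (which frees the epan session and creates a new one) and then redissects every open packet window, but each window still uses the session pointer it captured when it was opened. The following is a constructed C model of that sequence, added here as an illustration; it is not the reporter's code, not Wireshark's code, and the rebind shown as a fix is one plausible pattern rather than the project's actual patch. All names (session_t, capture_file, packet_window, run_scenario) are hypothetical, and a quarantine flag stands in for the real free() so the stale read is detected deterministically instead of being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the lifetime bug in the trace above; names are
   hypothetical and this is not Wireshark's code. */

#define IFNAME_LEN 32
#define QUARANTINE_MAX 8

typedef struct session {
    int freed;                      /* set when "freed"; stands in for ASan's poisoning */
    char interface_name[IFNAME_LEN];
} session_t;

typedef struct capture_file {
    session_t *epan;                /* current session; replaced on every rescan */
} capture_file;

/* A detached packet window caches the session it was opened against. */
typedef struct packet_window {
    session_t *session;
    char last_ifname[IFNAME_LEN];
} packet_window;

static session_t *quarantine[QUARANTINE_MAX];
static int quarantine_len;

static session_t *session_new(const char *ifname)
{
    session_t *s = calloc(1, sizeof *s);
    if (!s) abort();
    snprintf(s->interface_name, sizeof s->interface_name, "%s", ifname);
    return s;
}

/* Instead of free(), park the block so a later read is detected
   deterministically rather than being undefined behaviour. */
static void session_free(session_t *s)
{
    s->freed = 1;
    if (quarantine_len < QUARANTINE_MAX) quarantine[quarantine_len++] = s;
}

static void quarantine_flush(void)
{
    while (quarantine_len > 0) free(quarantine[--quarantine_len]);
}

/* Model of epan_get_interface_name(): NULL on a dead session, where the
   real code performs the heap-use-after-free read. */
static const char *session_get_interface_name(const session_t *s)
{
    return s->freed ? NULL : s->interface_name;
}

/* Model of rescan_packets(): the old session is freed and a new one is
   created; nothing tells the open packet windows about it. */
static void rescan_packets(capture_file *cf, const char *ifname)
{
    session_free(cf->epan);
    cf->epan = session_new(ifname);
}

/* Model of redissect_packet_window(): 0 on success, -1 if the window's
   cached session is gone. */
static int redissect_packet_window(packet_window *w)
{
    const char *name = session_get_interface_name(w->session);
    if (!name) return -1;
    snprintf(w->last_ifname, sizeof w->last_ifname, "%s", name);
    return 0;
}

/* decode_ok_cb() as in the trace: rescan first, then redissect windows
   through the pointer each of them cached at open time. */
static int decode_as_ok_as_reported(capture_file *cf, packet_window *w)
{
    rescan_packets(cf, "eth0");
    return redissect_packet_window(w);
}

/* One possible fix: rebind every open window to cf->epan after the
   rescan and before redissecting it. */
static int decode_as_ok_rebind(capture_file *cf, packet_window *w)
{
    rescan_packets(cf, "eth0");
    w->session = cf->epan;
    return redissect_packet_window(w);
}

/* Drives one scenario end to end and returns the redissect status. */
static int run_scenario(int use_fix)
{
    capture_file cf = { session_new("eth0") };
    packet_window w;
    memset(&w, 0, sizeof w);
    w.session = cf.epan;            /* window opened against the first session */
    int rc = use_fix ? decode_as_ok_rebind(&cf, &w)
                     : decode_as_ok_as_reported(&cf, &w);
    session_free(cf.epan);
    quarantine_flush();
    return rc;
}

int main(void)
{
    printf("as reported: %d\n", run_scenario(0));
    printf("with rebind: %d\n", run_scenario(1));
    return 0;
}
```

The rebind is the minimal repair for this model; the equivalent alternative is to tear down or re-initialise each window's dissection state before the session is freed, which is what the ordering of the "freed by" and "READ" stacks suggests was missing. Either way, the invariant to check in review is that no UI object outlives the epan session it points into without being re-pointed when that session is replaced.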
