Wireshark-bugs: [Wireshark-bugs] [Bug 11573] New: Heap-use-after-free in Flow Graph after a capt
Date: Wed, 07 Oct 2015 11:14:19 +0000
Bug ID: 11573
Summary: Heap-use-after-free in Flow Graph after a capture file is closed/reloaded
Product: Wireshark
Version: Git
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Qt UI
Assignee: bugzilla-admin@wireshark.org
Reporter: peter@lekensteyn.nl
CC: gerald@wireshark.org

Build Information:
Wireshark 2.1.0 (v2.1.0rc0-20-g8695303 from master)

Copyright 1998-2015 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.5.0, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with libz 1.2.8, with GLib 2.46.0, without SMI, without c-ares,
without ADNS, with Lua 5.2, with GnuTLS 3.4.5, with Gcrypt 1.6.4, with MIT
Kerberos, with GeoIP, with QtMultimedia, without AirPcap.

Running on Linux 4.2.1-1-ARCH, with locale C, with libpcap version 1.7.4, with
libz 1.2.8, with GnuTLS 3.4.5, with Gcrypt 1.6.4.
Intel(R) Core(TM) i5 CPU       M 560  @ 2.67GHz (with SSE4.2)

Built using clang 4.2.1 Compatible Clang 3.7.0 (tags/RELEASE_370/final).
--
After reloading a capture file, activity in the Flow Graph will try to access
data from the old capture file and then crash with heap-use-after-free.

Steps to reproduce:
 1. Open capture file.
 2. Go to Statistics -> Flow Graph.
 3. Reload capture file (Ctrl+R).
 4. Hover over/click/drag the flow graph.
 5. Crash.

The hover action can be "fixed" by checking for the file_closed_ flag in
mouseMoved (or by avoiding access to sai->fd as shown below). Clicking/dragging
the view however still crashes in SequenceDiagram::draw. The LBM statistics
also seem to use SequenceDiagram and are possibly affected by this bug as well.
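The pattern behind the crash is a dialog that caches seq_analysis_item_t
pointers whose fd members point into frame data owned by the capture file;
when the file is closed or reloaded, those frames are freed but the cached
items are not, so the next paint or mouse handler reads freed memory. The
following is an added, Qt-free sketch (not Wireshark code) of the defensive
shape the report describes: the dialog drops its cached items and sets a
file_closed_ flag when told the file is closing, before the frames go away.
Names such as CaptureFile, SequenceDialogModel, fillDiagram and
captureFileClosing are assumptions made for the sketch, not Wireshark's API.

```cpp
// Added illustration, not Wireshark code. Models a dialog that caches
// pointers into capture-file frame data and must drop them on close/reload.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

// Stand-in for Wireshark's frame_data: owned by the capture file.
struct frame_data {
    uint32_t num;
};

// Stand-in for seq_analysis_item_t: refers to a frame but does not own it.
struct seq_analysis_item_t {
    frame_data *fd;
    std::string comment;
};

// The capture file owns its frames; closing/reloading frees every one of them,
// so any frame_data* handed out earlier becomes dangling.
struct CaptureFile {
    std::vector<std::unique_ptr<frame_data>> frames;
    void load(uint32_t count) {
        frames.clear();
        for (uint32_t i = 1; i <= count; ++i)
            frames.push_back(std::unique_ptr<frame_data>(new frame_data{i}));
    }
    void close() { frames.clear(); }
};

// Hypothetical model of the dialog; file_closed_ mirrors the flag in the report.
class SequenceDialogModel {
public:
    explicit SequenceDialogModel(CaptureFile &cf) : cf_(cf) {}

    // Build items that reference the capture file's frames (as the flow graph does).
    void fillDiagram() {
        items_.clear();
        for (const auto &f : cf_.frames)
            items_.push_back({f.get(), "frame " + std::to_string(f->num)});
        file_closed_ = false;
    }

    // Must run from the capture-file-closing notification, before the frames
    // are freed: clear the cached pointers so later handlers cannot touch them.
    void captureFileClosing() {
        file_closed_ = true;
        items_.clear();
    }

    // Like SequenceDiagram::draw: returns the number of items painted,
    // or -1 if painting was requested while no file is open.
    int draw(uint32_t selected_packet) const {
        if (file_closed_) return -1;
        int painted = 0;
        for (const auto &sai : items_) {
            bool highlighted = (sai.fd->num == selected_packet);  // fd is alive here
            (void)highlighted;
            ++painted;
        }
        return painted;
    }

    // Like mouseMoved: packet number for the hovered row, 0 if none or file closed.
    uint32_t packetAtRow(std::size_t row) const {
        if (file_closed_ || row >= items_.size()) return 0;
        return items_[row].fd->num;
    }

private:
    CaptureFile &cf_;
    std::vector<seq_analysis_item_t> items_;
    bool file_closed_ = true;
};

// Open a 3-packet file, show the diagram, draw with packet 2 selected.
int openScenarioDraw() {
    CaptureFile cf;
    cf.load(3);
    SequenceDialogModel dlg(cf);
    dlg.fillDiagram();
    return dlg.draw(2);  // 3 items painted
}

// The report's sequence: open, show flow graph, reload, then hover/draw.
// With the closing hook wired in, the handlers see an empty dialog instead
// of dereferencing freed frames.
uint32_t reloadScenarioHover() {
    CaptureFile cf;
    cf.load(3);
    SequenceDialogModel dlg(cf);
    dlg.fillDiagram();
    dlg.captureFileClosing();  // notified before the frames are freed
    cf.close();
    cf.load(3);
    return dlg.packetAtRow(1);  // 0: no stale item consulted
}

int reloadScenarioDraw() {
    CaptureFile cf;
    cf.load(3);
    SequenceDialogModel dlg(cf);
    dlg.fillDiagram();
    dlg.captureFileClosing();
    cf.close();
    return dlg.draw(2);  // -1: draw refused while file is closed
}
```

The ordering matters: the closing notification has to reach the dialog before
the capture file frees its frames, otherwise the gap between free and clear is
exactly the window in which a paint or mouse event triggers the use-after-free.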

This hack avoids the crash:

diff --git a/ui/qt/sequence_diagram.cpp b/ui/qt/sequence_diagram.cpp
index 6ba46b5..d181f6f 100644
--- a/ui/qt/sequence_diagram.cpp
+++ b/ui/qt/sequence_diagram.cpp
@@ -203,7 +203,7 @@ void SequenceDiagram::draw(QCPPainter *painter)
         seq_analysis_item_t *sai = it.value().value;
         QPen fg_pen(mainPen());

-        if (sai->fd->num == selected_packet_) {
+        if (false && sai->fd->num == selected_packet_) {
             // Highlighted background
             painter->save();
             QRect bg_rect(
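Review bot: `if (false && sai->fd->num == selected_packet_)` only disables the highlighted-background branch; it does not address the dangling `sai->fd`, and the rest of `draw` still walks items from the closed file. A real fix should either clear the diagram's items when the capture file closes or gate the whole draw path on the same file-closed state, rather than removing the selection highlight.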
diff --git a/ui/qt/sequence_dialog.cpp b/ui/qt/sequence_dialog.cpp
index e30fcc6..d9e4a5a 100644
--- a/ui/qt/sequence_dialog.cpp
+++ b/ui/qt/sequence_dialog.cpp
@@ -249,6 +249,7 @@ void SequenceDialog::diagramClicked(QMouseEvent *event)

 void SequenceDialog::mouseMoved(QMouseEvent *event)
 {
+    //if (file_closed_) return;
     QCustomPlot *sp = ui->sequencePlot;
     Qt::CursorShape shape = Qt::ArrowCursor;
     if (event) {
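Review bot: the guard `//if (file_closed_) return;` is commented out, so this hunk as posted changes nothing. If the `file_closed_` check is the intended mitigation it needs to be live, and placed here, before `ui->sequencePlot` and the cursor shape are touched, so the handler skips all stale state rather than just the hint.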
@@ -266,7 +267,7 @@ void SequenceDialog::mouseMoved(QMouseEvent *event)
     QString hint;
     if (event) {
         seq_analysis_item_t *sai =
seq_diagram_->itemForPosY(event->pos().y());
-        if (sai) {
+        if (sai && false) {
             packet_num_ = sai->fd->num;
             hint = QString("Packet %1:
%2").arg(packet_num_).arg(sai->comment);
         }
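Review bot: `if (sai && false)` avoids the `sai->fd->num` read by never entering the block, which also drops the hover hint for an open file. The safer shape keeps `if (sai)` and instead ensures `seq_diagram_` holds no items once the file is closed (or returns early on `file_closed_` before `itemForPosY`), so the hint keeps working while the file is open. Note also that `seq_diagram_->itemForPosY(...)` and the `QString("Packet %1:\n%2")` literal appear wrapped onto two lines by the mail client, not by the patch.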

