
Wireshark-bugs: [Wireshark-bugs] [Bug 5448] Buildbot crash output: fuzz-2010-11-28-11164.pcap

Date: Sun, 28 Nov 2010 12:20:19 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5448

--- Comment #1 from Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx> 2010-11-28 13:20:16 MST ---
The tree pointer is invalid (0x78) as shown in gdb session below.  The
backtrace isn't very helpful though (further down) presumably due to the "stack
smashing" corrupted stack.

sfisher@shadow:/usr/local/src/wireshark>libtool --mode=execute gdb ./tshark
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
(gdb) r -V -r ./fuzz-2010-11-28-11164.pcap 
Starting program: /usr/local/src/wireshark/.libs/tshark -V -r ./fuzz-2010-11-28-11164.pcap
[New LWP 100245]
[New Thread 2aa01140 (LWP 100245)]
Frame 1: 166 bytes on wire (1328 bits), 166 bytes captured (1328 bits)
    Arrival Time: Jun 26, 2009 12:56:02.762306000 MDT
    Epoch Time: 1246042562.762306000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 166 bytes (1328 bits)
    Capture Length: 166 bytes (1328 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ipv6:icmpv6]
Ethernet II, Src: Vmware_f7:26:33 (00:0c:29:f7:26:33), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
        Address: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: Vmware_f7:26:33 (00:0c:29:f7:26:33)
        Address: Vmware_f7:26:33 (00:0c:29:f7:26:33)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: fe80::20c:29ff:fef7:2633 (fe80::20c:29ff:fef7:2633), Dst: ff02::1 (ff02::1)
    0110 .... = Version: 6
        [0110 .... = This field makes the filter "ip.version == 6" possible: 6]
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Field: Default (0x00000000)
        .... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
        .... .... ...0 .... .... .... .... .... = ECN-CE: Not set
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 112
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::20c:29ff:fef7:2633 (fe80::20c:29ff:fef7:2633)
    [Source SA MAC: Vmware_f7:26:33 (00:0c:29:f7:26:33)]
    Destination: ff02::1 (ff02::1)
Internet Control Message Protocol v6
    Type: 134 (Router advertisement)
    Code: 0
    Checksum: 0x8096 [incorrect, should be 0x8116]
    Cur hop limit: 64
    Flags: 0x00
        0... .... = Not managed
        .0.. .... = Not other
        ..0. .... = Not Home Agent
        ...0 0... = Router preference: Medium
        .... .0.. = Not Proxied
    Router lifetime: 0
    Reachable time: 0
    Retrans timer: 0
    ICMPv6 Option (Prefix information : fd0b:7cdb:ae7d:beef::/64)
        Type: Prefix information (3)
        Length: 4 (32 bytes)
        Prefix Length: 64
        Flags: 0xc0
            1... .... = On-link flag(L): Set
            .1.. .... = Autonomous address-configuration flag(A): Set
            ..00 0000 = Reserved: 0
        Valid Lifetime: 86400
        Preferred Lifetime: 14400
        Reserved
        Prefix: fd0b:7cdb:ae7d:beef:: (fd0b:7cdb:ae7d:beef::)
    ICMPv6 Option (Recursive DNS Server)
        Type: Recursive DNS Server (25)
        Length: 7 (56 bytes)
        Reserved
        Lifetime: 10
        Recursive DNS Servers: 2610:8:6800:1::4 (2610:8:6800:1::4)
        Recursive DNS Servers: 2610:8:7800:9::4 (2610:8:7800:9::4)
        Recursive DNS Servers: 2610:8:7800::4 (2610:8:7800::4)
    ICMPv6 Option (Source link-layer address : 00:0c:29:f7:26:33)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: Vmware_f7:26:33 (00:0c:29:f7:26:33)


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 2aa01140 (LWP 100245)]
0x28672644 in proto_tree_add_item (tree=0x78, hfindex=29590, tvb=0x2bb64950, start=104, length=8, encoding=0) at proto.c:1577
1577            TRY_TO_FAKE_THIS_ITEM(tree, hfindex, hfinfo);
(gdb) bt
#0  0x28672644 in proto_tree_add_item (tree=0x78, hfindex=29590, tvb=0x2bb64950, start=104, length=8, encoding=0) at proto.c:1577
#1  0x2899b0b1 in dissect_icmpv6ndopt (tvb=0x2bb64950, offset=104, pinfo=0xbfbfe588, tree=0x78) at packet-icmpv6.c:546
#2  0x08001026 in ?? ()
#3  0x00000078 in ?? ()
#4  0x00000000 in ?? ()
#5  0x04000000 in ?? ()
#6  0x0000000c in ?? ()
#7  0x00000004 in ?? ()
#8  0x00000000 in ?? ()
#9  0x294ac738 in broadcast_addr_bytes.12962 () from /usr/local/src/wireshark/epan/.libs/libwireshark.so.0
#10 0x00008096 in ?? ()
#11 0x00000fd4 in ?? ()
#12 0xbfbfd91c in ?? ()
#13 0xbfbfdad4 in ?? ()
#14 0x2a528b78 in ?? () from /lib/libc.so.7
#15 0x2a528b78 in ?? () from /lib/libc.so.7
#16 0x00000001 in ?? ()
#17 0xbfbfdaf8 in ?? ()
#18 0x2a506f1f in open () from /lib/libc.so.7
#19 0x00000000 in ?? ()
#20 0x2a523448 in __uppercase_hex () from /lib/libc.so.7
#21 0x00000000 in ?? ()
#22 0x00000004 in ?? ()
#23 0x00000000 in ?? ()
#24 0x2bc1e50c in ?? ()
#25 0x292a4de8 in dtmf_digits () from /usr/local/src/wireshark/epan/.libs/libwireshark.so.0
#26 0x2965e2aa in catch_spec.12122 () from /usr/local/src/wireshark/epan/.libs/libwireshark.so.0
#27 0x2c098ed9 in ?? ()
#28 0x2927e9c4 in attrs () from /usr/local/src/wireshark/epan/.libs/libwireshark.so.0
#29 0x00000000 in ?? ()
#30 0x00002633 in ?? ()
#31 0x2a523438 in __uppercase_hex () from /lib/libc.so.7
#32 0xbfbfd8b8 in ?? ()
#33 0x2927e9c4 in attrs () from /usr/local/src/wireshark/epan/.libs/libwireshark.so.0
#34 0xffffffff in ?? ()
#35 0x00000004 in ?? ()
#36 0x00000001 in ?? ()
#37 0x0000007b in ?? ()
#38 0x2a512b55 in fwrite () from /lib/libc.so.7
Previous frame inner to this frame (corrupt stack?)
(gdb)

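The fault above is raised while dissect_icmpv6ndopt is walking the ND options of this Router Advertisement at tvb offset 104, which is exactly where the third option (source link-layer address) starts once the 16-byte RA header, the 32-byte prefix information option and the 56-byte RDNSS option have been consumed; the tree pointer it is handed (0x78) has already been clobbered by then. The following is an added example, not Wireshark's dissector and not a statement about the root cause of this bug: a standalone C walker over the same RFC 4861 option list that checks every declared length against the bytes actually present before using it. The packet bytes are reconstructed from the decode in the comment above (reserved fields are assumed to be zero and the stored checksum 0x8096 is kept as found); the two mutated copies (a truncated frame and a zero-length option) are constructed here to show the rejection paths.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcomes of walking the option list. */
enum { ND_OK = 0, ND_ERR_SHORT_HEADER, ND_ERR_ZERO_LEN, ND_ERR_TRUNCATED,
       ND_ERR_BAD_BODY, ND_ERR_TOO_MANY };

#define ND_RA_HDR_LEN 16   /* type, code, checksum, hop limit, flags, lifetime, reachable, retrans */
#define ND_MAX_OPTS   16

struct nd_option { uint8_t type; size_t offset; size_t len; };
struct nd_result { size_t count; struct nd_option opts[ND_MAX_OPTS]; };

/* Walk the ND options that follow a Router Advertisement header. 'icmp' points at the
 * ICMPv6 type byte, so option offsets line up with the tvb offsets in the backtrace.
 * Each option's length (in 8-octet units, RFC 4861 4.6) is validated before it is used. */
static int nd_walk_ra_options(const uint8_t *icmp, size_t icmp_len, struct nd_result *out)
{
    size_t off = ND_RA_HDR_LEN;
    out->count = 0;
    if (icmp_len < ND_RA_HDR_LEN) return ND_ERR_SHORT_HEADER;
    while (off < icmp_len) {
        uint8_t type;
        size_t len;
        if (icmp_len - off < 2) return ND_ERR_TRUNCATED;     /* need type + length bytes */
        type = icmp[off];
        len  = (size_t)icmp[off + 1] * 8;
        if (len == 0) return ND_ERR_ZERO_LEN;                 /* RFC 4861: length 0 is invalid, discard */
        if (len > icmp_len - off) return ND_ERR_TRUNCATED;   /* declared length runs past the buffer */
        switch (type) {
        case 3:  if (len != 32) return ND_ERR_BAD_BODY; break;                   /* Prefix Information */
        case 25: if (len < 24 || (len - 8) % 16) return ND_ERR_BAD_BODY; break;  /* RDNSS: 8 + n*16 */
        default: break;  /* link-layer address and unknown options: skipped by length */
        }
        if (out->count == ND_MAX_OPTS) return ND_ERR_TOO_MANY;
        out->opts[out->count].type   = type;
        out->opts[out->count].offset = off;
        out->opts[out->count].len    = len;
        out->count++;
        off += len;
    }
    return ND_OK;
}

/* ICMPv6 payload (112 bytes) constructed from the tshark decode above; reserved fields assumed zero. */
static const uint8_t sample_ra[] = {
    /* RA header: type 134, code 0, checksum 0x8096 as stored, cur hop limit 64, flags 0, lifetimes 0 */
    0x86,0x00,0x80,0x96, 0x40,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    /* Prefix Information (3), len 4: /64, flags 0xc0, valid 86400, preferred 14400, reserved */
    0x03,0x04,0x40,0xc0, 0x00,0x01,0x51,0x80, 0x00,0x00,0x38,0x40, 0x00,0x00,0x00,0x00,
    0xfd,0x0b,0x7c,0xdb, 0xae,0x7d,0xbe,0xef, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    /* RDNSS (25), len 7: reserved, lifetime 10, three server addresses */
    0x19,0x07,0x00,0x00, 0x00,0x00,0x00,0x0a,
    0x26,0x10,0x00,0x08, 0x68,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x04,
    0x26,0x10,0x00,0x08, 0x78,0x00,0x00,0x09, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x04,
    0x26,0x10,0x00,0x08, 0x78,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x04,
    /* Source link-layer address (1), len 1: 00:0c:29:f7:26:33 */
    0x01,0x01,0x00,0x0c, 0x29,0xf7,0x26,0x33,
};

/* Run the walker over the intact frame (variant 0) or a mutated copy:
 * variant 1 drops the last two bytes, variant 2 zeroes the RDNSS length byte. */
static int demo_walk(int variant, struct nd_result *r)
{
    uint8_t buf[sizeof sample_ra];
    size_t len = sizeof sample_ra;
    memcpy(buf, sample_ra, len);
    if (variant == 1) len -= 2;
    if (variant == 2) buf[ND_RA_HDR_LEN + 32 + 1] = 0;
    return nd_walk_ra_options(buf, len, r);
}
static int    demo_status(int variant)       { struct nd_result r; return demo_walk(variant, &r); }
static size_t demo_option_count(void)        { struct nd_result r; demo_walk(0, &r); return r.count; }
static size_t demo_option_offset(size_t i)   { struct nd_result r; demo_walk(0, &r);
                                               return i < r.count ? r.opts[i].offset : (size_t)-1; }
static size_t demo_rdnss_addrs(void)         { struct nd_result r; demo_walk(0, &r);
                                               return r.count > 1 ? (r.opts[1].len - 8) / 16 : 0; }

int main(void)
{
    struct nd_result r;
    int st = demo_walk(0, &r);
    printf("status %d, %zu options\n", st, r.count);
    for (size_t i = 0; i < r.count; i++)
        printf("  type %u at offset %zu, %zu bytes\n", r.opts[i].type, r.opts[i].offset, r.opts[i].len);
    printf("truncated copy: %d, zero-length option: %d\n", demo_status(1), demo_status(2));
    return 0;
}
```

On the intact frame the walker reports options at offsets 16, 48 and 104, the last matching the offset=104 argument in frame #1 of the backtrace; the truncated copy is rejected before the link-layer option is read, and the zero-length copy is rejected rather than looping or advancing by zero.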