Wireshark-bugs: [Wireshark-bugs] [Bug 1001] free() invalid pointer in dissect_802_3 at packet-ie

Date: Tue, 25 Jul 2006 03:11:51 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1001

------- Comment #1 from jmayer@xxxxxxxxx  2006-07-25 03:11 GMT -------
The following is an attempt to summarize from:
http://bugs.gentoo.org/show_bug.cgi?id=133092

I don't understand our exception code (and C's setjmp etc) sufficiently to
further help with this problem. 

The gentoo users running into this problem seem to have built their
system with the '"hardened" use flag' (see below).

The stacktrace is interesting:

#0  0xffffe410 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb67255e1 in raise () from /lib/libc.so.6
No symbol table info available.
#2  0xb6726d99 in abort () from /lib/libc.so.6
No symbol table info available.
#3  0xb6759f20 in __fsetlocking () from /lib/libc.so.6
No symbol table info available.
#4  0xb675fe9e in malloc_usable_size () from /lib/libc.so.6
No symbol table info available.
#5  0xb67608ab in free () from /lib/libc.so.6
No symbol table info available.
#6  0xb6e3d904 in except_free (ptr=0x0) at except.c:371
No locals.
#7  0xb726ee4d in dissect_802_3 (length=38, is_802_2=1, tvb=0x8364680, offset_after_length=14, pinfo=0x8403400, tree=0x0, fh_tree=0x0, length_id=0, trailer_id=8426,
    fcs_len=44) at packet-ieee8023.c:71
        except_sn = {except_down = 0xbfc78180, except_type = XCEPT_CATCHER, except_info = {except_catcher = 0xbfc77c30, except_cleanup = 0xbfc77c30}}
        except_ch = {except_id = 0xb794953c, except_size = 1, except_obj = {except_id = {except_group = 3217521884, except_code = 3217521820},
    except_message = 0x75c9b5a6 <Address 0x75c9b5a6 out of bounds>, except_dyndata = 0x0}, except_jmp = {{__jmpbuf = {137774832, 0, -1233022680, -1077445336, -1077445648,
        -1222185614}, __mask_was_saved = 0, __saved_mask = {__val = {3061944616, 3217521848, 1976153510, 137774720, 14, 2, 3064114536, 3217521980, 4096, 3217521864,
          3063851180, 138129248, 4096, 3079224510, 3217521980, 1976153510, 3217523376, 3061025561, 3217523420, 3083712260, 3061944616, 3217521912, 3083712260, 5,
          134760792, 3217521960, 3068448450, 138129248, 4096, 3079224510, 3217521980, 3061188654}}}}}
        exc = (except_t *) 0x0
        except_state = 0
        catch_spec = {{except_group = 1, except_code = 0}}
        next_tvb = (tvbuff_t * volatile) 0x0
        trailer_tvb = (tvbuff_t * volatile) 0x83646f0
        saved_proto = 0x0
        captured_length = 0
        __PRETTY_FUNCTION__ = "dissect_802_3"

packet-ieee8023.c:71 is just an ENDTRY;
and except.c:371 is     get_dealloc()(ptr);

So it looks like there is some interaction of the hardened flag and our
exception code.

This is what the Gentoo hardened FAQ seems to say:
(http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml)

There seem to be several techniques to harden a system (select one),
but basically one of the things it does is to protect data segments from
execution and in some cases prevent stack smashing.

