Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-bugs: [Wireshark-bugs] [Bug 1956] New: Wireshark crashes on certain filters while capt

Date: Tue, 30 Oct 2007 17:59:29 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1956

           Summary: Wireshark crashes on certain filters while capturing
           Product: Wireshark
           Version: 0.99.6
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: drlisandroalvarez@xxxxxxxxxxx


Build Information:
Version 0.99.6a (SVN Rev 22276)

Copyright 1998-2007 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.12, with GLib 2.12.12, with WinPcap (version unknown),
with libz 1.2.3, with libpcre 6.4, with Net-SNMP 5.4, with ADNS, with Lua 5.1,
with GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT Kerberos, with PortAudio
PortAudio V19-devel, with AirPcap.

Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.1
(packet.dll version 4.0.0.901), based on libpcap version 0.9.5, without
AirPcap.

Built using Microsoft Visual C++ 6.0 build 8804

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
By just setting at the filter box "ip.addr & 1.1.1.1" (without quotes),
Wireshark crashes when there is an IP packet in the packet list area.

The procedure is the following:

1. Start a capure without any filters set
2. Wait until at least an IP packet is on the list
3. Write in the Filter box "ip.addr & 1.1.1.1" (without quotes), and press
enter
4. Enjoy the crash message ;)

Note that 1.1.1.1 is an example, you can crash Wireshark with any IP.

The faulting proc is at 006D8C0E (sometimes faults at 006D8C33 and other times
at 006D8C36). Patching 006D8C0E with a RET instruction prevents the crashes but
obviously it is not a decent patch...

According to the call stack the faulting proc seems to belong to libwires.

PS: Steps 2 and 3 order can be swapped actually but in the descripted way you
get the crash as soon as you press enter.


-- 
Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.