Wireshark-bugs: [Wireshark-bugs] [Bug 1956] New: Wireshark crashes on certain filters while capt
Date: Tue, 30 Oct 2007 17:59:29 +0000 (GMT)

           Summary: Wireshark crashes on certain filters while capturing
           Product: Wireshark
           Version: 0.99.6
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: Wireshark
        AssignedTo: [email protected]
        ReportedBy: [email protected]

Build Information:
Version 0.99.6a (SVN Rev 22276)

Copyright 1998-2007 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO

Compiled with GTK+ 2.10.12, with GLib 2.12.12, with WinPcap (version unknown),
with libz 1.2.3, with libpcre 6.4, with Net-SNMP 5.4, with ADNS, with Lua 5.1,
with GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT Kerberos, with PortAudio
PortAudio V19-devel, with AirPcap.

Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.1
(packet.dll version, based on libpcap version 0.9.5, without

Built using Microsoft Visual C++ 6.0 build 8804

Wireshark is Open Source Software released under the GNU General Public

Check the man page and http://www.wireshark.org for more information.
By just setting at the filter box "ip.addr &" (without quotes),
Wireshark crashes when there is an IP packet in the packet list area.

The procedure is the following:

1. Start a capure without any filters set
2. Wait until at least an IP packet is on the list
3. Write in the Filter box "ip.addr &" (without quotes), and press
4. Enjoy the crash message ;)

Note that is an example, you can crash Wireshark with any IP.

The faulting proc is at 006D8C0E (sometimes faults at 006D8C33 and other times
at 006D8C36). Patching 006D8C0E with a RET instruction prevents the crashes but
obviously it is not a decent patch...

According to the call stack the faulting proc seems to belong to libwires.

PS: Steps 2 and 3 order can be swapped actually but in the descripted way you
get the crash as soon as you press enter.

Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.