Wireshark-bugs: [Wireshark-bugs] [Bug 6351] Buildbot crash output: fuzz-2011-09-16-19550.pcap
Date: Tue, 20 Sep 2011 06:28:36 -0700 (PDT)

Jeff Morriss <[email protected]> changed:

           What    |Removed                     |Added
                 CC|                            |[email protected]

--- Comment #2 from Jeff Morriss <[email protected]> 2011-09-20 06:28:35 PDT ---
It crashes for me, here's the bt:

(gdb) bt
#0  0x00000031a0a80e70 in strlen () from /lib64/libc.so.6
#1  0x00000031a0a4961e in vfprintf () from /lib64/libc.so.6
#2  0x00000031a0afc928 in __vsnprintf_chk () from /lib64/libc.so.6
#3  0x00007f905eebb84f in proto_tree_set_representation (
    pi=<value optimized out>, format=0x7f905f9482f0 "ERROR %s %s (%s)", 
    ap=0x7fffc1f06cb0) at ../../epan/proto.c:3668
#4  0x00007f905eebcf78 in proto_tree_add_text (tree=0x7f905dc9d2c0, 
    tvb=<value optimized out>, start=<value optimized out>, 
    length=<value optimized out>, format=0x7f905f9482f0 "ERROR %s %s (%s)")
    at ../../epan/proto.c:1051
#5  0x00007f905f00f5b6 in ProcessError (tree=0x8, tvb=0x7f905f9482fb, 
    bit_offset=16843008, sz=<value optimized out>, err=-5, 
    pDescr=<value optimized out>) at ../../../epan/dissectors/packet-csn1.c:105
#6  0x00007f905f00f82a in csnStreamDissector (tree=0x7f905dc9d4a0, 
    ar=0x7fffc1f07070, pDescr=0x7fffc1f07048, tvb=0x34b48c0, 
    data=0x7f905cf7f660, ett_csn1=7869)
    at ../../../epan/dissectors/packet-csn1.c:1490
#7  0x00007f905f010157 in csnStreamDissector (tree=0x7f905dc9d590, 
    ar=0x7fffc1f071f0, pDescr=0x7f90603f7d20, tvb=0x34b48c0, 
    data=0x7f905cf7f660, ett_csn1=7869)
    at ../../../epan/dissectors/packet-csn1.c:548
#8  0x00007f905f0108be in csnStreamDissector (tree=0x7f905dc9d680, 
    ar=0x7fffc1f07370, pDescr=0x7f90603f34e0, tvb=0x34b48c0, 
    data=0x7f905cf7f65c, ett_csn1=7869)
    at ../../../epan/dissectors/packet-csn1.c:1390
#9  0x00007f905f00ff9e in csnStreamDissector (tree=0x7f905dc9d3e0, 
    ar=0x7fffc1f073c0, pDescr=0x7f90603edda0, tvb=0x34b48c0, 
    data=0x7f905cf7f648, ett_csn1=7869)
    at ../../../epan/dissectors/packet-csn1.c:496
#10 0x00007f905f15428f in dissect_gsm_rlcmac_uplink (tvb=0x34b48c0, 
    pinfo=0x7fffc1f08060, tree=0x7f905dc9c000)
    at ../../../epan/dissectors/packet-gsm_rlcmac.c:5953
#11 0x00007f905eeacb21 in call_dissector_through_handle (handle=0x2709f80, 
    tvb=0x34b48c0, pinfo=0x7fffc1f08060, tree=0x7f905dc9c000)
    at ../../epan/packet.c:384
#12 0x00007f905eead280 in call_dissector_work (handle=0x2709f80, 
    tvb=0x34b48c0, pinfo_arg=0x7fffc1f08060, tree=0x7f905dc9c000, 
    add_proto_name=1) at ../../epan/packet.c:475
#13 0x00007f905eead3e1 in call_dissector (handle=0x8, tvb=0x7f905f9482fb, 
    pinfo=0x7fffc1f06da8, tree=0x0) at ../../epan/packet.c:1905
#14 0x00007f905eeacb21 in call_dissector_through_handle (handle=0x32e3d60, 
    tvb=0x34b4860, pinfo=0x7fffc1f08060, tree=0x7f905dc9c000)
    at ../../epan/packet.c:384
#15 0x00007f905eead280 in call_dissector_work (handle=0x32e3d60, 
    tvb=0x34b4860, pinfo_arg=0x7fffc1f08060, tree=0x7f905dc9c000, 
    add_proto_name=1) at ../../epan/packet.c:475

The problem is that pDescr is not initialized:

(gdb) print *pDescr
$15 = {
  type = 0, 
  i = 0, 
  descr = {
    ptr = 0x1, 
    value = 1
  offset = 140258044422794, 
  sz = 0x8 <Address 0x8 out of bounds>, 
  serialize = {
    fcn = 0, 
    value = 0, 
    hf_ptr = 0x0

(Frame 5 is trying to use 'sz' as a pointer to a string.)

This feels very, very similar to something I fixed before.  Sure 'nough, r38430
"fixed" another fuzz failure (bug 6139).

BUT, bug 6328 said that broke something and reversed the change in r38951. 
Maybe the reporter of that bug will know how to fix it without breaking other
things (I don't really have time to investigate).

Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.