
Wireshark-bugs: [Wireshark-bugs] [Bug 7892] Buildbot crash output: fuzz-2012-10-21-27120.pcap

Date: Sun, 21 Oct 2012 23:36:27 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7892

Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |darkjames-ws@xxxxxxxxxxxx

--- Comment #1 from Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx> 2012-10-21 23:36:26 PDT ---
From packet-ieee802154 dissector:
  SET_ADDRESS(&pinfo->dl_dst, AT_STRINGZ, (int)strlen(dst_addr)+1, dst_addr);
  SET_ADDRESS(&pinfo->dst, AT_STRINGZ, (int)strlen(dst_addr)+1, dst_addr);

where dst_addr is allocated from the ep_ pool.
Later pinfo->dst is accessed by col_fill_in() => col_set_addr(), but that is after
dissection, so the ep_ pool was already freed (and scrubbed).

#FAIL, we need to either do col_fill_in() before ep_free_all() or revert
r45673.

*Probably* all recent fuzz testing reports are dups of this one.
Bug caught thanks to se_solve_address_to_name(), which for AT_STRINGZ assumes
NUL-terminated addr->data, and a lot of memory is allocated in the se_ pool.

backtrace:

#0  0x00007f0d32df227c in se_alloc (size=75033) at emem.c:884
#1  0x00007f0d32df266d in emem_strdup (
    src=0x7f0d2f1c1200 "ďž­Ţďž­Ţďž­Ţďž­Ţďž­Ţďž­Ţďž­Ţďž­Ţďž­Ţďž­Ţďž­...
    allocator=0x7f0d32df2260 <se_alloc>) at emem.c:964
#2  0x00007f0d32df26cc in se_strdup (
    src=0x7f0d2f1c1200 "ďž­Ţďž­Ţďž­Ţďž­Ţďž­Ţďž­Ţďž­Ţďž­Ţďž­Ţďž­Ţďž­...
    at emem.c:978
#3  0x00007f0d32ddf6bd in se_solve_address_to_name (addr=0x7fff9d24bf38) at
addr_resolv.c:995
#4  0x00007f0d32ddf595 in se_get_addr_name (addr=0x7fff9d24bf38) at
addr_resolv.c:2951
#5  0x00007f0d32dee288 in col_set_addr () from
/tmp/wireshark/epan/.libs/libwireshark.so.0
#6  0x00007f0d32dede3a in col_fill_in () from
/tmp/wireshark/epan/.libs/libwireshark.so.0
#7  0x00007f0d32df7c7b in epan_dissect_fill_in_columns () from
/tmp/wireshark/epan/.libs/libwiresha
#8 0x0000000000423390 in print_packet (cf=0x658a38, edt=0x7fff9d24be98) at
tshark.c:3483

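The following is an added example, not code from the bug report or from Wireshark itself, that models the lifetime problem described above in self-contained C. The ep_/se_ pools, the scrub fill byte (0xEF), the SET_ADDRESS macro, the address and packet_info structs and the sample address string are all constructed stand-ins for this illustration. It shows a dissector that stores a pointer into packet-scoped memory in pinfo->dst, a variant that copies the string into the session-scoped pool first, and a bounded check that a consumer such as a column fill can run before trusting an AT_STRINGZ address, so that a scrubbed buffer is never walked with strlen().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy models of Wireshark's two memory pools (constructed for this example,
 * not the real emem.c): "ep_" is packet-scoped and is released in one go
 * after dissection; "se_" is capture-session-scoped and outlives it. */
#define POOL_SIZE 4096
static unsigned char ep_pool[POOL_SIZE];
static size_t ep_used;
static unsigned char se_pool[POOL_SIZE];
static size_t se_used;

static void *pool_alloc(unsigned char *pool, size_t *used, size_t n) {
    if (*used + n > POOL_SIZE) return NULL;
    void *p = pool + *used;
    *used += n;
    return p;
}
static void *ep_alloc(size_t n) { return pool_alloc(ep_pool, &ep_used, n); }
static void *se_alloc(size_t n) { return pool_alloc(se_pool, &se_used, n); }

/* ep_free_all with scrubbing: freed memory is overwritten with a fill byte
 * (0xEF here, a constructed value) so dangling pointers are easy to spot. */
static void ep_free_all(void) {
    memset(ep_pool, 0xEF, ep_used);
    ep_used = 0;
}

/* Minimal stand-ins for Wireshark's address and packet_info structures. */
typedef enum { AT_NONE, AT_STRINGZ } address_type;
typedef struct { address_type type; int len; const void *data; } address;
typedef struct { address dst; } packet_info;

#define SET_ADDRESS(addr, addr_type, addr_len, addr_data) \
    do { (addr)->type = (addr_type); (addr)->len = (addr_len); \
         (addr)->data = (addr_data); } while (0)

/* Buggy dissector, mirroring the report: pinfo->dst points into ep_ memory
 * that will be scrubbed as soon as dissection ends. */
static void dissect_buggy(packet_info *pinfo, const char *src) {
    char *dst_addr = ep_alloc(strlen(src) + 1);
    if (dst_addr == NULL) return;
    strcpy(dst_addr, src);
    SET_ADDRESS(&pinfo->dst, AT_STRINGZ, (int)strlen(dst_addr) + 1, dst_addr);
}

/* Fixed variant: the string is copied into the session-scoped pool, so the
 * pointer stored in pinfo->dst remains valid after ep_free_all(). */
static void dissect_fixed(packet_info *pinfo, const char *src) {
    char *dst_addr = ep_alloc(strlen(src) + 1);
    if (dst_addr == NULL) return;
    strcpy(dst_addr, src);
    char *kept = se_alloc(strlen(dst_addr) + 1);
    if (kept == NULL) return;
    strcpy(kept, dst_addr);
    SET_ADDRESS(&pinfo->dst, AT_STRINGZ, (int)strlen(kept) + 1, kept);
}

/* Defensive check a consumer can apply before trusting an AT_STRINGZ
 * address: the recorded length must cover exactly one NUL-terminated string.
 * The byte at len-1 is tested first, so a scrubbed, non-terminated buffer is
 * never walked with strlen(). Returns 1 if the address is intact. */
static int address_is_intact(const address *a) {
    if (a->type != AT_STRINGZ || a->data == NULL || a->len <= 0) return 0;
    const char *s = (const char *)a->data;
    if (s[a->len - 1] != '\0') return 0;
    return (int)strlen(s) == a->len - 1;
}

/* Reproduces the ordering from the report: dissect, ep_free_all(), and only
 * then a column fill reads pinfo->dst. Returns 1 if the address is usable. */
static int run_scenario(void (*dissect)(packet_info *, const char *)) {
    packet_info pinfo;
    memset(&pinfo, 0, sizeof pinfo);
    dissect(&pinfo, "00:11:22:33:44:55:66:77");  /* constructed sample address */
    ep_free_all();                               /* dissection is over */
    return address_is_intact(&pinfo.dst);        /* where col_fill_in() would run */
}

int main(void) {
    printf("buggy dissector, address intact after ep_free_all: %d\n",
           run_scenario(dissect_buggy));
    printf("fixed dissector, address intact after ep_free_all: %d\n",
           run_scenario(dissect_fixed));
    return 0;
}
```

The buggy scenario reports 0 because the byte at len-1 now holds the scrub pattern rather than a NUL; the fixed scenario reports 1 because the data lives in a pool that is not released at the end of dissection. The same ordering fix the report proposes, running the column fill before the packet pool is freed, would also make the buggy variant pass, since the check would then run on live memory.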