Wireshark-dev: [Wireshark-dev] strange crash

From: Robert Hogan <robert@xxxxxxxxxxxxxxx>
Date: Sat, 15 Aug 2009 12:11:53 +0100

Hi there,

I encountered a crash while writing my dissector that puzzled me at first:

#0  strlen () at ../sysdeps/i386/i486/strlen.S:40
#1  0xb548c6d8 in _IO_vfprintf_internal (s=0xbfa726ac, format=0xb6ff9494 "%s: %s (%u)", ap=0xbfa72804 "1") at vfprintf.c:1581
#2  0xb5544772 in ___vsnprintf_chk (s=0xbfa729f0 "Attention Identification:  or Get Operation (0x03)", maxlen=240, flags=1, slen=4294967295, format=0xb6ff9494 "%s: %s (%u)", args=0xbfa727fc "\264-E\2671") at vsnprintf_chk.c:65
#3  0xb582ca4f in IA__g_vsnprintf (string=0x1 <Address 0x1 out of bounds>, n=3215403012, format=0x31 <Address 0x31 out of bounds>, args=0xbfa727fc "\264-E\2671") at /usr/include/bits/stdio2.h:78
#4  0xb582cc36 in IA__g_snprintf (string=0xbfa729f0 "Attention Identification:  or Get Operation (0x03)", n=240, format=0xb6ff9494 "%s: %s (%u)") at /build/buildd/glib2.0-2.20.1/glib/gprintf.c:163
#5  0xb649e7b0 in fill_label_uint (fi=0x994c2f0, label_str=0xbfa729f0 "Attention Identification:  or Get Operation (0x03)") at /home/robert/Development/wireshark-tn5250/epan/proto.c:4315
#6  0xb649db4e in proto_item_fill_label (fi=0x994c2f0, label_str=0xbfa729f0 "Attention Identification:  or Get Operation (0x03)") at /home/robert/Development/wireshark-tn5250/epan/proto.c:4064

The calls from proto.c look innocent enough but it turned out I had:

    { &hf_tn5250_aid,
        { "Attention Identification", "hf_tn5250_aid",
          FT_UINT8, BASE_HEX||BASE_RANGE_STRING,    <----------- ||
          RVALS(vals_tn5250_attention_identification_bytes), 0x0,
          "hf_tn5250_aid", HFILL }},

instead of

    { &hf_tn5250_aid,
        { "Attention Identification", "hf_tn5250_aid",
          FT_UINT8, BASE_HEX|BASE_RANGE_STRING,
          RVALS(vals_tn5250_attention_identification_bytes), 0x0,
          "hf_tn5250_aid", HFILL }},

Any thoughts on where the violation should have been picked up?
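As an added illustration (not from the post or from Wireshark's source), the block below shows why `||` on two flag constants collapses to 1, and why a registration-time range check on the display value cannot tell that result apart from a legitimate BASE_DEC field. The constant values are constructed stand-ins for the period's epan/proto.h, and `decode_display` / `display_is_valid` are hypothetical helpers mirroring what fill_label_uint and field registration would see.

```c
#include <stdio.h>

/* Constructed stand-ins for the display-base constants: the low byte selects
 * the numeric base, BASE_RANGE_STRING is a flag bit ORed into it. The numbers
 * are illustrative and not copied from Wireshark's proto.h. */
enum { BASE_NONE = 0, BASE_DEC = 1, BASE_HEX = 2, BASE_OCT = 3 };
#define BASE_RANGE_STRING 0x100
#define BASE_DISPLAY_MASK 0xFF

typedef struct {
    int base;          /* numeric base after masking off the flag bits */
    int range_strings; /* 1 if the strings pointer is to be read as range_string[] */
} display_info;

/* What a label routine in the spirit of fill_label_uint derives from hf->display. */
static display_info decode_display(int display)
{
    display_info d;
    d.base = display & BASE_DISPLAY_MASK;
    d.range_strings = (display & BASE_RANGE_STRING) != 0;
    return d;
}

/* Hypothetical registration-time check: known base plus known flag bits only.
 * Returns 1 if the value is acceptable. Note that it has no way of knowing
 * whether the strings pointer really is a value_string or range_string table. */
static int display_is_valid(int display)
{
    int base  = display & BASE_DISPLAY_MASK;
    int flags = display & ~BASE_DISPLAY_MASK;
    return base >= BASE_NONE && base <= BASE_OCT
        && (flags & ~BASE_RANGE_STRING) == 0;
}

int main(void)
{
    int intended = BASE_HEX | BASE_RANGE_STRING;   /* what the author meant: 0x102 */
    int typo     = BASE_HEX || BASE_RANGE_STRING;  /* logical OR: collapses to 1 == BASE_DEC */
    display_info a = decode_display(intended), b = decode_display(typo);

    printf("'|'  -> display=0x%x base=%d range_strings=%d valid=%d\n",
           intended, a.base, a.range_strings, display_is_valid(intended));
    printf("'||' -> display=0x%x base=%d range_strings=%d valid=%d\n",
           typo, b.base, b.range_strings, display_is_valid(typo));
    return 0;
}
```

Both values pass the registration check, so the mistake can only be caught earlier: with the flag bit gone, the label code walks the range_string table as if it were a value_string array, which is consistent with the strlen() frame in the trace above, and GCC's -Wlogical-op and clang's -Wconstant-logical-operand both warn about `||` applied to non-boolean constants at compile time.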