
Wireshark-dev: Re: [Wireshark-dev] strange crash

From: Kovarththanan Rajaratnam <kovarththanan.rajaratnam@xxxxxxxxx>
Date: Sat, 15 Aug 2009 13:34:00 +0200
Hey,

Robert Hogan wrote:
Hi there,

I encountered a crash while writing my dissector that puzzled me at first:

#0  strlen () at ../sysdeps/i386/i486/strlen.S:40
#1  0xb548c6d8 in _IO_vfprintf_internal (s=0xbfa726ac, format=0xb6ff9494 "%s: %s (%u)", ap=0xbfa72804 "1") at vfprintf.c:1581
#2  0xb5544772 in ___vsnprintf_chk (s=0xbfa729f0 "Attention Identification: or Get Operation (0x03)", maxlen=240, flags=1, slen=4294967295, format=0xb6ff9494 "%s: %s (%u)", args=0xbfa727fc "\264-E\2671") at vsnprintf_chk.c:65
#3  0xb582ca4f in IA__g_vsnprintf (string=0x1 <Address 0x1 out of bounds>, n=3215403012, format=0x31 <Address 0x31 out of bounds>, args=0xbfa727fc "\264-E\2671") at /usr/include/bits/stdio2.h:78
#4  0xb582cc36 in IA__g_snprintf (string=0xbfa729f0 "Attention Identification: or Get Operation (0x03)", n=240, format=0xb6ff9494 "%s: %s (%u)") at /build/buildd/glib2.0-2.20.1/glib/gprintf.c:163
#5  0xb649e7b0 in fill_label_uint (fi=0x994c2f0, label_str=0xbfa729f0 "Attention Identification: or Get Operation (0x03)") at /home/robert/Development/wireshark-tn5250/epan/proto.c:4315
#6  0xb649db4e in proto_item_fill_label (fi=0x994c2f0, label_str=0xbfa729f0 "Attention Identification: or Get Operation (0x03)") at /home/robert/Development/wireshark-tn5250/epan/proto.c:4064

The calls from proto.c look innocent enough but it turned out I had:

    { &hf_tn5250_aid,
        { "Attention Identification", "hf_tn5250_aid",
          FT_UINT8, BASE_HEX||BASE_RANGE_STRING,   <----------- ||
          RVALS(vals_tn5250_attention_identification_bytes), 0x0,
          "hf_tn5250_aid", HFILL }},

instead of

    { &hf_tn5250_aid,
        { "Attention Identification", "hf_tn5250_aid",
          FT_UINT8, BASE_HEX|BASE_RANGE_STRING,
          RVALS(vals_tn5250_attention_identification_bytes), 0x0,
          "hf_tn5250_aid", HFILL }},

Any thoughts on where the violation should have been picked up?

Which version of Wireshark are you using? This issue sounds suspiciously like:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2893

Best regards,
Kovarththanan Rajaratnam
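The logical-OR slip quoted above, together with the kind of registration-time check that would catch it, as an added example in C. This is not code from Wireshark or from either poster: it uses its own illustrative BASE_* constants and BASE_RANGE_STRING bit, a strings_kind tag that its VALS()/RVALS() macros record beside the table pointer (Wireshark's macros are plain casts and carry no such tag), and a constructed range_string table that is not the real TN5250 AID table.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Illustrative constants for this example only; NOT Wireshark's real
 * field_display_e values or flag bits. */
enum { BASE_NONE = 0, BASE_DEC = 1, BASE_HEX = 2, BASE_OCT = 3 };
#define BASE_RANGE_STRING 0x10   /* flag: 'strings' is a range_string[], not a value_string[] */
#define BASE_MASK         0x0f

typedef struct { unsigned value;                const char *strptr; } value_string;
typedef struct { unsigned value_min, value_max; const char *strptr; } range_string;

/* Tag recorded alongside the table pointer (an assumption of this example;
 * Wireshark's VALS()/RVALS() are plain casts and carry no such tag). */
enum { STRINGS_NONE = 0, STRINGS_VALUE = 1, STRINGS_RANGE = 2 };
#define VALS(x)  (x), STRINGS_VALUE
#define RVALS(x) (x), STRINGS_RANGE

typedef struct {
    const char *name;
    int         display;
    const void *strings;
    int         strings_kind;
} hf_entry;

/* Constructed sample table; not the real TN5250 AID table. */
static const range_string aid_rvals[] = {
    { 0x01, 0x02, "Example range A" },
    { 0x03, 0x03, "Example code 3" },
    { 0,    0,    NULL }
};

/* The two registrations from the thread: '||' collapses 2 and 0x10 to 1 (true),
 * which here happens to equal BASE_DEC, and the range flag is silently lost. */
static const hf_entry hf_bad  = { "Attention Identification", BASE_HEX || BASE_RANGE_STRING, RVALS(aid_rvals) };
static const hf_entry hf_good = { "Attention Identification", BASE_HEX |  BASE_RANGE_STRING, RVALS(aid_rvals) };

/* Registration-time check: NULL when the entry is consistent, else a message. */
const char *check_hf(const hf_entry *hf) {
    int base       = hf->display & BASE_MASK;
    int range_flag = (hf->display & BASE_RANGE_STRING) != 0;
    if (base > BASE_OCT)
        return "unknown base in display field";
    if (hf->strings == NULL && (range_flag || hf->strings_kind != STRINGS_NONE))
        return "string table flags set but no table given";
    if (hf->strings != NULL && hf->strings_kind == STRINGS_NONE)
        return "table given without VALS()/RVALS()";
    if (hf->strings_kind == STRINGS_RANGE && !range_flag)
        return "range_string table registered without BASE_RANGE_STRING";
    if (hf->strings_kind == STRINGS_VALUE && range_flag)
        return "BASE_RANGE_STRING set but table is a value_string[]";
    return NULL;
}

/* Lookup that only ever walks a range_string[] as a range_string[]. */
const char *rval_to_str(unsigned v, const range_string *rs) {
    for (; rs->strptr != NULL; rs++)
        if (v >= rs->value_min && v <= rs->value_max)
            return rs->strptr;
    return "Unknown";
}

/* Build a "name: text (value)" label like the one in the backtrace, but refuse
 * an inconsistent entry instead of reinterpreting its table. Returns 1 on success. */
int fill_label(const hf_entry *hf, unsigned v, char *out, size_t outlen) {
    const char *err = check_hf(hf);
    if (err != NULL) {
        snprintf(out, outlen, "%s: <registration error: %s>", hf->name, err);
        return 0;
    }
    const char *s = (hf->strings_kind == STRINGS_RANGE)
                  ? rval_to_str(v, (const range_string *)hf->strings)
                  : "(value_string lookup omitted in this example)";
    snprintf(out, outlen, "%s: %s (0x%02x)", hf->name, s, v);
    return 1;
}

int bad_display_value(void) { return hf_bad.display; }   /* 1: the flag bit is gone */

int main(void) {
    char label[240];
    const char *e;
    e = check_hf(&hf_bad);
    printf("bad  display = 0x%02x, check: %s\n", hf_bad.display,  e ? e : "ok");
    e = check_hf(&hf_good);
    printf("good display = 0x%02x, check: %s\n", hf_good.display, e ? e : "ok");
    fill_label(&hf_good, 0x03, label, sizeof label);
    puts(label);
    return 0;
}
```

With plain pointer casts, the value 1 produced by `||` is indistinguishable at run time from a legitimately chosen BASE_DEC, which is why this toy records the table kind at the RVALS() site; without such a tag the mismatch can only be caught earlier, and both GCC (-Wlogical-op) and clang (-Wconstant-logical-operand) warn when a logical operator is applied to constant operands.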