Buildbot crash output: fuzz-2007-12-17-25605.pcap

This issue was migrated from bug 2112 in our old bug tracker.

Original bug information:

Reporter: Buildbot Builder
Status: RESOLVED FIXED
Product: Wireshark
Component: TShark
OS: Linux
Platform: x86
Version: unspecified

Buildbot Builder said:

Build Information:

Problems have been found with the following capture file:

http://www.wireshark.org/download/automated/captures/fuzz-2007-12-17-25605.pcap

stderr:

** ERROR **: Per-packet memory corrupted.
aborting...

[ no debug trace ]

added clitshark crash oslinux labels

Bill Meier said:

Windows Wireshark (SVN 23898) gives error message:

13:25:19 Warn Dissector bug, protocol H.225.0, in packet 5011: STATUS_A CCESS_VIOLATION: dissector accessed an invalid memory address

Gerald Combs said:

After tweaking emem.c to use g_malloc(), Valgrind says:

==5705== Invalid write of size 8
==5705==    at 0x5FFDFA4: dissect_h245_T_mediaChannel (h245.cnf:719)
==5705==    by 0x5E50784: dissect_per_sequence (packet-per.c:1530)
==5705==    by 0x600062A: dissect_h245_H2250LogicalChannelParameters (h245.cnf:824)
==5705==    by 0x5E510CD: dissect_per_choice (packet-per.c:1388)
==5705==    by 0x5FFDE53: dissect_h245_OLC_forw_multiplexParameters (h245.cnf:851)
==5705==    by 0x5E50784: dissect_per_sequence (packet-per.c:1530)
==5705==    by 0x60005D5: dissect_h245_T_forwardLogicalChannelParameters (h245.cnf:143)
==5705==    by 0x5E50784: dissect_per_sequence (packet-per.c:1530)
==5705==    by 0x6004553: dissect_h245_OpenLogicalChannel (h245.cnf:118)
==5705==    by 0x6004C1F: dissect_h245_OpenLogicalChannelCodec (h245.cnf:410)
==5705==    by 0x5FFA9A7: dissect_h225_FastStart_item (h225.cnf:275)
==5705==    by 0x5E4E6D5: dissect_per_sequence_of_helper (packet-per.c:496)
==5705==  Address 0xFDAE7B0 is 0 bytes inside a block of size 96 free'd
==5705==    at 0x4C2182B: free (vg_replace_malloc.c:233)
==5705==    by 0x5B51FFE: ep_free_all (emem.c:732)
==5705==    by 0x5B531D0: epan_dissect_run (epan.c:159)
==5705==    by 0x41A565: process_packet (tshark.c:2406)
==5705==    by 0x41D0DA: main (tshark.c:2205)
==5705==

It looks like upcoming_channel->upcoming_addr isn't getting set back to NULL after dissecting a packet.

Tomas Kukosa said:

I am hunting for wrong code but without succeed. The upcoming_channel->upcoming_addr is set back to NULL at the end of mediaChannel and mediaControlChannel fields. The whole upcoming_channel is set back to NULL at the end of forwardMultiplexAckParameters and reverseLogicalChannelParameters (in the same functions where it is allocated) Unfortunately it does not crash on my Windows environment. Any additional hint is welcome.

Jeff Morriss said:

The problem with code like this (this is the generated code in epan/dissectors/packet-h245.c):

~~~
#line 718 "h245.cnf"
  if (upcoming_channel)
    upcoming_channel->upcoming_addr = &upcoming_channel->media_addr;

  offset = dissect_h245_TransportAddress(tvb, offset, actx, tree, hf_index);

#line 722 "h245.cnf"
  if (upcoming_channel)
    upcoming_channel->upcoming_addr = NULL;
~~~

is that we may take an exception in dissect_h245_TransportAddress() and never set upcoming_addr to NULL.

If that is really the problem then this patch should fix it:

Index: asn1/h245/packet-h245-template.c
===================================================================
--- asn1/h245/packet-h245-template.c    (revision 23898)
+++ asn1/h245/packet-h245-template.c    (working copy)
@@ -350,6 +350,10 @@
 static void
 dissect_h245(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
 {
+       /* Clean up from any previous packet dissection */
+       if(upcoming_channel)
+           upcoming_channel = NULL;
+
        /*
         * MultimediaSystemControlMessage_handle is the handle for
         * dissect_h245_h245, so we don't want to do any h245_pi or tap stuff here.
@@ -366,6 +370,10 @@
        guint32 offset=0;
        asn1_ctx_t asn1_ctx;

+       /* Clean up from any previous packet dissection */
+       if(upcoming_channel)
+           upcoming_channel = NULL;
+
        if (check_col(pinfo->cinfo, COL_PROTOCOL)){
                col_set_str(pinfo->cinfo, COL_PROTOCOL, PSNAME);
        }


I haven't checked that in because I haven't been able to reproduce the problem (yet--maybe tomorrow).

Stephen Fisher said:

Backtrace on OS X, FWIW:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xebfe5f86
0xffff07c7 in ___memcpy () at /System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h:228
228     /System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h: No such file or directory.
        in /System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h
(gdb) bt
#0  0xffff07c7 in ___memcpy () at /System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h:228
#1  0x00000004 in ?? ()
#2  0x03dabf3d in tvb_memcpy (tvb=0xadf0018, target=0xebfe5f86, offset=0, length=4) at tvbuff.c:1008
#3  0x04359ce7 in dissect_h245_Ipv4_network (tvb=0xaddcec8, offset=95, actx=0xbfffd3d8, tree=0x90db290, hf_index=19508) at h245.cnf:695
#4  0x041337b9 in dissect_per_sequence (tvb=0xaddcec8, offset=95, actx=0xbfffd3d8, parent_tree=0x90db290, hf_index=19507, ett_index=6036, sequence=0x4f04e00) at packet-per.c:1530
#5  0x04359dc8 in dissect_h245_T_iPAddress (tvb=0xaddcec8, offset=94, actx=0xbfffd3d8, tree=0x90db290, hf_index=19507) at h245.cnf:722
#6  0x041335ce in dissect_per_choice (tvb=0xaddcec8, offset=90, actx=0xbfffd3d8, tree=0x90db290, hf_index=19505, ett_index=6035, choice=0x4f04c60, value=0x0) at packet-per.c:1386
#7  0x0435a093 in dissect_h245_UnicastAddress (tvb=0xaddcec8, offset=90, actx=0xbfffd3d8, tree=0x90db290, hf_index=19505) at h245.cnf:866
#8  0x041335ce in dissect_per_choice (tvb=0xaddcec8, offset=88, actx=0xbfffd3d8, tree=0x90db290, hf_index=19470, ett_index=6034, choice=0x4f04b40, value=0x0) at packet-per.c:1386
#9  0x0435a1d7 in dissect_h245_TransportAddress (tvb=0xaddcec8, offset=88, actx=0xbfffd3d8, tree=0x90db290, hf_index=19470) at h245.cnf:944
#10 0x0435a21f in dissect_h245_T_mediaChannel (tvb=0xaddcec8, offset=88, actx=0xbfffd3d8, tree=0x90db290, hf_index=19470) at h245.cnf:721
#11 0x041337b9 in dissect_per_sequence (tvb=0xaddcec8, offset=88, actx=0xbfffd3d8, parent_tree=0x90db290, hf_index=19363, ett_index=6012, sequence=0x4f00240) at packet-per.c:1530
#12 0x0435a414 in dissect_h245_H2250LogicalChannelParameters (tvb=0xaddcec8, offset=64, actx=0xbfffd3d8, tree=0x90db290, hf_index=19363) at h245.cnf:824
#13 0x04133617 in dissect_per_choice (tvb=0xaddcec8, offset=48, actx=0xbfffd3d8, tree=0x90db290, hf_index=19359, ett_index=5975, choice=0x4f04ae0, value=0x0) at packet-per.c:1388
#14 0x0435a469 in dissect_h245_OLC_forw_multiplexParameters (tvb=0xaddcec8, offset=48, actx=0xbfffd3d8, tree=0x90db290, hf_index=19359) at h245.cnf:851
#15 0x041337b9 in dissect_per_sequence (tvb=0xaddcec8, offset=48, actx=0xbfffd3d8, parent_tree=0x90db290, hf_index=19356, ett_index=5974, sequence=0x4f04a80) at packet-per.c:1530
#16 0x0435a4c0 in dissect_h245_T_forwardLogicalChannelParameters (tvb=0xaddcec8, offset=24, actx=0xbfffd3d8, tree=0x90db290, hf_index=19356) at h245.cnf:143
#17 0x041337b9 in dissect_per_sequence (tvb=0xaddcec8, offset=24, actx=0xbfffd3d8, parent_tree=0x90db290, hf_index=18641, ett_index=5973, sequence=0x4f04760) at packet-per.c:1530
#18 0x0435aa57 in dissect_h245_OpenLogicalChannel (tvb=0xaddcec8, offset=0, actx=0xbfffd3d8, tree=0x90db290, hf_index=18641) at h245.cnf:118
#19 0x043610cd in dissect_h245_OpenLogicalChannelCodec (tvb=0xaddcec8, pinfo=0xc086488, tree=0x90db290, codec_str=0xbfffd4ba "???yx\004A") at h245.cnf:410
#20 0x0434c8d3 in dissect_h225_FastStart_item (tvb=0xaddce58, offset=520, actx=0xbfffd9d8, tree=0x90db290, hf_index=17883) at h225.cnf:275
#21 0x041306eb in dissect_per_sequence_of_helper (tvb=0xaddce58, offset=520, actx=0xbfffd9d8, tree=0x90e5008, func=0x434c7df <dissect_h225_FastStart_item>, hf_index=17883, length=8) at packet-per.c:496
#22 0x041310d9 in dissect_per_sequence_of (tvb=0xaddce58, offset=512, actx=0xbfffd9d8, parent_tree=0x90e5008, hf_index=17815, ett_index=5545, seq=0x4ef3360) at packet-per.c:527
#23 0x0434c927 in dissect_h225_FastStart (tvb=0xaddce58, offset=512, actx=0xbfffd9d8, tree=0x90e5008, hf_index=17815) at h225.cnf:295
#24 0x04133aa8 in dissect_per_sequence (tvb=0xaddce58, offset=496, actx=0xbfffd9d8, parent_tree=0x90e5008, hf_index=17772, ett_index=5541, sequence=0x4ef3f20) at packet-per.c:1616
#25 0x0434dc56 in dissect_h225_Setup_UUIE (tvb=0xaddce58, offset=8, actx=0xbfffd9d8, tree=0x90e5008, hf_index=17772) at h225.cnf:385
#26 0x041335ce in dissect_per_choice (tvb=0xaddce58, offset=4, actx=0xbfffd9d8, tree=0x90e5008, hf_index=17771, ett_index=5523, choice=0x4ef2fe0, value=0xbfffd7ac) at packet-per.c:1386
#27 0x0434e809 in dissect_h225_T_h323_message_body (tvb=0xaddce58, offset=4, actx=0xbfffd9d8, tree=0x90e5008, hf_index=17771) at h225.cnf:244
#28 0x041337b9 in dissect_per_sequence (tvb=0xaddce58, offset=4, actx=0xbfffd9d8, parent_tree=0x90e5008, hf_index=17767, ett_index=5522, sequence=0x4ef2e00) at packet-per.c:1530
#29 0x0434eda1 in dissect_h225_H323_UU_PDU (tvb=0xaddce58, offset=2, actx=0xbfffd9d8, tree=0x90e5008, hf_index=17767) at h225.cnf:616
#30 0x041337b9 in dissect_per_sequence (tvb=0xaddce58, offset=2, actx=0xbfffd9d8, parent_tree=0x90e5008, hf_index=17764, ett_index=5520, sequence=0x4ef2d80) at packet-per.c:1530
#31 0x04351789 in dissect_h225_H323UserInformation (tvb=0xaddce58, pinfo=0xc086488, tree=0x90db500) at h225.cnf:656
#32 0x03d854a7 in call_dissector_through_handle (handle=0xa343a20, tvb=0xaddce58, pinfo=0xc086488, tree=0x90db500) at packet.c:394
#33 0x03d85b1c in call_dissector_work (handle=0xa343a20, tvb=0xaddce58, pinfo_arg=0xc086488, tree=0x90db500) at packet.c:485
#34 0x03d870a8 in call_dissector (handle=0xa343a20, tvb=0xaddce58, pinfo=0xc086488, tree=0x90db500) at packet.c:1787
#35 0x0415a17d in dissect_q931_IEs (tvb=0xaddcf00, pinfo=0xc086488, root_tree=0x90db500, q931_tree=0x90dbab8, is_tpkt=1, offset=46, initial_codeset=0) at packet-q931.c:2692
#36 0x0415c08f in dissect_q931_pdu (tvb=0xaddcf00, pinfo=0xc086488, tree=0x90db500, is_tpkt=1) at packet-q931.c:2450
#37 0x03d854cb in call_dissector_through_handle (handle=0xa35fd30, tvb=0xaddcf00, pinfo=0xc086488, tree=0x90db500) at packet.c:396
#38 0x03d85b1c in call_dissector_work (handle=0xa35fd30, tvb=0xaddcf00, pinfo_arg=0xc086488, tree=0x90db500) at packet.c:485
#39 0x03d870a8 in call_dissector (handle=0xa35fd30, tvb=0xaddcf00, pinfo=0xc086488, tree=0x90db500) at packet.c:1787
#40 0x0425df9b in dissect_tpkt_encap (tvb=0xadf0398, pinfo=0xc086488, tree=0x90db500, desegment=1, subdissector_handle=0xa35fd30) at packet-tpkt.c:554
#41 0x0415c762 in dissect_q931_tpkt_heur (tvb=0xadf0398, pinfo=0xc086488, tree=0x90db500) at packet-q931.c:3080
#42 0x03d86bda in dissector_try_heuristic (sub_dissectors=0xa71b2a0, tvb=0xadf0398, pinfo=0xc086488, tree=0x90db500) at packet.c:1595
#43 0x042484ff in decode_tcp_ports (tvb=0xadf03d0, offset=20, pinfo=0xc086488, tree=0x90db500, src_port=36150, dst_port=1720, tcpd=0xb3bfd00) at packet-tcp.c:2383
#44 0x0424899a in process_tcp_payload (tvb=0xadf03d0, offset=20, pinfo=0xc086488, tree=0x90db500, tcp_tree=0x90e51d0, src_port=36150, dst_port=1720, seq=0, nxtseq=0, is_tcp_segment=0, tcpd=0xb3bfd00) at packet-tcp.c:2427
#45 0x04248e8a in dissect_tcp_payload (tvb=0xadf03d0, pinfo=0xc086488, offset=20, seq=1, nxtseq=448, sport=36150, dport=1720, tree=0x90db500, tcp_tree=0x90e51d0, tcpd=0xb3bfd00) at packet-tcp.c:1495
#46 0x0424ab2a in dissect_tcp (tvb=0xadf03d0, pinfo=0xc086488, tree=0x90db500) at packet-tcp.c:3154
#47 0x03d854cb in call_dissector_through_handle (handle=0xa8fe810, tvb=0xadf03d0, pinfo=0xc086488, tree=0x90db500) at packet.c:396
#48 0x03d85b1c in call_dissector_work (handle=0xa8fe810, tvb=0xadf03d0, pinfo_arg=0xc086488, tree=0x90db500) at packet.c:485
#49 0x03d85ebb in dissector_try_port (sub_dissectors=0xa3529c0, port=6, tvb=0xadf03d0, pinfo=0xc086488, tree=0x90db500) at packet.c:870
#50 0x04015c8b in dissect_ip (tvb=0xadf01d8, pinfo=0xc086488, parent_tree=0x90db500) at packet-ip.c:1564
#51 0x03d854cb in call_dissector_through_handle (handle=0xa352a10, tvb=0xadf01d8, pinfo=0xc086488, tree=0x90db500) at packet.c:396
#52 0x03d85b1c in call_dissector_work (handle=0xa352a10, tvb=0xadf01d8, pinfo_arg=0xc086488, tree=0x90db500) at packet.c:485
#53 0x03d85ebb in dissector_try_port (sub_dissectors=0xa3405b0, port=2048, tvb=0xadf01d8, pinfo=0xc086488, tree=0x90db500) at packet.c:870
#54 0x03f62400 in ethertype (etype=2048, tvb=0xaddcf38, offset_after_etype=14, pinfo=0xc086488, tree=0x90db500, fh_tree=0x90db6e0, etype_id=13464, trailer_id=13466, fcs_len=-1) at packet-ethertype.c:214
#55 0x03f5f15f in dissect_eth_common (tvb=0xaddcf38, pinfo=0xc086488, parent_tree=0x90db500, fcs_len=-1) at packet-eth.c:338
#56 0x03d854cb in call_dissector_through_handle (handle=0xa8d24a0, tvb=0xaddcf38, pinfo=0xc086488, tree=0x90db500) at packet.c:396
#57 0x03d85b1c in call_dissector_work (handle=0xa8d24a0, tvb=0xaddcf38, pinfo_arg=0xc086488, tree=0x90db500) at packet.c:485
#58 0x03d85ebb in dissector_try_port (sub_dissectors=0xa3417c0, port=1, tvb=0xaddcf38, pinfo=0xc086488, tree=0x90db500) at packet.c:870
#59 0x03f9144f in dissect_frame (tvb=0xaddcf38, pinfo=0xc086488, parent_tree=0x90db500) at packet-frame.c:300
#60 0x03d854cb in call_dissector_through_handle (handle=0xa341840, tvb=0xaddcf38, pinfo=0xc086488, tree=0x90db500) at packet.c:396
#61 0x03d85b1c in call_dissector_work (handle=0xa341840, tvb=0xaddcf38, pinfo_arg=0xc086488, tree=0x90db500) at packet.c:485
#62 0x03d870a8 in call_dissector (handle=0xa341840, tvb=0xaddcf38, pinfo=0xc086488, tree=0x90db500) at packet.c:1787
#63 0x03d87587 in dissect_packet (edt=0xc086480, pseudo_header=0xb289b4c, pd=0x90c5400 "", fd=0xadf3ce8, cinfo=0x1702ec) at packet.c:332
#64 0x0000d9aa in add_packet_to_packet_list (fdata=0xadf3ce8, cf=0x1601d0, dfcode=0x0, pseudo_header=0xb289b4c, buf=0x90c5400 "", refilter=1) at file.c:960
#65 0x0000dd39 in read_packet (cf=0x1601d0, dfcode=0x0, offset=660621) at file.c:1094
#66 0x0000e64b in cf_read (cf=0x1601d0) at file.c:496
#67 0x0001acd3 in main (argc=0, argv=0xbffff7e8) at main.c:3025

Stephen Fisher said:

Bug #‍2113 appears to be a duplicate of this one.

Stephen Fisher said:

Bug #‍2115 appears to be a duplicate of this one.

Stephen Fisher said:

Bug #‍2118 appears to be a duplicate of this one.

Tomas Kukosa said:

fixed with revision: 23915

Tomas Kukosa said:

*** Bug #2113 (closed) has been marked as a duplicate of this bug. ***

Tomas Kukosa said:

*** Bug #2114 (closed) has been marked as a duplicate of this bug. ***

Tomas Kukosa said:

*** Bug #2115 (closed) has been marked as a duplicate of this bug. ***

Tomas Kukosa said:

*** Bug #2118 (closed) has been marked as a duplicate of this bug. ***

Jeff Morriss said:

*** Bug #2119 (closed) has been marked as a duplicate of this bug. ***

Jeff Morriss said:

*** Bug #2120 (closed) has been marked as a duplicate of this bug. ***

Jeff Morriss said:

*** Bug #2121 (closed) has been marked as a duplicate of this bug. ***

Jeff Morriss said:

*** Bug #2122 (closed) has been marked as a duplicate of this bug. ***

Jeff Morriss said:

*** Bug #2123 (closed) has been marked as a duplicate of this bug. ***