Buildbot crash output: fuzz-2013-04-20-29140.pcap

This issue was migrated from bug 8599 in our old bug tracker.

Original bug information:

Reporter: Buildbot Builder
Status: RESOLVED FIXED
Product: Wireshark
Component: Dissection engine (libwireshark)
OS: Ubuntu
Platform: x86-64
Version: unspecified

Buildbot Builder said:

Problems have been found with the following capture file:

http://www.wireshark.org/download/automated/captures/fuzz-2013-04-20-29140.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/522-etherXXXXa02288

Build host information:
Linux wsbb04 3.2.0-40-generic #64-Ubuntu SMP Mon Mar 25 21:22:10 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Distributor ID:	Ubuntu
Description:	Ubuntu 12.04.2 LTS
Release:	12.04
Codename:	precise

Buildbot information:
BUILDBOT_REPOSITORY=http://code.wireshark.org/git/wireshark
BUILDBOT_BUILDNUMBER=1876
BUILDBOT_URL=http://buildbot.wireshark.org/trunk/
BUILDBOT_BUILDERNAME=Clang-Code-Analysis
BUILDBOT_SLAVENAME=clang-code-analysis
BUILDBOT_GOT_REVISION=cf0a2c952e30fe6bf250fc04a76c423881e4b448

Return value:  139

Dissector bug:  0

Valgrind error count:  0



Git commit
commit cf0a2c952e30fe6bf250fc04a76c423881e4b448
Author: Alexis La Goutte <alexis.lagoutte@gmail.com>
Date:   Sat Apr 20 09:49:12 2013 +0000

    Remove expert info for bit AD in DNS query

    See Section 5.7 (Setting the AD Bit on Queries) of RFC 6840 (Clarifications and Implementation Notes for DNS Security (DNSSEC))

    The semantics of the Authentic Data (AD) bit in the query were
    previously undefined.  Section 4.6 of [RFC4035] instructed resolvers
    to always clear the AD bit when composing queries.

    This document defines setting the AD bit in a query as a signal
    indicating that the requester understands and is interested in the
    value of the AD bit in the response. This allows a requester to
    indicate that it understands the AD bit without also requesting
    DNSSEC data via the DO bit.

    svn path=/trunk/; revision=48942


Command and args: ./tshark -nr


[ no debug trace ]

added crash libwireshark osubuntu labels

Evan Huus said:

==11865== Conditional jump or move depends on uninitialised value(s)
==11865==    at 0x63C1FA9: fragment_add_seq_common (reassemble.c:1826)
==11865==    by 0x63C21E5: fragment_add_seq_check_work (reassemble.c:1969)
==11865==    by 0x63C2897: fragment_add_seq_next (reassemble.c:2037)
==11865==    by 0x687AC2A: dissect_ositp_internal (packet-ositp.c:1186)
==11865==    by 0x63A39CE: call_dissector_through_handle (packet.c:454)
==11865==    by 0x63A41BC: call_dissector_work (packet.c:549)
==11865==    by 0x63A5F40: call_dissector_with_data (packet.c:2073)
==11865==    by 0x6A27A58: dissect_tpkt_encap (packet-tpkt.c:554)
==11865==    by 0x63A3987: call_dissector_through_handle (packet.c:458)
==11865==    by 0x63A41BC: call_dissector_work (packet.c:549)
==11865==    by 0x63A4A0F: dissector_try_uint_new (packet.c:966)
==11865==    by 0x63A4A66: dissector_try_uint (packet.c:992)
==11865==
==11865== Conditional jump or move depends on uninitialised value(s)
==11865==    at 0x6B50F50: dissect_mms_MMSpdu (mms.cnf:46)
==11865==    by 0x6B5102F: dissect_mms (packet-mms-template.c:76)
==11865==    by 0x63A3987: call_dissector_through_handle (packet.c:458)
==11865==    by 0x63A41BC: call_dissector_work (packet.c:549)
==11865==    by 0x63A4CFE: dissector_try_string (packet.c:1225)
==11865==    by 0x64A3E01: call_ber_oid_callback (packet-ber.c:994)
==11865==    by 0x6BAA720: dissect_pres_T_single_ASN1_type (pres.cnf:44)
==11865==    by 0x649CE8B: dissect_ber_choice (packet-ber.c:3399)
==11865==    by 0x6BA976F: dissect_pres_T_presentation_data_values (pres.cnf:101)
==11865==    by 0x64A2986: dissect_ber_sequence (packet-ber.c:2222)
==11865==    by 0x6BA942F: dissect_pres_PDV_list (pres.cnf:118)
==11865==    by 0x649FD28: dissect_ber_sq_of (packet-ber.c:4187)
==11865==
==11865== Use of uninitialised value of size 8
==11865==    at 0x6B50F5D: dissect_mms_MMSpdu (mms.cnf:46)
==11865==    by 0x6B5102F: dissect_mms (packet-mms-template.c:76)
==11865==    by 0x63A3987: call_dissector_through_handle (packet.c:458)
==11865==    by 0x63A41BC: call_dissector_work (packet.c:549)
==11865==    by 0x63A4CFE: dissector_try_string (packet.c:1225)
==11865==    by 0x64A3E01: call_ber_oid_callback (packet-ber.c:994)
==11865==    by 0x6BAA720: dissect_pres_T_single_ASN1_type (pres.cnf:44)
==11865==    by 0x649CE8B: dissect_ber_choice (packet-ber.c:3399)
==11865==    by 0x6BA976F: dissect_pres_T_presentation_data_values (pres.cnf:101)
==11865==    by 0x64A2986: dissect_ber_sequence (packet-ber.c:2222)
==11865==    by 0x6BA942F: dissect_pres_PDV_list (pres.cnf:118)
==11865==    by 0x649FD28: dissect_ber_sq_of (packet-ber.c:4187)
==11865==
==11865== Conditional jump or move depends on uninitialised value(s)
==11865==    at 0x63C1FA9: fragment_add_seq_common (reassemble.c:1826)
==11865==    by 0x63C21E5: fragment_add_seq_check_work (reassemble.c:1969)
==11865==    by 0x63C2897: fragment_add_seq_next (reassemble.c:2037)
==11865==    by 0x68A15F8: dissect_pop (packet-pop.c:233)
==11865==    by 0x63A3987: call_dissector_through_handle (packet.c:458)
==11865==    by 0x63A41BC: call_dissector_work (packet.c:549)
==11865==    by 0x63A4A0F: dissector_try_uint_new (packet.c:966)
==11865==    by 0x63A4A66: dissector_try_uint (packet.c:992)
==11865==    by 0x6A070B6: decode_tcp_ports (packet-tcp.c:3950)
==11865==    by 0x6A074B1: process_tcp_payload (packet-tcp.c:4009)
==11865==    by 0x6A07A8C: dissect_tcp_payload (packet-tcp.c:1830)
==11865==    by 0x6A09459: dissect_tcp (packet-tcp.c:4869)

Evan Huus said:

The fragment_add_seq_common bug fixed in r48943.

The mms bug still exists.

Evan Huus said:

Other half of this fixed in r48944.

Evan Huus said:

r48944 scheduled for backport, the other was a recent trunk change and doesn't apply.

closed