DCOM-SYSACT dissector crash

This issue was migrated from bug 8828 in our old bug tracker.

Original bug information:

Reporter: Laurent Butti
Status: RESOLVED FIXED
Product: Wireshark
Component: GTK+ UI
OS: Ubuntu
Platform: x86-64
Version: 1.10.0

Attachments:

packet-dcom-sysact.pcap: capture
: This is a screen capture corresponding to comments #‍9.

See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4922
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4923
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4924
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4925

Laurent Butti said:

Created attachment 11029 capture

Build Information: TShark 1.10.0 (SVN Rev Unknown from unknown)

Copyright 1998-2013 Gerald Combs <gerald@‍wireshark.org> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without POSIX capabilities, without libnl, without SMI, without c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos, without GeoIP.

Running on Linux 3.2.0-43-generic, with locale en_US.UTF-8, with libpcap version 1.1.1, with libz 1.2.3.4. AMD Athlon(tm) Dual Core Processor 5000B

Built using gcc 4.6.3.

Hi,

Here is a PCAP file triggering a SIGABRT that could enable (at least) a remote
party to trigger a denial of service.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

--

Program received signal SIGABRT, Aborted.
0x00007ffff297f425 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff297f425 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff2982b8b in __GI_abort () at abort.c:91
#2  0x00007ffff29bd39e in __libc_message (do_abort=2, fmt=0x7ffff2ac7008 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
#3  0x00007ffff29c7b96 in malloc_printerr (action=3, str=0x7ffff2ac7118 "double free or corruption (!prev)", ptr=<optimized out>) at malloc.c:5018
#4  0x00007ffff5028c2c in dissect_dcom_ActivationProperties (tvb=0x177d300, offset=<optimized out>, pinfo=0x7fffffffd650, tree=<optimized out>,
    drep=0x7fffffffc434 "", size=<optimized out>) at packet-dcom-sysact.c:419
#5  0x00007ffff502c06b in dissect_dcom_CUSTOBJREF (tvb=0x177d300, offset=96, pinfo=0x7fffffffd650, tree=<optimized out>, drep=0x7fffffffc434 "",
    hfindex=<optimized out>, clsid=0x7fffffffbf40, iid=0x7fffffffbf30) at packet-dcom.c:2014
#6  0x00007ffff502c32c in dissect_dcom_OBJREF (tvb=0x177d300, offset=72, pinfo=0x7fffffffd650, tree=<optimized out>, drep=0x7fffffffc434 "", hfindex=897,
    interf=0x0) at packet-dcom.c:2073
#7  0x00007ffff502c479 in dissect_dcom_MInterfacePointer (tvb=0x177d300, offset=<optimized out>, pinfo=0x7fffffffd650, tree=<optimized out>,
    drep=0x7fffffffc434 "", hfindex=897, interf=0x0) at packet-dcom.c:2123
#8  0x00007ffff502cb1a in dissect_dcom_PMInterfacePointer (tvb=0x177d300, offset=<optimized out>, pinfo=0x7fffffffd650, tree=0x0, drep=0x7fffffffc434 "",
    hfindex=897, interf=0x0) at packet-dcom.c:2142
#9  0x00007ffff50293c0 in dissect_remsysact_remotecreateinstance_rqst (tvb=0x177d300, offset=<optimized out>, pinfo=0x7fffffffd650, tree=0x0,
    drep=0x7fffffffc434 "") at packet-dcom-sysact.c:1110
#10 0x00007ffff5019b70 in dcerpc_try_handoff (pinfo=0x7fffffffd650, tree=0x0, dcerpc_tree=<optimized out>, tvb=0x177d300, decrypted_tvb=<optimized out>,
    drep=0x7fffffffc434 "", info=0x7ffff76c25a8, auth_info=0x7fffffffc3d0) at packet-dcerpc.c:2688
#11 0x00007ffff4e054f4 in dissect_dcerpc_cn_stub (tvb=0x1781c60, offset=<optimized out>, pinfo=0x7fffffffd650, dcerpc_tree=0x0, tree=0x0, hdr=0x7fffffffc430,
    di=0x7ffff76c25a8, auth_info=0x7fffffffc3d0, frame=15102, alloc_hint=<optimized out>) at packet-dcerpc.c:3344
#12 0x00007ffff501d36c in dissect_dcerpc_cn_resp (hdr=<optimized out>, tree=<optimized out>, dcerpc_tree=<optimized out>, pinfo=<optimized out>,
    offset=<optimized out>, tvb=<optimized out>) at packet-dcerpc.c:3843
#13 dissect_dcerpc_cn (tvb=<optimized out>, offset=<optimized out>, pinfo=0x7fffffffd650, tree=0x0, can_desegment=<optimized out>, pkt_len=0x7fffecc582f8)
    at packet-dcerpc.c:4647
#14 0x00007ffff501ed7d in dissect_dcerpc_cn_bs_body (tvb=0x1781ea0, pinfo=0x7fffffffd650, tree=0x0) at packet-dcerpc.c:4733
#15 0x00007ffff4e31241 in dissector_try_heuristic (sub_dissectors=<optimized out>, tvb=0x1781ea0, pinfo=0x7fffffffd650, tree=0x0, data=0x0) at packet.c:1804
#16 0x00007ffff54959c4 in decode_tcp_ports (tvb=<optimized out>, offset=<optimized out>, pinfo=0x7fffffffd650, tree=0x0, src_port=<optimized out>,
    dst_port=<optimized out>, tcpd=0x7fffecc58338) at packet-tcp.c:3963
#17 0x00007ffff5495efe in process_tcp_payload (tvb=0x1782060, offset=20, pinfo=0x7fffffffd650, tree=0x0, tcp_tree=0x0, src_port=2172, dst_port=135, seq=0,
    nxtseq=0, is_tcp_segment=0, tcpd=0x7fffecc58338) at packet-tcp.c:4008
#18 0x00007ffff54964ae in desegment_tcp (tcpd=0x7fffecc58338, tcp_tree=0x0, tree=0x0, dport=135, sport=2172, nxtseq=1943221288, seq=1943220468, offset=20,
    pinfo=0x7fffffffd650, tvb=0x1782060) at packet-tcp.c:1830
#19 dissect_tcp_payload (tvb=0x1782060, pinfo=0x7fffffffd650, offset=<optimized out>, seq=<optimized out>, nxtseq=1943221288, sport=2172, dport=135,
    tree=0x0, tcp_tree=0x0, tcpd=0x7fffecc58338) at packet-tcp.c:4075
#20 0x00007ffff5497933 in dissect_tcp (tvb=0x1782060, pinfo=0x7fffffffd650, tree=0x0) at packet-tcp.c:4853
#21 0x00007ffff4e2f2a8 in call_dissector_through_handle (handle=0x1160190, tvb=0x1782060, pinfo=0x7fffffffd650, tree=0x0, data=0x0) at packet.c:458
#22 0x00007ffff4e2fbc5 in call_dissector_work (handle=0x1160190, tvb=0x1782060, pinfo_arg=0x7fffffffd650, tree=0x0, add_proto_name=1, data=0x0)
    at packet.c:549
#23 0x00007ffff4e30453 in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=6, tvb=0x1782060, pinfo=0x7fffffffd650, tree=0x0,
    add_proto_name=1, data=0x0) at packet.c:966
#24 0x00007ffff4e304a7 in dissector_try_uint (sub_dissectors=<optimized out>, uint_val=<optimized out>, tvb=<optimized out>, pinfo=<optimized out>,
    tree=<optimized out>) at packet.c:992
#25 0x00007ffff51bb7b3 in dissect_ip (tvb=0x1781d20, pinfo=<optimized out>, parent_tree=0x0) at packet-ip.c:2418
#26 0x00007ffff4e2f2a8 in call_dissector_through_handle (handle=0xc75ae0, tvb=0x1781d20, pinfo=0x7fffffffd650, tree=0x0, data=0x0) at packet.c:458
#27 0x00007ffff4e2fbc5 in call_dissector_work (handle=0xc75ae0, tvb=0x1781d20, pinfo_arg=0x7fffffffd650, tree=0x0, add_proto_name=1, data=0x0) at packet.c:549
#28 0x00007ffff4e30453 in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=2048, tvb=0x1781d20, pinfo=0x7fffffffd650, tree=0x0,
    add_proto_name=1, data=0x0) at packet.c:966
#29 0x00007ffff4e304a7 in dissector_try_uint (sub_dissectors=<optimized out>, uint_val=<optimized out>, tvb=<optimized out>, pinfo=<optimized out>,
    tree=<optimized out>) at packet.c:992
#30 0x00007ffff5091822 in ethertype (etype=2048, tvb=0x1781d80, offset_after_etype=14, pinfo=0x7fffffffd650, tree=0x0, fh_tree=0x0, etype_id=23707,
    trailer_id=23711, fcs_len=-1) at packet-ethertype.c:280
#31 0x00007ffff50902b9 in dissect_eth_common (tvb=0x1781d80, pinfo=0x7fffffffd650, parent_tree=0x0, fcs_len=-1) at packet-eth.c:404
#32 0x00007ffff4e2f2a8 in call_dissector_through_handle (handle=0xa5dc30, tvb=0x1781d80, pinfo=0x7fffffffd650, tree=0x0, data=0x0) at packet.c:458
#33 0x00007ffff4e2fbc5 in call_dissector_work (handle=0xa5dc30, tvb=0x1781d80, pinfo_arg=0x7fffffffd650, tree=0x0, add_proto_name=1, data=0x0) at packet.c:549
#34 0x00007ffff4e30453 in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=1, tvb=0x1781d80, pinfo=0x7fffffffd650, tree=0x0,
    add_proto_name=1, data=0x0) at packet.c:966
#35 0x00007ffff4e304a7 in dissector_try_uint (sub_dissectors=<optimized out>, uint_val=<optimized out>, tvb=<optimized out>, pinfo=<optimized out>,
    tree=<optimized out>) at packet.c:992
---Type <return> to continue, or q <return> to quit---
#36 0x00007ffff50c5108 in dissect_frame (tvb=0x1781d80, pinfo=0x7fffffffd650, parent_tree=0x0) at packet-frame.c:481
#37 0x00007ffff4e2f2a8 in call_dissector_through_handle (handle=0x74c5d0, tvb=0x1781d80, pinfo=0x7fffffffd650, tree=0x0, data=0x0) at packet.c:458
#38 0x00007ffff4e2fbc5 in call_dissector_work (handle=0x74c5d0, tvb=0x1781d80, pinfo_arg=0x7fffffffd650, tree=0x0, add_proto_name=1, data=0x0) at packet.c:549
#39 0x00007ffff4e31991 in call_dissector_with_data (handle=<optimized out>, tvb=0x1781d80, pinfo=0x7fffffffd650, tree=0x0, data=<optimized out>)
    at packet.c:2073
#40 0x00007ffff4e31d64 in dissect_packet (edt=0x7fffffffd640, phdr=0xffffffffffffffc0, pd=0x1753dd0 "", fd=0x7fffffffd830, cinfo=0x0) at packet.c:392
#41 0x00007ffff4e277dc in epan_dissect_run_with_taps (edt=0x7fffffffd640, phdr=0x174ece0, data=0x1753dd0 "", fd=0x7fffffffd830, cinfo=<optimized out>)
    at epan.c:217
#42 0x000000000041935e in process_packet (cf=0x643b00, offset=<optimized out>, whdr=0x174ece0, pd=0x1753dd0 "", filtering_tap_listeners=<optimized out>,
    tap_flags=<optimized out>) at tshark.c:3251
#43 0x000000000040b519 in load_cap_file (max_byte_count=0, max_packet_count=-15101, out_file_name_res=0, out_file_type=2, save_file=0x0, cf=<optimized out>)
    at tshark.c:3046
#44 main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1918
(gdb) python import exploitable
(gdb) exploitable -v
'exploitable' version 1.04
Linux nitro 3.2.0-43-generic #68-Ubuntu SMP Wed May 15 03:33:33 UTC 2013 x86_64
Signal si_signo: 6 Signal si_addr: 0x3e8000054c7
Nearby code:
   0x00007ffff297f415 <+37>:    movsxd rdx,edi
   0x00007ffff297f418 <+40>:    movsxd rsi,esi
   0x00007ffff297f41b <+43>:    movsxd rdi,eax
   0x00007ffff297f41e <+46>:    mov    eax,0xea
   0x00007ffff297f423 <+51>:    syscall
=> 0x00007ffff297f425 <+53>:    cmp    rax,0xfffffffffffff000
   0x00007ffff297f42b <+59>:    ja     0x7ffff297f43f <__GI_raise+79>
   0x00007ffff297f42d <+61>:    repz ret
   0x00007ffff297f42f <+63>:    nop
   0x00007ffff297f430 <+64>:    test   eax,eax
Stack trace:
#  0 __GI_raise at 0x7ffff297f425 in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
#  1 __GI_abort at 0x7ffff2982b8b in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
#  2 __libc_message at 0x7ffff29bd39e in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
#  3 malloc_printerr at 0x7ffff29c7b96 in /lib/x86_64-linux-gnu/libc-2.15.so (BL)
#  4 dissect_dcom_ActivationProperties at 0x7ffff5028c2c in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
#  5 dissect_dcom_CUSTOBJREF at 0x7ffff502c06b in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
#  6 dissect_dcom_OBJREF at 0x7ffff502c32c in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
#  7 dissect_dcom_MInterfacePointer at 0x7ffff502c479 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
#  8 dissect_dcom_PMInterfacePointer at 0x7ffff502cb1a in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
#  9 dissect_remsysact_remotecreateinstance_rqst at 0x7ffff50293c0 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 10 dcerpc_try_handoff at 0x7ffff5019b70 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 11 dissect_dcerpc_cn_stub at 0x7ffff4e054f4 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 12 dissect_dcerpc_cn_resp at 0x7ffff501d36c in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 13 dissect_dcerpc_cn at 0x7ffff501d36c in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 14 dissect_dcerpc_cn_bs_body at 0x7ffff501ed7d in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 15 dissector_try_heuristic at 0x7ffff4e31241 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 16 decode_tcp_ports at 0x7ffff54959c4 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 17 process_tcp_payload at 0x7ffff5495efe in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 18 desegment_tcp at 0x7ffff54964ae in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 19 dissect_tcp_payload at 0x7ffff54964ae in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 20 dissect_tcp at 0x7ffff5497933 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 21 call_dissector_through_handle at 0x7ffff4e2f2a8 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 22 call_dissector_work at 0x7ffff4e2fbc5 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 23 dissector_try_uint_new at 0x7ffff4e30453 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 24 dissector_try_uint at 0x7ffff4e304a7 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 25 dissect_ip at 0x7ffff51bb7b3 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 26 call_dissector_through_handle at 0x7ffff4e2f2a8 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 27 call_dissector_work at 0x7ffff4e2fbc5 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 28 dissector_try_uint_new at 0x7ffff4e30453 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 29 dissector_try_uint at 0x7ffff4e304a7 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 30 ethertype at 0x7ffff5091822 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 31 dissect_eth_common at 0x7ffff50902b9 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 32 call_dissector_through_handle at 0x7ffff4e2f2a8 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 33 call_dissector_work at 0x7ffff4e2fbc5 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 34 dissector_try_uint_new at 0x7ffff4e30453 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 35 dissector_try_uint at 0x7ffff4e304a7 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 36 dissect_frame at 0x7ffff50c5108 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 37 call_dissector_through_handle at 0x7ffff4e2f2a8 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 38 call_dissector_work at 0x7ffff4e2fbc5 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 39 call_dissector_with_data at 0x7ffff4e31991 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 40 dissect_packet at 0x7ffff4e31d64 in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 41 epan_dissect_run_with_taps at 0x7ffff4e277dc in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
# 42 process_packet at 0x41935e in /home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
# 43 load_cap_file at 0x40b519 in /home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
# 44 main at 0x40b519 in /home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
Faulting frame: #  4 dissect_dcom_ActivationProperties at 0x7ffff5028c2c in /home/laurent/fuzzing/bin/wireshark-1.10.0/lib/libwireshark.so.3.0.0
Description: Abort signal
Short description: AbortSignal (19/21)
Hash: c172099a7cc49c14b62fc459ceaa0829.410472bcbdf2f39100d29eb38fa5550d
Exploitability Classification: UNKNOWN
Explanation: The target is stopped on a SIGABRT. SIGABRTs are often generated by libc and compiled check-code to indicate potentially exploitable conditions. Unfortunately this command does not yet further analyze these crashes.

added crash osubuntu uigtk version1.10 labels

Evan Huus said:

Double-free fixed in r50094, but I'm still seeing Dissector Bugs and valgrind errors with this capture in trunk, so not closing the bug yet.

Evan Huus said:

Valgrind errors fixed in r50226. Just the dissector bugs left.

Evan Huus said:

The dissector bugs are less simple. I'm not sure if they are actually bugs in the dissector, or simply things that should be replaced with expert info.

Litao, I am CCing you on this bug since you updated the dissector recently. Do you know how to fix the remaining assertions from this capture?

Jeff Morriss said:

Crash is fixed, making this one public.

Litao Gao said:

Thank Evan for the debugging and fix the double free issue!

As to the dissector assertion, after comparing the normal pcap,
I believe that these assertions should belong to expert info.
This pcap is generated by fuzz tools, right?


(In reply to comment #3)  
> The dissector bugs are less simple. I'm not sure if they are actually bugs  
> in the dissector, or simply things that should be replaced with expert info.  
>  
> Litao, I am CCing you on this bug since you updated the dissector recently.  
> Do you know how to fix the remaining assertions from this capture?

Laurent Butti said:

(In reply to comment #5)  
> Thank Evan for the debugging and fix the double free issue!  
>  
> As to the dissector assertion, after comparing the normal pcap,  
> I believe that these assertions should belong to expert info.  
> This pcap is generated by fuzz tools, right?  

Yes, thanks to dumb (but apparently efficient) fuzzing!

Litao Gao said:

(In reply to comment #6)  
>  
> Yes, thanks to dumb (but apparently efficient) fuzzing!  

Agree, fuzzing is quite helpful!
I will run as many fuzzing test as possible before submitting for code commit later on.

Thank all of you for the effort dealing with this issue.

Evan Huus said:

I replaced some of the assertions with if-branches for expert info in r50432. I didn't actually put expert info in to make backporting easier, since the expert API has changed.

There is still one: WARNING **: Dissector bug, protocol ISystemActivator, in packet 995: packet-dcom-sysact.c:600: failed assertion "len <= size"

which I'm not sure of.

Litao Gao said:

(In reply to comment #8)  
> I replaced some of the assertions with if-branches for expert info in  
> r50432. I didn't actually put expert info in to make backporting easier,  
> since the expert API has changed.  
>  
> There is still one:  
> WARNING **: Dissector bug, protocol ISystemActivator, in packet 995:  
> packet-dcom-sysact.c:600: failed assertion "len <= size"  
>  
> which I'm not sure of.  

Evan,

As to this assertion failure, it is also caused by fuzz mutation.

I have capture the picture and mark the abnormal value with oval circle.
I have provided the picture as an attachment.

As we can see, the number is 3355443288, which will be a minus value if
being treated as a value of type gint.
That is the reason why "DISSECTOR_ASSERT(len <= size);" fails.

Litao Gao said:

Created attachment 11158 This is a screen capture corresponding to comments #‍9.

Evan Huus said:

Last bits and pieces cleaned up in 50478.

Evan Huus said:

That is r50478.

Evan Huus said:

All commits scheduled for 1.10, and the relevant subset of them for 1.8.

closed