Crash when sorting columns during capture with display filter active

Summary

Clicking a column to sort packets multiple times during capture results in a crash.

Sample capture file

No capture file available. Seems to only happen with ongoing capture.

Steps to reproduce

1. Start packet capture
2. Set a display filter
3. Repeatedly click "Source" column
4. Wireshark exits with crash.

What is the current bug behavior?

It appears this happens if sorting is ongoing when clicking "Source" column to trigger a new sort.

The following can be seen with GDB:

Thread 1 "wireshark" received signal SIGSEGV, Segmentation fault.
0x00005555559c8cda in PacketListRecord::columnString (this=this@entry=0x186a0, cap_file=0x555555f6d1c0 <cfile>, column=2, 
    colorized=colorized@entry=false) at /home/mikaeka/myrepos/wireshark/ui/qt/models/packet_list_record.cpp:77
77	    bool dissect_color = ( colorized && !colorized_ ) || ( color_ver_ != rows_color_ver_ );


(gdb) bt
#0  0x00005555559c8cda in PacketListRecord::columnString(_capture_file*, int, bool)
    (this=this@entry=0x186a0, cap_file=0x555555f6d1c0 <cfile>, column=2, colorized=colorized@entry=false)
    at /home/mikaeka/myrepos/wireshark/ui/qt/models/packet_list_record.cpp:77
#1  0x00005555559c2117 in PacketListModel::recordLessThan(PacketListRecord*, PacketListRecord*) (r1=0x55555d088290, r2=0x186a0)
    at /home/mikaeka/myrepos/wireshark/ui/qt/models/packet_list_model.cpp:791
#2  0x00005555559c62a6 in __gnu_cxx::__ops::_Val_comp_iter<bool (*)(PacketListRecord*, PacketListRecord*)>::operator()<PacketListRecord*, QList<PacketListRecord*>::iterator>(PacketListRecord*&, QList<PacketListRecord*>::iterator)
    (__it=..., __val=<synthetic pointer>: <optimized out>, this=<synthetic pointer>) at /usr/include/c++/10/bits/predefined_ops.h:237
#3  std::__unguarded_linear_insert<QList<PacketListRecord*>::iterator, __gnu_cxx::__ops::_Val_comp_iter<bool (*)(PacketListRecord*, PacketListRecord*)> >(QList<PacketListRecord*>::iterator, __gnu_cxx::__ops::_Val_comp_iter<bool (*)(PacketListRecord*, PacketListRecord*)>)
    (__comp=..., __last=...) at /usr/include/c++/10/bits/stl_algo.h:1826
#4  std::__unguarded_insertion_sort<QList<PacketListRecord*>::iterator, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(PacketListRecord*, PacketListRecord*)> >(QList<PacketListRecord*>::iterator, QList<PacketListRecord*>::iterator, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(PacketListRecord*, PacketListRecord*)>) (__comp=..., __last=..., __first=...) at /usr/include/c++/10/bits/stl_algo.h:1867
#5  std::__final_insertion_sort<QList<PacketListRecord*>::iterator, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(PacketListRecord*, PacketListRecord*)> >(QList<PacketListRecord*>::iterator, QList<PacketListRecord*>::iterator, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(PacketListRecord*, PacketListRecord*)>) (__comp=..., __last=..., __first=...) at /usr/include/c++/10/bits/stl_algo.h:1887
#6  std::__sort<QList<PacketListRecord*>::iterator, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(PacketListRecord*, PacketListRecord*)> >(QList<PacketListRecord*>::iterator, QList<PacketListRecord*>::iterator, __gnu_cxx::__ops::_Iter_comp_iter<bool (*)(PacketListRecord*, PacketListRecord*)>) (__comp=..., __last=..., __first=...) at /usr/include/c++/10/bits/stl_algo.h:1977
#7  std::sort<QList<PacketListRecord*>::iterator, bool (*)(PacketListRecord*, PacketListRecord*)>(QList<PacketListRecord*>::iterator, QList<PacketListRecord*>::iterator, bool (*)(PacketListRecord*, PacketListRecord*)) (__comp=
    0x5555559c2010 <PacketListModel::recordLessThan(PacketListRecord*, PacketListRecord*)>, __last=..., __first=...)
    at /usr/include/c++/10/bits/stl_algo.h:4894
#8  PacketListModel::sort(int, Qt::SortOrder) (this=<optimized out>, column=<optimized out>, order=<optimized out>)
    at /home/mikaeka/myrepos/wireshark/ui/qt/models/packet_list_model.cpp:647
#9  0x00007ffff6a82b33 in  () at /lib/x86_64-linux-gnu/libQt6Core.so.6
#10 0x00007ffff7ba862f in QHeaderView::sortIndicatorChanged(int, Qt::SortOrder) () at /lib/x86_64-linux-gnu/libQt6Widgets.so.6
#11 0x00007ffff7bb3d79 in QHeaderView::mouseReleaseEvent(QMouseEvent*) () at /lib/x86_64-linux-gnu/libQt6Widgets.so.6
#12 0x00007ffff79268de in QWidget::event(QEvent*) () at /lib/x86_64-linux-gnu/libQt6Widgets.so.6
#13 0x00007ffff79c5b62 in QFrame::event(QEvent*) () at /lib/x86_64-linux-gnu/libQt6Widgets.so.6
#14 0x00007ffff6a2f1b4 in QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) ()
    at /lib/x86_64-linux-gnu/libQt6Core.so.6
#15 0x00007ffff78ccdd1 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /lib/x86_64-linux-gnu/libQt6Widgets.so.6
#16 0x00007ffff78d6a67 in QApplication::notify(QObject*, QEvent*) () at /lib/x86_64-linux-gnu/libQt6Widgets.so.6
#17 0x00007ffff6a2f3e8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /lib/x86_64-linux-gnu/libQt6Core.so.6
#18 0x00007ffff78d5bc3 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) () at /lib/x86_64-linux-gnu/libQt6Widgets.so.6
#19 0x00007ffff79383c9 in  () at /lib/x86_64-linux-gnu/libQt6Widgets.so.6
#20 0x00007ffff793b1cb in  () at /lib/x86_64-linux-gnu/libQt6Widgets.so.6
#21 0x00007ffff78ccde2 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /lib/x86_64-linux-gnu/libQt6Widgets.so.6
#22 0x00007ffff6a2f3e8 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () at /lib/x86_64-linux-gnu/libQt6Core.so.6
#23 0x00007ffff709099b in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) ()
    at /lib/x86_64-linux-gnu/libQt6Gui.so.6
#24 0x00007ffff70dbd0c in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
    at /lib/x86_64-linux-gnu/libQt6Gui.so.6
#25 0x00007fffe9e0be7a in  () at /lib/x86_64-linux-gnu/libQt6XcbQpa.so.6
#26 0x00007fffee776e6b in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#27 0x00007fffee777118 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#28 0x00007fffee7771cf in g_main_context_iteration () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#29 0x00007ffff6c71599 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
    at /lib/x86_64-linux-gnu/libQt6Core.so.6
#30 0x00007ffff6a3b22b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /lib/x86_64-linux-gnu/libQt6Core.so.6
#31 0x00007ffff6a37082 in QCoreApplication::exec() () at /lib/x86_64-linux-gnu/libQt6Core.so.6
#32 0x0000555555686828 in main(int, char**) (argc=<optimized out>, qt_argv=<optimized out>)
    at /home/mikaeka/myrepos/wireshark/ui/qt/main.cpp:1097


(gdb) info args
this = 0x186a0
cap_file = 0x555555f6d1c0 <cfile>
column = 2
colorized = false
(gdb) p colorized
$3 = false
(gdb) p colorized_
Cannot access memory at address 0x186bc
(gdb) p color_ver_
Cannot access memory at address 0x186b8
(gdb) p rows_color_ver_
$4 = 1

What is the expected correct behavior?

No crash

Build information

Version 4.5.0 (v4.5.0rc0-1158-gd86c97744ba0).
Copyright 1998-2024 Gerald Combs <gerald@wireshark.org> and contributors.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
Compile-time info:
 Bit width: 64-bit
  Compiler: GCC 10.2.1 20210110
      GLib: 2.66.8
 With:
  +brotli                      +Minizip 1.2.8
  +Gcrypt 1.8.8                +nghttp2 1.43.0
  +GnuTLS 3.7.1 and PKCS#11    +PCRE2 10.36 2020-12-04
  +Kerberos (MIT)              +POSIX capabilities (Linux)
  +libnl 3                     +Qt 6.4.2
  +libpcap                     +QtDBus
  +libsmi 0.4.8                +QtMultimedia
  +libxml2 2.9.10              +Snappy 1.1.8
  +Lua 5.4.2                   +zlib 1.2.11
  +LZ4 1.9.3                   +Zstandard 1.4.8
  +MaxMind 1.5.2
 Without:
  -automatic updates  -nghttp3            -zlib-ng
Runtime info:
      OS: Linux 5.10.0-33-amd64
     CPU: AMD Ryzen 9 3900X 12-Core Processor (with SSE4.2)
  Memory: 32054 MB of physical memory
    GLib: 2.66.8
  Locale: LC_TYPE=en_US.utf8
 Plugins: supported, 22 loaded
 With:
  +brotli 1.0.9                      +nghttp2 1.43.0
  +c-ares 1.17.1                     +PCRE2 10.36 2020-12-04
  +Gcrypt 1.8.8                      +QPA plugin "xcb"
  +GnuTLS 3.7.1                      +Qt 6.4.2
  +libpcap 1.10.0 (with TPACKET_V3)  +Xorg
  +libsmi 0.4.8                      +zlib 1.2.11
  +light display mode                +Zstandard 1.4.8
  +LZ4 1.9.3
 Without:
  -HiDPI
Check the man page and www.wireshark.org for more information. 

added crash uiqt labels

Reasonably reproducible if there is a robust stream of incoming packets. I've repro'd it on Debian Linux amd64 as well as on macOS 14.7.1, capturing with a concurrent flood-ping of the nearest router. (Didn't try on Windows or other OSes.)

Likely a synchronization error somewhere between the packet list sort operation and the addition of new incoming packets to the packet list.

It will actually happen without a live capture, in any case where the sorting is triggered while still sorting.

The problem seems more to be with setting the value of private member variables that the sort comparison function depends when we're in the middle of another sort, thus invalidating that sort's comparison function and leading to incorrect sorting at best (but a crash at worst because by violating the contract, the presumably optimized STL sort has things that should never happen, happen.)

mentioned in merge request !19056 (merged)

closed with commit 9cb198d7

closed with merge request !19056 (merged)

mentioned in commit e45dd6a8

mentioned in merge request !19068 (merged)

mentioned in commit a7346221