fuzz testing crashes tshark at proto.c
This issue was migrated from bug 3567 in our old bug tracker.
Original bug information:
Reporter: yami
Status: RESOLVED FIXED
Product: Wireshark
Component: TShark
OS: All
Platform: Other
Version: Git
Attachments:
fuzz-2009-06-23-23193.pcap: the fuzzed capture file.
use_se_alloc.patch: Use se_alloc()
Activity
Created attachment 3176 the fuzzed capture file.
Build Information: TShark 1.3.0 (SVN Rev 28767)
Copyright 1998-2009 Gerald Combs <gerald@wireshark.org> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.20.1, with libpcap 1.0.0, with libz 1.2.3.3, without POSIX capabilities, without libpcre, without SMI, without c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS 2.4.2, with Gcrypt 1.4.1, without Kerberos, without GeoIP. NOTE: this build doesn't support the "matches" operator for Wireshark filter syntax.
Running on Linux 2.6.28-11-generic, with libpcap version 1.0.0, GnuTLS 2.4.2, Gcrypt 1.4.1.
Built using gcc 4.3.3.
See the attached capture file. bt is: #0 0xb5ee1dec in ?? () from /lib/tls/i686/cmov/libc.so.6 #1 0xb5ee31d7 in ?? () from /lib/tls/i686/cmov/libc.so.6 #2 0xb5ee35b6 in free () from /lib/tls/i686/cmov/libc.so.6 #3 0xb61b7126 in g_free () from /usr/lib/libglib-2.0.so.0 #4 0xb673f681 in proto_cleanup () at proto.c:421 #5 0xb6721f6d in epan_cleanup () at epan.c:123 #6 0x08069161 in main (argc=3, argv=0xbfc829b4) at tshark.c:1636added clitshark crash versiondev labels
-
Created attachment 3239 Use se_alloc()
The template cache contains pointers that are session-scope (only freed in netflow_reinit()) but still we use g_malloc(). This patch changes that so we now use se_alloc(). With this patch I'm able to reproduce the crash ("Per-session memory corrupted").
-
(In reply to comment #1) > Does the latest SVN version still crash for you? I can't duplicate the problem > here. It's possible that one of the recent fuzz fixes covered this. > I've just tested. Yes, this seems to be fixed by: http://anonsvn.wireshark.org/viewvc?view=rev&revision=28911 However, it would still be nice to include attachment 3239. -
*** Bug #3646 (closed) has been marked as a duplicate of this bug. ***
-
*** Bug #3647 (closed) has been marked as a duplicate of this bug. ***
-
*** Bug #3649 (closed) has been marked as a duplicate of this bug. ***
-
*** Bug #3673 (closed) has been marked as a duplicate of this bug. ***
-
*** Bug #3674 (closed) has been marked as a duplicate of this bug. ***
-
*** Bug #3681 (closed) has been marked as a duplicate of this bug. ***
-
*** Bug #3682 (closed) has been marked as a duplicate of this bug. ***
-
*** Bug #3688 (closed) has been marked as a duplicate of this bug. ***
-
*** Bug #3696 (closed) has been marked as a duplicate of this bug. ***
mentioned in issue #3647 (closed)
mentioned in issue #3646 (closed)
mentioned in issue #3649 (closed)
mentioned in issue #3673 (closed)
mentioned in issue #3674 (closed)
mentioned in issue #3681 (closed)
mentioned in issue #3682 (closed)
mentioned in issue #3688 (closed)
mentioned in issue #3696 (closed)