[Wireshark-bugs] [Bug 14534] New: Buildbot crash output: fuzz-2018-03-14-25389.pcap

Thu, 15 Mar 2018 07:20:14 -0700 

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14534

            Bug ID: 14534
           Summary: Buildbot crash output: fuzz-2018-03-14-25389.pcap
           Product: Wireshark
           Version: unspecified
          Hardware: x86-64
                OS: Ubuntu
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: buildbot-do-not-re...@wireshark.org
  Target Milestone: ---

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2018-03-14-25389.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/4444-fuzz-2010-03-01-2704.pcap

Build host information:
Linux wsbb04 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.4 LTS
Release:        16.04
Codename:       xenial

Buildbot information:
BUILDBOT_REPOSITORY=ssh://wireshark-build...@code.wireshark.org:29418/wireshark
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_BUILDNUMBER=4678
BUILDBOT_URL=http://buildbot.wireshark.org/wireshark-master/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_GOT_REVISION=07647c2555d65171b7f6512457daf53640c07e3b

Return value:  0

Dissector bug:  0

Valgrind error count:  21



Git commit
commit 07647c2555d65171b7f6512457daf53640c07e3b
Author: AndersBroman <anders.bro...@ericsson.com>
Date:   Wed Mar 14 17:45:19 2018 +0100

    NAS-5GS: Start updating to version 0.4.0

    Change-Id: Iacf16fdc14ada5993584c9c1f8990df6125c35f5
    Reviewed-on: https://code.wireshark.org/review/26476
    Petri-Dish: Anders Broman <a.broma...@gmail.com>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Anders Broman <a.broma...@gmail.com>


==29771== Memcheck, a memory error detector
==29771== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==29771== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==29771== Command:
/home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.plain/bin/tshark
-nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2018-03-14-25389.pcap
==29771== 
==29771== Invalid read of size 1
==29771==    at 0x4C30F62: strlen (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0x1215A2: print_columns (tshark.c:3734)
==29771==    by 0x120E30: print_packet (tshark.c:3903)
==29771==    by 0x1202E7: process_packet_single_pass (tshark.c:3539)
==29771==    by 0x11EC83: process_cap_file (tshark.c:3348)
==29771==    by 0x11C4C9: main (tshark.c:2029)
==29771==  Address 0x18d96e70 is 0 bytes inside a block of size 80 free'd
==29771==    at 0x4C2EDEB: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0x7D2EBC3: wmem_free (wmem_core.c:67)
==29771==    by 0x7D31773: wmem_simple_free_all (wmem_allocator_simple.c:95)
==29771==    by 0x7D2ED96: wmem_free_all_real (wmem_core.c:106)
==29771==    by 0x7D2ED46: wmem_free_all (wmem_core.c:112)
==29771==    by 0x7D33A12: wmem_leave_packet_scope (wmem_scopes.c:69)
==29771==    by 0x7D8C426: epan_dissect_run_with_taps (epan.c:554)
==29771==    by 0x12023F: process_packet_single_pass (tshark.c:3522)
==29771==    by 0x11EC83: process_cap_file (tshark.c:3348)
==29771==    by 0x11C4C9: main (tshark.c:2029)
==29771==  Block was alloc'd at
==29771==    at 0x4C2DB8F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0xB8D4718: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2)
==29771==    by 0x7D2EAC3: wmem_alloc (wmem_core.c:37)
==29771==    by 0x7D31539: wmem_simple_alloc (wmem_allocator_simple.c:43)
==29771==    by 0x7D2EB39: wmem_alloc (wmem_core.c:46)
==29771==    by 0x7D34A8D: wmem_strdup_vprintf (wmem_strutl.c:95)
==29771==    by 0x7D34A38: wmem_strdup_printf (wmem_strutl.c:68)
==29771==    by 0x7E04F31: val_to_str (value_string.c:38)
==29771==    by 0x7029536: dissect_nano (packet-nano.c:346)
==29771==    by 0x7DA1187: call_dissector_through_handle (packet.c:694)
==29771==    by 0x7D9D009: call_dissector_work (packet.c:779)
==29771==    by 0x7D9CE17: dissector_try_uint_new (packet.c:1361)
==29771== 
==29771== Invalid read of size 1
==29771==    at 0x4C30F74: strlen (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0x1215A2: print_columns (tshark.c:3734)
==29771==    by 0x120E30: print_packet (tshark.c:3903)
==29771==    by 0x1202E7: process_packet_single_pass (tshark.c:3539)
==29771==    by 0x11EC83: process_cap_file (tshark.c:3348)
==29771==    by 0x11C4C9: main (tshark.c:2029)
==29771==  Address 0x18d96e71 is 1 bytes inside a block of size 80 free'd
==29771==    at 0x4C2EDEB: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0x7D2EBC3: wmem_free (wmem_core.c:67)
==29771==    by 0x7D31773: wmem_simple_free_all (wmem_allocator_simple.c:95)
==29771==    by 0x7D2ED96: wmem_free_all_real (wmem_core.c:106)
==29771==    by 0x7D2ED46: wmem_free_all (wmem_core.c:112)
==29771==    by 0x7D33A12: wmem_leave_packet_scope (wmem_scopes.c:69)
==29771==    by 0x7D8C426: epan_dissect_run_with_taps (epan.c:554)
==29771==    by 0x12023F: process_packet_single_pass (tshark.c:3522)
==29771==    by 0x11EC83: process_cap_file (tshark.c:3348)
==29771==    by 0x11C4C9: main (tshark.c:2029)
==29771==  Block was alloc'd at
==29771==    at 0x4C2DB8F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0xB8D4718: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2)
==29771==    by 0x7D2EAC3: wmem_alloc (wmem_core.c:37)
==29771==    by 0x7D31539: wmem_simple_alloc (wmem_allocator_simple.c:43)
==29771==    by 0x7D2EB39: wmem_alloc (wmem_core.c:46)
==29771==    by 0x7D34A8D: wmem_strdup_vprintf (wmem_strutl.c:95)
==29771==    by 0x7D34A38: wmem_strdup_printf (wmem_strutl.c:68)
==29771==    by 0x7E04F31: val_to_str (value_string.c:38)
==29771==    by 0x7029536: dissect_nano (packet-nano.c:346)
==29771==    by 0x7DA1187: call_dissector_through_handle (packet.c:694)
==29771==    by 0x7D9D009: call_dissector_work (packet.c:779)
==29771==    by 0x7D9CE17: dissector_try_uint_new (packet.c:1361)
==29771== 
==29771== Invalid read of size 2
==29771==    at 0x4C32720: memcpy@@GLIBC_2.14 (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0x121E34: put_string (tshark.c:3626)
==29771==    by 0x1215D6: print_columns (tshark.c:3736)
==29771==    by 0x120E30: print_packet (tshark.c:3903)
==29771==    by 0x1202E7: process_packet_single_pass (tshark.c:3539)
==29771==    by 0x11EC83: process_cap_file (tshark.c:3348)
==29771==    by 0x11C4C9: main (tshark.c:2029)
==29771==  Address 0x18d96e70 is 0 bytes inside a block of size 80 free'd
==29771==    at 0x4C2EDEB: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0x7D2EBC3: wmem_free (wmem_core.c:67)
==29771==    by 0x7D31773: wmem_simple_free_all (wmem_allocator_simple.c:95)
==29771==    by 0x7D2ED96: wmem_free_all_real (wmem_core.c:106)
==29771==    by 0x7D2ED46: wmem_free_all (wmem_core.c:112)
==29771==    by 0x7D33A12: wmem_leave_packet_scope (wmem_scopes.c:69)
==29771==    by 0x7D8C426: epan_dissect_run_with_taps (epan.c:554)
==29771==    by 0x12023F: process_packet_single_pass (tshark.c:3522)
==29771==    by 0x11EC83: process_cap_file (tshark.c:3348)
==29771==    by 0x11C4C9: main (tshark.c:2029)
==29771==  Block was alloc'd at
==29771==    at 0x4C2DB8F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0xB8D4718: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2)
==29771==    by 0x7D2EAC3: wmem_alloc (wmem_core.c:37)
==29771==    by 0x7D31539: wmem_simple_alloc (wmem_allocator_simple.c:43)
==29771==    by 0x7D2EB39: wmem_alloc (wmem_core.c:46)
==29771==    by 0x7D34A8D: wmem_strdup_vprintf (wmem_strutl.c:95)
==29771==    by 0x7D34A38: wmem_strdup_printf (wmem_strutl.c:68)
==29771==    by 0x7E04F31: val_to_str (value_string.c:38)
==29771==    by 0x7029536: dissect_nano (packet-nano.c:346)
==29771==    by 0x7DA1187: call_dissector_through_handle (packet.c:694)
==29771==    by 0x7D9D009: call_dissector_work (packet.c:779)
==29771==    by 0x7D9CE17: dissector_try_uint_new (packet.c:1361)
==29771== 
==29771== Invalid read of size 2
==29771==    at 0x4C3272E: memcpy@@GLIBC_2.14 (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0x121E34: put_string (tshark.c:3626)
==29771==    by 0x1215D6: print_columns (tshark.c:3736)
==29771==    by 0x120E30: print_packet (tshark.c:3903)
==29771==    by 0x1202E7: process_packet_single_pass (tshark.c:3539)
==29771==    by 0x11EC83: process_cap_file (tshark.c:3348)
==29771==    by 0x11C4C9: main (tshark.c:2029)
==29771==  Address 0x18d96e74 is 4 bytes inside a block of size 80 free'd
==29771==    at 0x4C2EDEB: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0x7D2EBC3: wmem_free (wmem_core.c:67)
==29771==    by 0x7D31773: wmem_simple_free_all (wmem_allocator_simple.c:95)
==29771==    by 0x7D2ED96: wmem_free_all_real (wmem_core.c:106)
==29771==    by 0x7D2ED46: wmem_free_all (wmem_core.c:112)
==29771==    by 0x7D33A12: wmem_leave_packet_scope (wmem_scopes.c:69)
==29771==    by 0x7D8C426: epan_dissect_run_with_taps (epan.c:554)
==29771==    by 0x12023F: process_packet_single_pass (tshark.c:3522)
==29771==    by 0x11EC83: process_cap_file (tshark.c:3348)
==29771==    by 0x11C4C9: main (tshark.c:2029)
==29771==  Block was alloc'd at
==29771==    at 0x4C2DB8F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0xB8D4718: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2)
==29771==    by 0x7D2EAC3: wmem_alloc (wmem_core.c:37)
==29771==    by 0x7D31539: wmem_simple_alloc (wmem_allocator_simple.c:43)
==29771==    by 0x7D2EB39: wmem_alloc (wmem_core.c:46)
==29771==    by 0x7D34A8D: wmem_strdup_vprintf (wmem_strutl.c:95)
==29771==    by 0x7D34A38: wmem_strdup_printf (wmem_strutl.c:68)
==29771==    by 0x7E04F31: val_to_str (value_string.c:38)
==29771==    by 0x7029536: dissect_nano (packet-nano.c:346)
==29771==    by 0x7DA1187: call_dissector_through_handle (packet.c:694)
==29771==    by 0x7D9D009: call_dissector_work (packet.c:779)
==29771==    by 0x7D9CE17: dissector_try_uint_new (packet.c:1361)
==29771== 
==29771== Invalid read of size 1
==29771==    at 0x4C32758: memcpy@@GLIBC_2.14 (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0x121E34: put_string (tshark.c:3626)
==29771==    by 0x1215D6: print_columns (tshark.c:3736)
==29771==    by 0x120E30: print_packet (tshark.c:3903)
==29771==    by 0x1202E7: process_packet_single_pass (tshark.c:3539)
==29771==    by 0x11EC83: process_cap_file (tshark.c:3348)
==29771==    by 0x11C4C9: main (tshark.c:2029)
==29771==  Address 0x18d96e7c is 12 bytes inside a block of size 80 free'd
==29771==    at 0x4C2EDEB: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0x7D2EBC3: wmem_free (wmem_core.c:67)
==29771==    by 0x7D31773: wmem_simple_free_all (wmem_allocator_simple.c:95)
==29771==    by 0x7D2ED96: wmem_free_all_real (wmem_core.c:106)
==29771==    by 0x7D2ED46: wmem_free_all (wmem_core.c:112)
==29771==    by 0x7D33A12: wmem_leave_packet_scope (wmem_scopes.c:69)
==29771==    by 0x7D8C426: epan_dissect_run_with_taps (epan.c:554)
==29771==    by 0x12023F: process_packet_single_pass (tshark.c:3522)
==29771==    by 0x11EC83: process_cap_file (tshark.c:3348)
==29771==    by 0x11C4C9: main (tshark.c:2029)
==29771==  Block was alloc'd at
==29771==    at 0x4C2DB8F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29771==    by 0xB8D4718: g_malloc (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2)
==29771==    by 0x7D2EAC3: wmem_alloc (wmem_core.c:37)
==29771==    by 0x7D31539: wmem_simple_alloc (wmem_allocator_simple.c:43)
==29771==    by 0x7D2EB39: wmem_alloc (wmem_core.c:46)
==29771==    by 0x7D34A8D: wmem_strdup_vprintf (wmem_strutl.c:95)
==29771==    by 0x7D34A38: wmem_strdup_printf (wmem_strutl.c:68)
==29771==    by 0x7E04F31: val_to_str (value_string.c:38)
==29771==    by 0x7029536: dissect_nano (packet-nano.c:346)
==29771==    by 0x7DA1187: call_dissector_through_handle (packet.c:694)
==29771==    by 0x7D9D009: call_dissector_work (packet.c:779)
==29771==    by 0x7D9CE17: dissector_try_uint_new (packet.c:1361)
==29771== 
==29771== 
==29771== HEAP SUMMARY:
==29771==     in use at exit: 107,795 bytes in 150 blocks
==29771==   total heap usage: 577,315 allocs, 577,165 frees, 45,784,229 bytes
allocated
==29771== 
==29771== LEAK SUMMARY:
==29771==    definitely lost: 72 bytes in 3 blocks
==29771==    indirectly lost: 96 bytes in 3 blocks
==29771==      possibly lost: 0 bytes in 0 blocks
==29771==    still reachable: 13,032 bytes in 101 blocks
==29771==         suppressed: 94,595 bytes in 43 blocks
==29771== Rerun with --leak-check=full to see details of leaked memory
==29771== 
==29771== For counts of detected and suppressed errors, rerun with: -v
==29771== ERROR SUMMARY: 21 errors from 5 contexts (suppressed: 0 from 0)

[ no debug trace ]

-- 
You are receiving this mail because:
You are watching all bug changes.
___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

Reply via email to