Bug 144238 - tethereal random segfault.
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: ethereal
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Radek Vokal
Keywords: Security
Reported: 2005-01-05 02:10 EST by Dave Jones
Modified: 2015-01-04 17:14 EST
Doc Type: Bug Fix
Last Closed: 2005-01-30 14:37:14 EST


Attachments:
Valgrind of ethereal (23.92 KB, text/plain), 2005-01-05 06:33 EST, Sitsofe Wheeler
Description Dave Jones 2005-01-05 02:10:43 EST
Description of problem:

I was running tethereal -i eth0 on my firewall, when this happened...


362.132689 68.162.252.20 -> 128.242.99.116 TCP [TCP Dup ACK 2423#1] 34735 > http
[ACK] Seq=765 Ack=6656 Win=19920 Len=0 TSV=49247313 TSER=2434332449
362.140098 128.242.99.116 -> 68.162.252.20 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
*** glibc detected *** free(): invalid next size (normal): 0x09fed0a0 ***

Version-Release number of selected component (if applicable):
ethereal-0.10.6-3

backtrace...

Core was generated by `/usr/sbin/tethereal -i eth0'.
Program terminated with signal 6, Aborted.
Reading symbols from /usr/lib/libwiretap.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libwiretap.so.0
Reading symbols from /usr/lib/libethereal.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libethereal.so.0
Reading symbols from /usr/lib/libgmodule-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgmodule-2.0.so.0
Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/libglib-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libglib-2.0.so.0
Reading symbols from /lib/tls/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/libm.so.6
Reading symbols from /usr/lib/libpcap.so.0.8.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8.3
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/tls/libpthread.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/libpthread.so.0
Reading symbols from /lib/tls/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_files.so.2
#0  0x0058b7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
(gdb) bt
#0  0x0058b7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x005cb955 in raise () from /lib/tls/libc.so.6
#2  0x005cd319 in abort () from /lib/tls/libc.so.6
#3  0x005fef9a in __libc_message () from /lib/tls/libc.so.6
#4  0x00605528 in _int_free () from /lib/tls/libc.so.6
#5  0x00605afa in free () from /lib/tls/libc.so.6
#6  0x005fdffb in vasprintf () from /lib/tls/libc.so.6
#7  0x007db86f in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#8  0x007cc78b in g_strdup_vprintf () from /usr/lib/libglib-2.0.so.0
#9  0x007cc7b8 in g_strdup_printf () from /usr/lib/libglib-2.0.so.0
#10 0x024c33b0 in add_new_data_source () from /usr/lib/libethereal.so.0
#11 0x024c3c45 in dissect_packet () from /usr/lib/libethereal.so.0
#12 0x024c15f1 in epan_dissect_run () from /usr/lib/libethereal.so.0
#13 0x080599e7 in register_ethereal_tap ()
#14 0x0805a27e in register_ethereal_tap ()
#15 0x007324ae in ?? () from /usr/lib/libpcap.so.0.8.3
#16 0x08066760 in ReleaseCompleteReason_vals ()
#17 0xbff508c0 in ?? ()
#18 0x09f8ef82 in ?? ()
#19 0x00000020 in ?? ()
#20 0xbff508d0 in ?? ()
#21 0xbff508bc in ?? ()
#22 0xbff508d8 in ?? ()
#23 0x007ad55f in g_hash_table_lookup () from /usr/lib/libglib-2.0.so.0
#24 0x00733e37 in pcap_dispatch () from /usr/lib/libpcap.so.0.8.3
#25 0x0805addb in cf_open ()
#26 0x0805d0d5 in main ()
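The backtrace above ends in glibc's free(), but "free(): invalid next size" is glibc noticing that the size field of the chunk next to the one being freed has been overwritten; the write that did the damage happened earlier, in code that does not appear in the trace. The following C program is an added illustration of that mechanism and is not ethereal's code; the page does not identify the actual defect behind this report. The struct pkt, label_unsafe(), label_safe() and MAX_LABEL_LEN names are hypothetical, standing in for a dissector that builds a label with g_strdup_printf() as at frame #10, and the sample bytes are constructed for the checks.

```c
/* Added example, not ethereal's code: a hypothetical "dissector" that shows
 * how an out-of-bounds heap write yields the diagnostic in this report
 * ("free(): invalid next size") at a later, unrelated free(), and how a
 * length check up front prevents it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical captured packet: a length field the remote peer controls,
 * plus the bytes actually captured. */
struct pkt {
    size_t declared_len;        /* what the header claims */
    const unsigned char *data;  /* captured payload */
    size_t actual_len;          /* how many bytes were really captured */
};

#define MAX_LABEL_LEN 65535     /* assumed cap on attacker-chosen sizes */

/* Vulnerable: sizes the buffer from declared_len but copies actual_len bytes.
 * If actual_len > declared_len, memcpy() runs past the end of the malloc'd
 * chunk into the header (size field) of the neighbouring chunk. Nothing
 * notices at the time of the write; glibc only detects the damaged size field
 * during a later allocator operation, which is why a backtrace like the one
 * above ends in free() rather than in the code that did the write.
 * Deliberately left uncalled by the checks below. */
char *label_unsafe(const struct pkt *p)
{
    char *buf = malloc(p->declared_len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, p->data, p->actual_len);   /* overflow when actual_len > declared_len */
    buf[p->actual_len] = '\0';
    return buf;
}

/* Hardened: refuse a packet whose declared and captured lengths disagree,
 * bound the size, and allocate from the same length that governs the copy. */
char *label_safe(const struct pkt *p)
{
    if (p->data == NULL || p->declared_len != p->actual_len)
        return NULL;                        /* malformed: do not dissect */
    if (p->actual_len > MAX_LABEL_LEN)
        return NULL;
    char *buf = malloc(p->actual_len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, p->data, p->actual_len);
    buf[p->actual_len] = '\0';
    return buf;
}

/* Constructed input for the checks below (not from the report). */
static const unsigned char sample_jfif[] = "JFIF";

/* Returns 1 if a well-formed packet is labelled with its payload. */
int check_safe_accepts_wellformed(void)
{
    struct pkt good = { 4, sample_jfif, 4 };
    char *s = label_safe(&good);
    int ok = (s != NULL && strcmp(s, "JFIF") == 0);
    free(s);
    return ok;
}

/* Returns 1 if packets whose header lies about the length, or that are
 * oversized, are rejected before any allocation or copy happens. */
int check_safe_rejects_mismatch(void)
{
    struct pkt lying = { 4, sample_jfif, 40 };          /* claims 4, "captured" 40 */
    struct pkt huge  = { 1u << 20, sample_jfif, 1u << 20 };
    return label_safe(&lying) == NULL && label_safe(&huge) == NULL;
}

int main(void)
{
    printf("well-formed accepted: %d\n", check_safe_accepts_wellformed());
    printf("length mismatch rejected: %d\n", check_safe_rejects_mismatch());
#ifdef DEMO_CORRUPTION
    /* Build with -DDEMO_CORRUPTION to reproduce the failure mode. The write
     * itself passes silently. On the 2005-era glibc in this report free(s)
     * aborts with "free(): invalid next size"; newer glibc with tcache tends
     * to report the damage at the next malloc() instead. valgrind or
     * -fsanitize=address report the memcpy() itself, which is the line you
     * actually need to fix. */
    unsigned char big[64];
    memset(big, 'A', sizeof big);
    struct pkt lying = { 4, big, sizeof big };
    char *s = label_unsafe(&lying);
    free(s);
    free(malloc(100));
#endif
    return 0;
}
```

The practical point for triage: when glibc aborts inside free() like this, the frame that called free() is rarely the culprit. Re-run the capture under valgrind (as in the attached log) or an AddressSanitizer build so the out-of-bounds write is reported where it happens.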
Comment 1 Dave Jones 2005-01-05 02:12:27 EST
It's reproducible. Visit http://www.cafepress.com/mjg59 whilst snooping eth0.
Segfaults every time here.
Comment 3 Sitsofe Wheeler 2005-01-05 06:33:51 EST
Created attachment 109360
Valgrind of ethereal

Valgrind reports various errors during this. The first error (Syscall param
socketcall.setsockopt) always happens but the others could be quite hard to
reproduce and required reloading the mentioned link many times...
Comment 7 Sitsofe Wheeler 2005-01-10 20:49:31 EST
Is this one of the bugs addressed by the 0.17 update -
http://www.ethereal.com/appnotes/enpa-sa-00016.html (I checked the ethereal RPM
changelog and I don't see any security backports)? I notice that double frees in
the HTTP dissector are covered by
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1141
Comment 8 Dave Jones 2005-01-10 21:15:15 EST
Radek suggested the same thing to me.
I did try the 0.10.8 update, and it was reproducible there too.

Oddly, I can't seem to reproduce it any more on any version of ethereal.
Comment 9 Radek Vokal 2005-01-30 14:37:14 EST
Dave, I've just rebuilt the new ethereal-0.10.9 and it's already available
in updates. It fixes another few memory leaks (
http://www.ethereal.com/news/item_20050120_01.html ), which might also fix
your issue. Let me know if I'm wrong.
