Bug 144238 - tethereal random segfault.
Summary: tethereal random segfault.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: ethereal
Version: 3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Radek Vokál
Reported: 2005-01-05 07:10 UTC by Dave Jones
Modified: 2015-01-04 22:14 UTC (History)

Doc Type: Bug Fix
Last Closed: 2005-01-30 19:37:14 UTC
Type: ---


Attachments
Valgrind of ethereal (23.92 KB, text/plain), 2005-01-05 11:33 UTC, Sitsofe Wheeler

Description Dave Jones 2005-01-05 07:10:43 UTC
Description of problem:

I was running tethereal -i eth0 on my firewall when this happened...


362.132689 68.162.252.20 -> 128.242.99.116 TCP [TCP Dup ACK 2423#1] 34735 > http [ACK] Seq=765 Ack=6656 Win=19920 Len=0 TSV=49247313 TSER=2434332449
362.140098 128.242.99.116 -> 68.162.252.20 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
*** glibc detected *** free(): invalid next size (normal): 0x09fed0a0 ***

Version-Release number of selected component (if applicable):
ethereal-0.10.6-3

backtrace...

Core was generated by `/usr/sbin/tethereal -i eth0'.
Program terminated with signal 6, Aborted.
Reading symbols from /usr/lib/libwiretap.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libwiretap.so.0
Reading symbols from /usr/lib/libethereal.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libethereal.so.0
Reading symbols from /usr/lib/libgmodule-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgmodule-2.0.so.0
Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/libglib-2.0.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libglib-2.0.so.0
Reading symbols from /lib/tls/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/libm.so.6
Reading symbols from /usr/lib/libpcap.so.0.8.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.0.8.3
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/tls/libpthread.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/libpthread.so.0
Reading symbols from /lib/tls/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_files.so.2
#0  0x0058b7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
(gdb) bt
#0  0x0058b7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x005cb955 in raise () from /lib/tls/libc.so.6
#2  0x005cd319 in abort () from /lib/tls/libc.so.6
#3  0x005fef9a in __libc_message () from /lib/tls/libc.so.6
#4  0x00605528 in _int_free () from /lib/tls/libc.so.6
#5  0x00605afa in free () from /lib/tls/libc.so.6
#6  0x005fdffb in vasprintf () from /lib/tls/libc.so.6
#7  0x007db86f in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#8  0x007cc78b in g_strdup_vprintf () from /usr/lib/libglib-2.0.so.0
#9  0x007cc7b8 in g_strdup_printf () from /usr/lib/libglib-2.0.so.0
#10 0x024c33b0 in add_new_data_source () from /usr/lib/libethereal.so.0
#11 0x024c3c45 in dissect_packet () from /usr/lib/libethereal.so.0
#12 0x024c15f1 in epan_dissect_run () from /usr/lib/libethereal.so.0
#13 0x080599e7 in register_ethereal_tap ()
#14 0x0805a27e in register_ethereal_tap ()
#15 0x007324ae in ?? () from /usr/lib/libpcap.so.0.8.3
#16 0x08066760 in ReleaseCompleteReason_vals ()
#17 0xbff508c0 in ?? ()
#18 0x09f8ef82 in ?? ()
#19 0x00000020 in ?? ()
#20 0xbff508d0 in ?? ()
#21 0xbff508bc in ?? ()
#22 0xbff508d8 in ?? ()
#23 0x007ad55f in g_hash_table_lookup () from /usr/lib/libglib-2.0.so.0
#24 0x00733e37 in pcap_dispatch () from /usr/lib/libpcap.so.0.8.3
#25 0x0805addb in cf_open ()
#26 0x0805d0d5 in main ()
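
An added illustration, not part of the bug report or of ethereal's code: the abort above fires inside free() under vasprintf, but "free(): invalid next size" means glibc found an implausible size field in the heap chunk following the buffer being freed, so the corrupting write happened earlier, in some other frame. The program below reproduces that diagnostic from a plain out-of-bounds memcpy, using a hypothetical copy_field_unchecked as a stand-in for a dissector helper, and contrasts it with a bounded copy; it assumes a Linux/glibc system.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define BUF_LEN 2000  /* above glibc's tcache/fastbin sizes: free() takes the "(normal)" path */

/* Hypothetical stand-in for a dissector helper that copies a protocol field
 * into a heap buffer without checking the field length against the buffer. */
static void copy_field_unchecked(char *buf, const unsigned char *field, size_t field_len)
{
    memcpy(buf, field, field_len); /* field_len > BUF_LEN writes over the next chunk's header */
}

/* The same helper with the bound a dissector must enforce; returns bytes copied. */
static size_t copy_field_checked(char *buf, size_t buf_len,
                                 const unsigned char *field, size_t field_len)
{
    size_t n = field_len < buf_len ? field_len : buf_len;
    memcpy(buf, field, n);
    return n;
}

/* Run copy-then-free in a child process and report how it ended:
 * 0 = exited normally, >0 = number of the signal that killed it
 * (glibc prints "free(): invalid next size (normal)" and raises SIGABRT),
 * <0 = fork/wait failure or allocation failure in the child. */
int copy_then_free_signal(size_t field_len, int use_checked_copy)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *buf  = malloc(BUF_LEN);
        char *next = malloc(BUF_LEN);     /* the chunk whose size field gets clobbered */
        unsigned char field[4096];        /* constructed oversized input, all 'A' */
        if (!buf || !next)
            _exit(2);
        memset(field, 'A', sizeof field);
        if (use_checked_copy)
            copy_field_checked(buf, BUF_LEN, field, field_len);
        else
            copy_field_unchecked(buf, field, field_len); /* the real defect is here ... */
        free(buf);                                       /* ... but glibc aborts here */
        free(next);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : -WEXITSTATUS(status);
}
```

Under valgrind or -fsanitize=address the invalid write is reported at the memcpy in copy_field_unchecked, which is the frame to look for; the glibc abort only names the free().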

Comment 1 Dave Jones 2005-01-05 07:12:27 UTC
It's reproducible. Visit http://www.cafepress.com/mjg59 whilst snooping eth0.
Segfaults every time here.


Comment 3 Sitsofe Wheeler 2005-01-05 11:33:51 UTC
Created attachment 109360
Valgrind of ethereal

Valgrind reports various errors during this. The first error (Syscall param
socketcall.setsockopt) always happens but the others could be quite hard to
reproduce and required reloading the mentioned link many times...

Comment 7 Sitsofe Wheeler 2005-01-11 01:49:31 UTC
Is this one of the bugs addressed by the 0.17 update -
http://www.ethereal.com/appnotes/enpa-sa-00016.html (I checked the ethereal RPM
changelog and I don't see any security backports)? I notice that double frees in
the HTTP dissector are covered by
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1141

Comment 8 Dave Jones 2005-01-11 02:15:15 UTC
Radek suggested the same thing to me.
I did try the 0.10.8 update, and it was reproducible there too.

Oddly, I can't seem to reproduce it any more on any version of ethereal.


Comment 9 Radek Vokál 2005-01-30 19:37:14 UTC
Dave, I've just rebuilt the new ethereal-0.10.9 and it's already available
as an update. It fixes a few more memory leaks
( http://www.ethereal.com/news/item_20050120_01.html ), which might also fix
your issue. Let me know if I'm wrong.

