https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14976

            Bug ID: 14976
           Summary: Buildbot crash output: fuzz-2018-07-15-18210.pcap
           Product: Wireshark
           Version: unspecified
          Hardware: x86-64
                OS: Ubuntu
            Status: CONFIRMED
          Severity: Major
          Priority: High
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: buildbot-do-not-re...@wireshark.org
  Target Milestone: ---

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2018-07-15-18210.pcap

stderr:
Input file: /home/wireshark/menagerie/menagerie/13056-svi7.pcap

Build host information:
Linux wsbb04 4.4.0-130-generic #156-Ubuntu SMP Thu Jun 14 08:53:28 UTC 2018
x86_64 x86_64 x86_64 GNU/Linux
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.4 LTS
Release:        16.04
Codename:       xenial

Buildbot information:
BUILDBOT_REPOSITORY=ssh://wireshark-build...@code.wireshark.org:29418/wireshark
BUILDBOT_WORKERNAME=clang-code-analysis
BUILDBOT_BUILDNUMBER=4826
BUILDBOT_URL=http://buildbot.wireshark.org/wireshark-master/
BUILDBOT_BUILDERNAME=Clang Code Analysis
BUILDBOT_GOT_REVISION=1834cda2ee945c09f3306e001af9d9bac97d6422

Return value:  0

Dissector bug:  0

Valgrind error count:  37



Git commit
commit 1834cda2ee945c09f3306e001af9d9bac97d6422
Author: Guy Harris <g...@alum.mit.edu>
Date:   Sat Jul 14 14:43:55 2018 -0700

    The maximum offset in an IP option dissector is the length of the option.

    It's *not* the sum of the length of the option and the length of the
    option header.

    Change-Id: I0b5ab0e35ca33dc02a0bc2501e0f0f531ec3f376
    Reviewed-on: https://code.wireshark.org/review/28701
    Reviewed-by: Guy Harris <g...@alum.mit.edu>


Command and args: ./tools/valgrind-wireshark.sh -b /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.plain/bin -T
==30006== Memcheck, a memory error detector
==30006== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==30006== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==30006== Command: /home/wireshark/builders/wireshark-master-fuzz/clangcodeanalysis/install.plain/bin/tshark -Vx -nr /fuzz/buildbot/clangcodeanalysis/valgrind-fuzz/fuzz-2018-07-15-18210.pcap
==30006== 
==30006== Conditional jump or move depends on uninitialised value(s)
==30006==    at 0x7F76B88: display_signed_time (to_str.c:655)
==30006==    by 0x7F7746A: rel_time_to_secs_str (to_str.c:924)
==30006==    by 0x7F5168F: proto_item_fill_label (proto.c:8344)
==30006==    by 0x7F23C51: proto_tree_print_node (print.c:187)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006==    by 0x120F24: print_packet (tshark.c:3931)
==30006==    by 0x12040D: process_packet_single_pass (tshark.c:3564)
==30006== 
==30006== Conditional jump or move depends on uninitialised value(s)
==30006==    at 0x7F76DB3: int_to_str_back (to_str.c:1296)
==30006==    by 0x7F76BCC: display_signed_time (to_str.c:664)
==30006==    by 0x7F7746A: rel_time_to_secs_str (to_str.c:924)
==30006==    by 0x7F5168F: proto_item_fill_label (proto.c:8344)
==30006==    by 0x7F23C51: proto_tree_print_node (print.c:187)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006==    by 0x120F24: print_packet (tshark.c:3931)
==30006== 
==30006== Conditional jump or move depends on uninitialised value(s)
==30006==    at 0x7F75F3F: uint_to_str_back (to_str.c:1210)
==30006==    by 0x7F76DF0: int_to_str_back (to_str.c:1300)
==30006==    by 0x7F76BCC: display_signed_time (to_str.c:664)
==30006==    by 0x7F7746A: rel_time_to_secs_str (to_str.c:924)
==30006==    by 0x7F5168F: proto_item_fill_label (proto.c:8344)
==30006==    by 0x7F23C51: proto_tree_print_node (print.c:187)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006== 
==30006== Conditional jump or move depends on uninitialised value(s)
==30006==    at 0x7F75F61: uint_to_str_back (to_str.c:1213)
==30006==    by 0x7F76DF0: int_to_str_back (to_str.c:1300)
==30006==    by 0x7F76BCC: display_signed_time (to_str.c:664)
==30006==    by 0x7F7746A: rel_time_to_secs_str (to_str.c:924)
==30006==    by 0x7F5168F: proto_item_fill_label (proto.c:8344)
==30006==    by 0x7F23C51: proto_tree_print_node (print.c:187)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006== 
==30006== Use of uninitialised value of size 8
==30006==    at 0x7F75FA4: uint_to_str_back (to_str.c:1218)
==30006==    by 0x7F76DF0: int_to_str_back (to_str.c:1300)
==30006==    by 0x7F76BCC: display_signed_time (to_str.c:664)
==30006==    by 0x7F7746A: rel_time_to_secs_str (to_str.c:924)
==30006==    by 0x7F5168F: proto_item_fill_label (proto.c:8344)
==30006==    by 0x7F23C51: proto_tree_print_node (print.c:187)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006== 
==30006== Use of uninitialised value of size 8
==30006==    at 0x7F75FBF: uint_to_str_back (to_str.c:1219)
==30006==    by 0x7F76DF0: int_to_str_back (to_str.c:1300)
==30006==    by 0x7F76BCC: display_signed_time (to_str.c:664)
==30006==    by 0x7F7746A: rel_time_to_secs_str (to_str.c:924)
==30006==    by 0x7F5168F: proto_item_fill_label (proto.c:8344)
==30006==    by 0x7F23C51: proto_tree_print_node (print.c:187)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006== 
==30006== Conditional jump or move depends on uninitialised value(s)
==30006==    at 0x7F75FDF: uint_to_str_back (to_str.c:1222)
==30006==    by 0x7F76DF0: int_to_str_back (to_str.c:1300)
==30006==    by 0x7F76BCC: display_signed_time (to_str.c:664)
==30006==    by 0x7F7746A: rel_time_to_secs_str (to_str.c:924)
==30006==    by 0x7F5168F: proto_item_fill_label (proto.c:8344)
==30006==    by 0x7F23C51: proto_tree_print_node (print.c:187)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006== 
==30006== Conditional jump or move depends on uninitialised value(s)
==30006==    at 0x7F75F3F: uint_to_str_back (to_str.c:1210)
==30006==    by 0x7F76E1D: uint_to_str_back_len (to_str.c:1258)
==30006==    by 0x7F76CF2: display_signed_time (to_str.c:695)
==30006==    by 0x7F7746A: rel_time_to_secs_str (to_str.c:924)
==30006==    by 0x7F5168F: proto_item_fill_label (proto.c:8344)
==30006==    by 0x7F23C51: proto_tree_print_node (print.c:187)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006== 
==30006== Conditional jump or move depends on uninitialised value(s)
==30006==    at 0x7F75F61: uint_to_str_back (to_str.c:1213)
==30006==    by 0x7F76E1D: uint_to_str_back_len (to_str.c:1258)
==30006==    by 0x7F76CF2: display_signed_time (to_str.c:695)
==30006==    by 0x7F7746A: rel_time_to_secs_str (to_str.c:924)
==30006==    by 0x7F5168F: proto_item_fill_label (proto.c:8344)
==30006==    by 0x7F23C51: proto_tree_print_node (print.c:187)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006== 
==30006== Use of uninitialised value of size 8
==30006==    at 0x7F75FA4: uint_to_str_back (to_str.c:1218)
==30006==    by 0x7F76E1D: uint_to_str_back_len (to_str.c:1258)
==30006==    by 0x7F76CF2: display_signed_time (to_str.c:695)
==30006==    by 0x7F7746A: rel_time_to_secs_str (to_str.c:924)
==30006==    by 0x7F5168F: proto_item_fill_label (proto.c:8344)
==30006==    by 0x7F23C51: proto_tree_print_node (print.c:187)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006== 
==30006== Use of uninitialised value of size 8
==30006==    at 0x7F75FBF: uint_to_str_back (to_str.c:1219)
==30006==    by 0x7F76E1D: uint_to_str_back_len (to_str.c:1258)
==30006==    by 0x7F76CF2: display_signed_time (to_str.c:695)
==30006==    by 0x7F7746A: rel_time_to_secs_str (to_str.c:924)
==30006==    by 0x7F5168F: proto_item_fill_label (proto.c:8344)
==30006==    by 0x7F23C51: proto_tree_print_node (print.c:187)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006== 
==30006== Conditional jump or move depends on uninitialised value(s)
==30006==    at 0x7F75FDF: uint_to_str_back (to_str.c:1222)
==30006==    by 0x7F76E1D: uint_to_str_back_len (to_str.c:1258)
==30006==    by 0x7F76CF2: display_signed_time (to_str.c:695)
==30006==    by 0x7F7746A: rel_time_to_secs_str (to_str.c:924)
==30006==    by 0x7F5168F: proto_item_fill_label (proto.c:8344)
==30006==    by 0x7F23C51: proto_tree_print_node (print.c:187)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006== 
==30006== Conditional jump or move depends on uninitialised value(s)
==30006==    at 0xBE90CC0: vfprintf (vfprintf.c:1632)
==30006==    by 0xBF58895: __vsnprintf_chk (vsnprintf_chk.c:63)
==30006==    by 0xBBBEC5E: g_snprintf (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2)
==30006==    by 0x7F516B7: proto_item_fill_label (proto.c:8345)
==30006==    by 0x7F23C51: proto_tree_print_node (print.c:187)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006==    by 0x120F24: print_packet (tshark.c:3931)
==30006== 
==30006== Conditional jump or move depends on uninitialised value(s)
==30006==    at 0x4C30F78: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30006==    by 0xBEB003E: fputs (iofputs.c:33)
==30006==    by 0x7F2AA2C: print_line_color_text (print_stream.c:328)
==30006==    by 0x7F2A79E: print_line_text (print_stream.c:343)
==30006==    by 0x7F2A2E5: print_line (print_stream.c:242)
==30006==    by 0x7F23CEC: proto_tree_print_node (print.c:193)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006== 
==30006== Syscall param write(buf) points to uninitialised byte(s)
==30006==    at 0xBF392DD: ??? (syscall-template.S:84)
==30006==    by 0xBEBABFE: _IO_file_write@@GLIBC_2.2.5 (fileops.c:1263)
==30006==    by 0xBEBC408: new_do_write (fileops.c:518)
==30006==    by 0xBEBC408: _IO_do_write@@GLIBC_2.2.5 (fileops.c:494)
==30006==    by 0xBEBB47C: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1331)
==30006==    by 0xBEB00C7: fputs (iofputs.c:38)
==30006==    by 0x7F2AA2C: print_line_color_text (print_stream.c:328)
==30006==    by 0x7F2A79E: print_line_text (print_stream.c:343)
==30006==    by 0x7F2A2E5: print_line (print_stream.c:242)
==30006==    by 0x7F23CEC: proto_tree_print_node (print.c:193)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23F29: proto_tree_print_node (print.c:242)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==  Address 0x18b2e8fb is 1,563 bytes inside a block of size 4,096 alloc'd
==30006==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30006==    by 0xBEAF1D4: _IO_file_doallocate (filedoalloc.c:127)
==30006==    by 0xBEBD593: _IO_doallocbuf (genops.c:398)
==30006==    by 0xBEBC8F7: _IO_file_overflow@@GLIBC_2.2.5 (fileops.c:820)
==30006==    by 0xBEBB28C: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1331)
==30006==    by 0xBEB00C7: fputs (iofputs.c:38)
==30006==    by 0x7F2AA2C: print_line_color_text (print_stream.c:328)
==30006==    by 0x7F2A79E: print_line_text (print_stream.c:343)
==30006==    by 0x7F2A2E5: print_line (print_stream.c:242)
==30006==    by 0x7F23CEC: proto_tree_print_node (print.c:193)
==30006==    by 0x7F3B003: proto_tree_children_foreach (proto.c:687)
==30006==    by 0x7F23B1C: proto_tree_print (print.c:156)
==30006== 
==30006== 
==30006== HEAP SUMMARY:
==30006==     in use at exit: 125,530 bytes in 368 blocks
==30006==   total heap usage: 16,302,819 allocs, 16,302,451 frees, 1,158,594,480 bytes allocated
==30006== 
==30006== LEAK SUMMARY:
==30006==    definitely lost: 0 bytes in 0 blocks
==30006==    indirectly lost: 0 bytes in 0 blocks
==30006==      possibly lost: 0 bytes in 0 blocks
==30006==    still reachable: 14,851 bytes in 88 blocks
==30006==                       of which reachable via heuristic:
==30006==                         newarray           : 1,536 bytes in 16 blocks
==30006==         suppressed: 110,679 bytes in 280 blocks
==30006== Rerun with --leak-check=full to see details of leaked memory
==30006== 
==30006== For counts of detected and suppressed errors, rerun with: -v
==30006== Use --track-origins=yes to see where uninitialised values come from
==30006== ERROR SUMMARY: 37 errors from 15 contexts (suppressed: 0 from 0)

[ no debug trace ]

-- 
You are receiving this mail because:
You are watching all bug changes.
___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe