Found a new bug #2981951 - Intermittent crashes in scanner. The problem is in the native protocol implementation of the scan functions. There is a combination of validate_* and scan_* functions called on the various protocols. I found 2 problems:
1) The HTTP and SIP scanners relied on a TCP header residing within the packet.
2) Some header implementations did not check the buffer boundary properly and would cause VM crashes, especially on malformed or truncated packets.
In #1, most HTTP packets have a TCP header as well, but not always. For example, the jNetPcap HttpAnalyzer generates pure HTTP packets as the result of TCP stream reassembly, and no TCP header exists in those packets. The pure HTTP packets still have access to the original packets that comprise them, so the IP/TCP information is still available, but not in the new packet itself.
In the second case, the scanner methods would sometimes, especially on malformed or truncated packets, run past the bounds of the packet buffer. This usually went unnoticed, as the packet interpretation typically did not make sense beyond the actual packet boundaries and the packet scanner would terminate the scan on its own. But once in a while this also caused a SIGSEGV, crashing the VM. Of course, this is a serious bug that went unnoticed.
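As an added illustration (this is example code, not jNetPcap's scanner and not the actual fix), here is how a native scan function can avoid both problems: it parses the IPv4/TCP headers only when the caller says the packet is encapsulated, so a reassembled pure-HTTP packet is scanned from offset 0 instead of at a TCP offset that does not exist, and every read is checked against the captured length, so a truncated or malformed packet yields a "truncated" result rather than a read past the end of the buffer. The packet_t struct, the SCAN_* result codes and the build_ipv4_tcp helper that constructs sample packets are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not jNetPcap code. A packet is a buffer plus its captured
 * length; every read below is checked against that length. */
typedef struct {
    const uint8_t *buf;
    size_t len;
} packet_t;

/* Hypothetical scan result codes. */
enum { SCAN_NO_MATCH = 0, SCAN_MATCH = 1, SCAN_TRUNCATED = -1 };

/* True if `n` bytes at offset `off` lie inside the buffer. Written as a
 * subtraction so that off + n cannot wrap around on a hostile length. */
static int in_bounds(const packet_t *p, size_t off, size_t n)
{
    return off <= p->len && n <= p->len - off;
}

/* If the buffer begins with an IPv4 header carrying TCP, store the payload
 * offset and return SCAN_MATCH. SCAN_TRUNCATED: a header length field points
 * past the end of the capture. SCAN_NO_MATCH: the data is not IPv4/TCP. */
static int ipv4_tcp_payload_offset(const packet_t *p, size_t *payload_off)
{
    size_t ihl, tcp_off, doff;

    if (p->len < 1 || (p->buf[0] >> 4) != 4)
        return SCAN_NO_MATCH;
    ihl = (size_t)(p->buf[0] & 0x0f) * 4;        /* IPv4 header length */
    if (ihl < 20)
        return SCAN_NO_MATCH;
    if (!in_bounds(p, 0, ihl))
        return SCAN_TRUNCATED;
    if (p->buf[9] != 6)                           /* protocol field: 6 = TCP */
        return SCAN_NO_MATCH;

    tcp_off = ihl;
    if (!in_bounds(p, tcp_off, 20))
        return SCAN_TRUNCATED;
    doff = (size_t)(p->buf[tcp_off + 12] >> 4) * 4; /* TCP data offset */
    if (doff < 20)
        return SCAN_NO_MATCH;
    if (!in_bounds(p, tcp_off, doff))
        return SCAN_TRUNCATED;

    *payload_off = tcp_off + doff;
    return SCAN_MATCH;
}

/* Validate an HTTP request at `off` without reading past p->len.
 * SCAN_MATCH: method token plus a complete header block ("\r\n\r\n"); the
 * block length is stored in *hdr_len when non-NULL. SCAN_TRUNCATED: the
 * method matched but the buffer ends first. SCAN_NO_MATCH otherwise. */
static int validate_http(const packet_t *p, size_t off, size_t *hdr_len)
{
    static const char *const methods[] = { "GET ", "POST ", "HEAD ", "PUT " };
    size_t i, n;
    int matched = 0;

    for (i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        n = strlen(methods[i]);
        if (in_bounds(p, off, n) && memcmp(p->buf + off, methods[i], n) == 0) {
            matched = 1;
            break;
        }
    }
    if (!matched)
        return SCAN_NO_MATCH;

    for (i = off; in_bounds(p, i, 4); i++) {
        if (memcmp(p->buf + i, "\r\n\r\n", 4) == 0) {
            if (hdr_len)
                *hdr_len = i + 4 - off;
            return SCAN_MATCH;
        }
    }
    return SCAN_TRUNCATED;
}

/* `encapsulated` says whether IPv4/TCP headers precede the payload. A
 * reassembled pure-HTTP packet passes 0 and is scanned from offset 0 rather
 * than assuming a TCP header that is not there. */
static int scan_http(const packet_t *p, int encapsulated, size_t *hdr_len)
{
    size_t off = 0;
    if (encapsulated) {
        int rc = ipv4_tcp_payload_offset(p, &off);
        if (rc != SCAN_MATCH)
            return rc;
    }
    return validate_http(p, off, hdr_len);
}

/* Constructed sample data: a minimal IPv4+TCP packet (no options, checksums
 * zero) around `payload`. Callers shorten .len to simulate a cut-off capture. */
static packet_t build_ipv4_tcp(uint8_t *buf, size_t cap, const char *payload)
{
    packet_t p = { buf, 0 };
    size_t plen = strlen(payload);

    if (cap < 40 + plen)
        return p;                        /* len 0 signals failure */
    memset(buf, 0, 40);
    buf[0] = 0x45;                       /* version 4, IHL 5 (20 bytes) */
    buf[2] = (uint8_t)((40 + plen) >> 8);
    buf[3] = (uint8_t)(40 + plen);       /* total length */
    buf[8] = 64;                         /* TTL */
    buf[9] = 6;                          /* protocol: TCP */
    buf[20 + 12] = 0x50;                 /* TCP data offset 5 (20 bytes) */
    buf[20 + 13] = 0x18;                 /* PSH|ACK */
    memcpy(buf + 40, payload, plen);
    p.len = 40 + plen;
    return p;
}
```

Usage: build a packet with build_ipv4_tcp and call scan_http(&pkt, 1, &hdr_len); for a reassembled HTTP payload call scan_http with encapsulated = 0 on the bare bytes. Shortening pkt.len to end inside the TCP header or inside the request, or setting the TCP data offset nibble to a value larger than the capture, returns SCAN_TRUNCATED instead of reading past the buffer.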
The bug affects the 1.2, 1.3, 1.4 and 2.0.b0001 releases. I am applying the fix to 1.3 and to the soon-to-be-released 1.4, and will also update 2.0.b0001 (to 2.0.dev2), even though it's not officially supported, simply because I think some of the problems reported to me in the support forums are caused by this. The 64-bit ports may also be affected, as a different memory architecture can exacerbate this problem.