osmith/wireshark
1
0
Fork 0
forked from osmocom/wireshark
Code Pull requests Releases Wiki Activity

xnap: fix use-after-free of "xnap_conv->addr_a"

Browse source 
Fix wrong memory scope to address a heap-use-after-free via:

    addresses_equal epan/address.h:218:10
    dissect_xnap_T_rrc_Context_01 epan/dissectors/asn1/xnap/xnap.cnf:127

Change-Id: I38bb64c2c8809cb1224d2c44076255d1789c4d5e
Fixes: v2.9.0rc0-1116-gcc5701fbb1 ("XnAP: add dissector based on v15.0.0")
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9199
Reviewed-on: https://code.wireshark.org/review/28658
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
This commit is contained in:
Peter Wu 2018-07-08 15:28:34 +02:00 committed by Pascal Quantin
parent 0e043692ec
commit 55c6038fb0
2 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
epan/dissectors/asn1/xnap/packet-xnap-template.c
View file

@ -194,9 +194,9 @@ dissect_xnap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
xnap_data->xnap_conv = (struct xnap_conv_info *)conversation_get_proto_data(conversation, proto_xnap);
if (!xnap_data->xnap_conv) {
xnap_data->xnap_conv = wmem_new0(wmem_file_scope(), struct xnap_conv_info);
copy_address_wmem(wmem_packet_scope(), &xnap_data->xnap_conv->addr_a, &pinfo->src);
copy_address_wmem(wmem_file_scope(), &xnap_data->xnap_conv->addr_a, &pinfo->src);
xnap_data->xnap_conv->ranmode_id_a = (GlobalNG_RANNode_ID_enum)-1;
copy_address_wmem(wmem_packet_scope(), &xnap_data->xnap_conv->addr_b, &pinfo->dst);
copy_address_wmem(wmem_file_scope(), &xnap_data->xnap_conv->addr_b, &pinfo->dst);
xnap_data->xnap_conv->ranmode_id_b = (GlobalNG_RANNode_ID_enum)-1;
conversation_add_proto_data(conversation, proto_xnap, xnap_data->xnap_conv);
}

4
epan/dissectors/packet-xnap.c
View file

@ -7363,9 +7363,9 @@ dissect_xnap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
xnap_data->xnap_conv = (struct xnap_conv_info *)conversation_get_proto_data(conversation, proto_xnap);
if (!xnap_data->xnap_conv) {
xnap_data->xnap_conv = wmem_new0(wmem_file_scope(), struct xnap_conv_info);
copy_address_wmem(wmem_packet_scope(), &xnap_data->xnap_conv->addr_a, &pinfo->src);
copy_address_wmem(wmem_file_scope(), &xnap_data->xnap_conv->addr_a, &pinfo->src);
xnap_data->xnap_conv->ranmode_id_a = (GlobalNG_RANNode_ID_enum)-1;
copy_address_wmem(wmem_packet_scope(), &xnap_data->xnap_conv->addr_b, &pinfo->dst);
copy_address_wmem(wmem_file_scope(), &xnap_data->xnap_conv->addr_b, &pinfo->dst);
xnap_data->xnap_conv->ranmode_id_b = (GlobalNG_RANNode_ID_enum)-1;
conversation_add_proto_data(conversation, proto_xnap, xnap_data->xnap_conv);
}