coap: fix use-after-free of "coinfo->ctype_str"

A use-after-free is possible through the following path: // returns wmem_packet_scope() memory coinfo->ctype_str = val_to_str(coinfo->ctype_value, vals_ctype, "Unknown Type %u"); // leaks packet scoped memory into conversation coap_trans = wmem_new0(wmem_file_scope(), coap_transaction); coap_trans->req_ctype_str = coinfo->ctype_str; // <-- oops // next packet: use-after-free of packet scoped memory coinfo->ctype_str = coap_trans->req_ctype_str; This could be fixed by duplicating "ctype_str" with wmem_file_scope, but since all "ctype_str" strings are constant, make the problematic "ctype_str" assignment also constant for unknown types (the numeric type is also stored in "ctype_value" if necessary). Change-Id: I6249e076fa282bbe0982b8c709788e27f6fdf86e Fixes: v2.9.0rc0-317-g46fcf452ac ("coap: Store ctype values in transaction tracking") Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8196 Reviewed-on: https://code.wireshark.org/review/27477 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
2018-05-13 00:27:03 +02:00 · 2018-05-13 00:27:03 +02:00 · b1e0cb01b3
parent 5b385f3a4d
commit b1e0cb01b3
1 changed files with 1 additions and 1 deletions
--- a/epan/dissectors/packet-coap.c
+++ b/epan/dissectors/packet-coap.c
@ -574,7 +574,7 @@ dissect_coap_opt_ctype(tvbuff_t *tvb, proto_item *head_item, proto_tree *subtree
 		coinfo->ctype_value = coap_get_opt_uint(tvb, offset, opt_length);
 	}

-	coinfo->ctype_str = val_to_str(coinfo->ctype_value, vals_ctype, "Unknown Type %u");
+	coinfo->ctype_str = val_to_str_const(coinfo->ctype_value, vals_ctype, "Unknown Type");

 	proto_tree_add_string(subtree, hf, tvb, offset, opt_length, coinfo->ctype_str);