forked from osmocom/wireshark
coap: fix use-after-free of "coinfo->ctype_str"
A use-after-free is possible through the following path:

    // returns wmem_packet_scope() memory
    coinfo->ctype_str = val_to_str(coinfo->ctype_value, vals_ctype, "Unknown Type %u");

    // leaks packet scoped memory into conversation
    coap_trans = wmem_new0(wmem_file_scope(), coap_transaction);
    coap_trans->req_ctype_str = coinfo->ctype_str; // <-- oops

    // next packet: use-after-free of packet scoped memory
    coinfo->ctype_str = coap_trans->req_ctype_str;

This could be fixed by duplicating "ctype_str" with wmem_file_scope, but
since all "ctype_str" strings are constant, make the problematic
"ctype_str" assignment also constant for unknown types (the numeric type
is also stored in "ctype_value" if necessary).

Change-Id: I6249e076fa282bbe0982b8c709788e27f6fdf86e
Fixes: v2.9.0rc0-317-g46fcf452ac ("coap: Store ctype values in transaction tracking")
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8196
Reviewed-on: https://code.wireshark.org/review/27477
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
parent 5b385f3a4d
commit b1e0cb01b3
@ -574,7 +574,7 @@ dissect_coap_opt_ctype(tvbuff_t *tvb, proto_item *head_item, proto_tree *subtree
coinfo->ctype_value = coap_get_opt_uint(tvb, offset, opt_length);
}
|
coinfo->ctype_str = val_to_str(coinfo->ctype_value, vals_ctype, "Unknown Type %u");
coinfo->ctype_str = val_to_str_const(coinfo->ctype_value, vals_ctype, "Unknown Type");
|
proto_tree_add_string(subtree, hf, tvb, offset, opt_length, coinfo->ctype_str);
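Review bot: the fix is only as strong as the invariant that every string stored in coinfo->ctype_str is static, and this hunk is the sole place that invariant is enforced; the copy into coap_trans->req_ctype_str quoted in the commit message is outside this hunk, so a later change that formats the unknown value again here, or assigns any other packet-scoped string to ctype_str elsewhere, silently reintroduces the dangling pointer. A short comment on the ctype_str and req_ctype_str fields saying they must hold static storage (table entries or val_to_str_const results) would put the constraint where the next author will see it. Also note the user-visible change: the unknown case now reads plainly "Unknown Type" with no number. Since the raw value is kept in coinfo->ctype_value, adding it to the tree as its own numeric item would keep the content-format number visible without formatting it back into a packet-scoped string.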