osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity

ptvcursor: Fix crash with deeply nested subtrees 

If the proto tree is more than 8 levels deep, the subtree_lvl array
length is extended, by allocating a new area and copying everything into
that new area. However the old array length wasn't calculated correctly,
so only part of the subtree_lvl array was copied, causing a crash after
two ptvcursor_pop_subtree() calls.


(cherry picked from commit fa483ac191)
This commit is contained in:
Simon Holesch 2021-03-06 01:56:06 +01:00 committed by Guy Harris
parent 489fc40a49
commit d28ded7244
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
epan/proto.c
View File

@ -1120,6 +1120,7 @@ static void
ptvcursor_new_subtree_levels(ptvcursor_t *ptvc)
{
subtree_lvl *pushed_tree;
size_t pushed_tree_len = sizeof(subtree_lvl) * ptvc->pushed_tree_max;
DISSECTOR_ASSERT(ptvc->pushed_tree_max <= SUBTREE_MAX_LEVELS-SUBTREE_ONCE_ALLOCATION_NUMBER);
ptvc->pushed_tree_max += SUBTREE_ONCE_ALLOCATION_NUMBER;
@ -1127,7 +1128,7 @@ ptvcursor_new_subtree_levels(ptvcursor_t *ptvc)
pushed_tree = (subtree_lvl *)wmem_alloc(wmem_packet_scope(), sizeof(subtree_lvl) * ptvc->pushed_tree_max);
DISSECTOR_ASSERT(pushed_tree != NULL);
if (ptvc->pushed_tree)
memcpy(pushed_tree, ptvc->pushed_tree, ptvc->pushed_tree_max - SUBTREE_ONCE_ALLOCATION_NUMBER);
memcpy(pushed_tree, ptvc->pushed_tree, pushed_tree_len);
ptvc->pushed_tree = pushed_tree;
}