wtap: fix regression in wtap_read_packet_bytes

The "first_free" pointer is currently only increased by
ws_buffer_increase_length (unused) and ws_buffer_append (for writes).
Reading into the buffer should not reduce the available space. Otherwise
the next wtap_read_packet_bytes call will reallocate the buffer.

This reallocation is unexpected by some users of cf_read_record and
results in a use-after-free crash following these steps:
1. Open packet capture.
2. Ignore packet.
3. Open context menu, twice.

This crashes because the ByteViewText class points to the buffer which
is reallocated after calling PacketList::getFilterFromRowAndColumn.

Change-Id: I4f1264a406a28c79491dcd77c552193bf3cdf62d
Fixes: v2.9.0rc0-2001-g123bcb0362 ("Make systemd journal entries events.")
Reviewed-on: https://code.wireshark.org/review/29915
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Peter Wu 2018-09-29 13:14:18 +02:00 committed by Anders Broman
parent 4a45ff2614
commit 2359523b1a
1 changed files with 2 additions and 6 deletions


@ -1366,12 +1366,8 @@ wtap_read_packet_bytes(FILE_T fh, Buffer *buf, guint length, int *err,
gchar **err_info)
{
ws_buffer_assure_space(buf, length);
if (wtap_read_bytes(fh, ws_buffer_start_ptr(buf), length, err,
err_info)) {
ws_buffer_increase_length(buf, length);
return TRUE;
}
return FALSE;
return wtap_read_bytes(fh, ws_buffer_start_ptr(buf), length, err,
err_info);
}
/*
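Review bot: ws_buffer_assure_space(buf, length) is still called before the read, so a later call whose length exceeds the buffer's current capacity can still reallocate it, and a caller holding a pointer from an earlier read (the commit message names ByteViewText) would be left with a stale pointer in that case. With ws_buffer_increase_length(buf, length) dropped, the buffer also no longer records how many bytes were read. A short comment above wtap_read_packet_bytes would help here: state that first_free is deliberately left unchanged, that callers must track the record length themselves, and that pointers into buf are not stable across calls, so the removed call is not reintroduced later.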