wtap: fix regression in wtap_read_packet_bytes
The "first_free" pointer is currently only increased by ws_buffer_increase_length (unused) and ws_buffer_append (for writes). Reading into the buffer should not reduce the available space. Otherwise the next wtap_read_packet_bytes call will reallocate the buffer.

This reallocation is unexpected by some users of cf_read_record and results in a use-after-free crash following these steps:

1. Open packet capture.
2. Ignore packet.
3. Open context menu, twice.

This crashes because the ByteViewText class points to the buffer which is reallocated after calling PacketList::getFilterFromRowAndColumn.

Change-Id: I4f1264a406a28c79491dcd77c552193bf3cdf62d
Fixes: v2.9.0rc0-2001-g123bcb0362 ("Make systemd journal entries events.")
Reviewed-on: https://code.wireshark.org/review/29915
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit is contained in:
parent
4a45ff2614
commit
2359523b1a
|
@ -1366,12 +1366,8 @@ wtap_read_packet_bytes(FILE_T fh, Buffer *buf, guint length, int *err,
|
|||
gchar **err_info)
|
||||
{
|
||||
ws_buffer_assure_space(buf, length);
|
||||
if (wtap_read_bytes(fh, ws_buffer_start_ptr(buf), length, err,
|
||||
err_info)) {
|
||||
ws_buffer_increase_length(buf, length);
|
||||
return TRUE;
|
||||
}
|
||||
return FALSE;
|
||||
return wtap_read_bytes(fh, ws_buffer_start_ptr(buf), length, err,
|
||||
err_info);
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
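Review bot: the ws_buffer_assure_space(buf, length) call kept at the top of wtap_read_packet_bytes can still grow the buffer when a later record is longer than the space currently available, so a caller that keeps a pointer obtained from ws_buffer_start_ptr(buf) across reads (the ByteViewText case named in the commit message) stays exposed to the same use-after-free for larger records. The change removes the reallocation caused by the shrinking free space, but the pointer lifetime assumption is still undocumented. Please add a comment above the function stating that the read does not advance the buffer length and that the start pointer is only valid until the next read into the same Buffer, and consider a follow-up that makes the byte view copy the data or refresh its pointer after cf_read_record.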