From 2359523b1a8d7df74e456c6d8a1b047a7e53c512 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Sat, 29 Sep 2018 13:14:18 +0200
Subject: [PATCH] wtap: fix regression in wtap_read_packet_bytes

The "first_free" pointer is currently only increaseed by ws_buffer_increase_length (unused) and ws_buffer_append (for writes). Reading into the buffer should not reduce the available space. Otherwise the next wtap_read_packet_bytes call will reallocate the buffer. This reallocation is unexpected by some users of cf_read_record and results in a use-after-free crash following these steps: 1. Open packet capture. 2. Ignore packet. 3. Open context menu, twice. This crashes because the ByteViewText class points to the buffer which is reallocated after calling PacketList::getFilterFromRowAndColumn.

Change-Id: I4f1264a406a28c79491dcd77c552193bf3cdf62d
Fixes: v2.9.0rc0-2001-g123bcb0362 ("Make systemd journal entries events.")
Reviewed-on: https://code.wireshark.org/review/29915
Petri-Dish: Peter Wu
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman
---
 wiretap/wtap.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/wiretap/wtap.c b/wiretap/wtap.c
index bac88d8be2..1944c4ce11 100644
--- a/wiretap/wtap.c
+++ b/wiretap/wtap.c
@@ -1366,12 +1366,8 @@ wtap_read_packet_bytes(FILE_T fh, Buffer *buf, guint length, int *err,
 gchar **err_info)
 {
 ws_buffer_assure_space(buf, length);
- if (wtap_read_bytes(fh, ws_buffer_start_ptr(buf), length, err,
- err_info)) {
- ws_buffer_increase_length(buf, length);
- return TRUE;
- }
- return FALSE;
+ return wtap_read_bytes(fh, ws_buffer_start_ptr(buf), length, err,
+ err_info);
 }
 /*
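Review bot: The new body deliberately leaves the Buffer's length untouched after a successful read, but nothing in the code records that intent, so a later cleanup could put ws_buffer_increase_length() back and reintroduce the reallocation and the use-after-free the commit message describes. A short comment above the added return would pin the contract: `/* Do not advance the buffer length: callers keep pointers into the buffer and the next read must not force a reallocation. */`. It is also worth stating in that comment that callers must consume the `length` bytes at ws_buffer_start_ptr() before the next read on the same Buffer, since ws_buffer_length() no longer reflects what was read. Whether `length` is bounded before ws_buffer_assure_space() is not visible in this hunk; presumably the callers check it against the maximum packet size, which should be confirmed. The function's return type and first signature line precede the hunk.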