osmocom
/
wireshark
11
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

Prevent use-after-free issues with pcapng.c/wtap_opttypes.c 

Bug: 12173
Change-Id: Ifff28491073d50e088b26847830a3bc8835f4282
Reviewed-on: https://code.wireshark.org/review/14180
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This commit is contained in:
Michael Mann 2016-02-26 17:10:02 -05:00
parent e326e85a88
commit 64a5cd9ce0
3 changed files with 14 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
wiretap/pcapng.c
View File

@ -2487,6 +2487,7 @@ pcapng_open(wtap *wth, int *err, gchar **err_info)
case PCAPNG_BLOCK_NOT_SHB:
/* An error indicating that this isn't a pcap-ng file. */
wtap_optionblock_free(wblock.block);
wblock.block = NULL;
*err = 0;
*err_info = NULL;
return WTAP_OPEN_NOT_MINE;
@ -2494,6 +2495,7 @@ pcapng_open(wtap *wth, int *err, gchar **err_info)
case PCAPNG_BLOCK_ERROR:
/* An I/O error, or this probably *is* a pcap-ng file but not a valid one. */
wtap_optionblock_free(wblock.block);
wblock.block = NULL;
return WTAP_OPEN_ERROR;
}
@ -2506,6 +2508,7 @@ pcapng_open(wtap *wth, int *err, gchar **err_info)
*/
pcapng_debug("pcapng_open: first block type %u not SHB", wblock.type);
wtap_optionblock_free(wblock.block);
wblock.block = NULL;
return WTAP_OPEN_NOT_MINE;
}
pn.shb_read = TRUE;
@ -2561,10 +2564,12 @@ pcapng_open(wtap *wth, int *err, gchar **err_info)
if (*err == 0) {
pcapng_debug("No more IDBs available...");
wtap_optionblock_free(wblock.block);
wblock.block = NULL;
break;
} else {
pcapng_debug("pcapng_open: couldn't read IDB");
wtap_optionblock_free(wblock.block);
wblock.block = NULL;
return WTAP_OPEN_ERROR;
}
}

9
wiretap/wtap.c
View File

@ -1180,10 +1180,8 @@ wtap_fdclose(wtap *wth)
void
wtap_close(wtap *wth)
{
guint i, j;
guint i;
wtap_optionblock_t wtapng_if_descr;
wtap_optionblock_t if_stats;
wtapng_if_descr_mandatory_t* wtapng_if_descr_mand;
wtap_sequential_close(wth);
@ -1205,11 +1203,6 @@ wtap_close(wtap *wth)
for(i = 0; i < wth->interface_data->len; i++) {
wtapng_if_descr = g_array_index(wth->interface_data, wtap_optionblock_t, i);
wtapng_if_descr_mand = (wtapng_if_descr_mandatory_t*)wtap_optionblock_get_mandatory_data(wtapng_if_descr);
for(j = 0; j < wtapng_if_descr_mand->num_stat_entries; j++) {
if_stats = g_array_index(wtapng_if_descr_mand->interface_statistics, wtap_optionblock_t, j);
wtap_optionblock_free(if_stats);
}
wtap_optionblock_free(wtapng_if_descr);
}
g_array_free(wth->interface_data, TRUE);

11
wiretap/wtap_opttypes.c
View File

@ -155,16 +155,21 @@ static void wtap_optionblock_free_options(wtap_optionblock_t block)
void wtap_optionblock_free(wtap_optionblock_t block)
{
guint j;
wtap_optionblock_t if_stats;
if (block != NULL)
{
/* Need special consideration for freeing of the interface_statistics member */
if (block->type == WTAP_OPTION_BLOCK_IF_DESCR)
{
wtapng_if_descr_mandatory_t* mand = (wtapng_if_descr_mandatory_t*)block->mandatory_data;
if (mand->num_stat_entries != 0)
{
g_array_free(mand->interface_statistics, TRUE);
for(j = 0; j < mand->num_stat_entries; j++) {
if_stats = g_array_index(mand->interface_statistics, wtap_optionblock_t, j);
wtap_optionblock_free(if_stats);
}
g_array_free(mand->interface_statistics, TRUE);
}
g_free(block->mandatory_data);