Prevent use-after-free issues with pcapng.c/wtap_opttypes.c
Bug: 12173 Change-Id: Ifff28491073d50e088b26847830a3bc8835f4282 Reviewed-on: https://code.wireshark.org/review/14180 Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
This commit is contained in:
parent
e326e85a88
commit
64a5cd9ce0
|
@ -2487,6 +2487,7 @@ pcapng_open(wtap *wth, int *err, gchar **err_info)
|
||||||
case PCAPNG_BLOCK_NOT_SHB:
|
case PCAPNG_BLOCK_NOT_SHB:
|
||||||
/* An error indicating that this isn't a pcap-ng file. */
|
/* An error indicating that this isn't a pcap-ng file. */
|
||||||
wtap_optionblock_free(wblock.block);
|
wtap_optionblock_free(wblock.block);
|
||||||
|
wblock.block = NULL;
|
||||||
*err = 0;
|
*err = 0;
|
||||||
*err_info = NULL;
|
*err_info = NULL;
|
||||||
return WTAP_OPEN_NOT_MINE;
|
return WTAP_OPEN_NOT_MINE;
|
||||||
|
@ -2494,6 +2495,7 @@ pcapng_open(wtap *wth, int *err, gchar **err_info)
|
||||||
case PCAPNG_BLOCK_ERROR:
|
case PCAPNG_BLOCK_ERROR:
|
||||||
/* An I/O error, or this probably *is* a pcap-ng file but not a valid one. */
|
/* An I/O error, or this probably *is* a pcap-ng file but not a valid one. */
|
||||||
wtap_optionblock_free(wblock.block);
|
wtap_optionblock_free(wblock.block);
|
||||||
|
wblock.block = NULL;
|
||||||
return WTAP_OPEN_ERROR;
|
return WTAP_OPEN_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2506,6 +2508,7 @@ pcapng_open(wtap *wth, int *err, gchar **err_info)
|
||||||
*/
|
*/
|
||||||
pcapng_debug("pcapng_open: first block type %u not SHB", wblock.type);
|
pcapng_debug("pcapng_open: first block type %u not SHB", wblock.type);
|
||||||
wtap_optionblock_free(wblock.block);
|
wtap_optionblock_free(wblock.block);
|
||||||
|
wblock.block = NULL;
|
||||||
return WTAP_OPEN_NOT_MINE;
|
return WTAP_OPEN_NOT_MINE;
|
||||||
}
|
}
|
||||||
pn.shb_read = TRUE;
|
pn.shb_read = TRUE;
|
||||||
|
@ -2561,10 +2564,12 @@ pcapng_open(wtap *wth, int *err, gchar **err_info)
|
||||||
if (*err == 0) {
|
if (*err == 0) {
|
||||||
pcapng_debug("No more IDBs available...");
|
pcapng_debug("No more IDBs available...");
|
||||||
wtap_optionblock_free(wblock.block);
|
wtap_optionblock_free(wblock.block);
|
||||||
|
wblock.block = NULL;
|
||||||
break;
|
break;
|
||||||
} else {
|
} else {
|
||||||
pcapng_debug("pcapng_open: couldn't read IDB");
|
pcapng_debug("pcapng_open: couldn't read IDB");
|
||||||
wtap_optionblock_free(wblock.block);
|
wtap_optionblock_free(wblock.block);
|
||||||
|
wblock.block = NULL;
|
||||||
return WTAP_OPEN_ERROR;
|
return WTAP_OPEN_ERROR;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1180,10 +1180,8 @@ wtap_fdclose(wtap *wth)
|
||||||
void
|
void
|
||||||
wtap_close(wtap *wth)
|
wtap_close(wtap *wth)
|
||||||
{
|
{
|
||||||
guint i, j;
|
guint i;
|
||||||
wtap_optionblock_t wtapng_if_descr;
|
wtap_optionblock_t wtapng_if_descr;
|
||||||
wtap_optionblock_t if_stats;
|
|
||||||
wtapng_if_descr_mandatory_t* wtapng_if_descr_mand;
|
|
||||||
|
|
||||||
wtap_sequential_close(wth);
|
wtap_sequential_close(wth);
|
||||||
|
|
||||||
|
@ -1205,11 +1203,6 @@ wtap_close(wtap *wth)
|
||||||
|
|
||||||
for(i = 0; i < wth->interface_data->len; i++) {
|
for(i = 0; i < wth->interface_data->len; i++) {
|
||||||
wtapng_if_descr = g_array_index(wth->interface_data, wtap_optionblock_t, i);
|
wtapng_if_descr = g_array_index(wth->interface_data, wtap_optionblock_t, i);
|
||||||
wtapng_if_descr_mand = (wtapng_if_descr_mandatory_t*)wtap_optionblock_get_mandatory_data(wtapng_if_descr);
|
|
||||||
for(j = 0; j < wtapng_if_descr_mand->num_stat_entries; j++) {
|
|
||||||
if_stats = g_array_index(wtapng_if_descr_mand->interface_statistics, wtap_optionblock_t, j);
|
|
||||||
wtap_optionblock_free(if_stats);
|
|
||||||
}
|
|
||||||
wtap_optionblock_free(wtapng_if_descr);
|
wtap_optionblock_free(wtapng_if_descr);
|
||||||
}
|
}
|
||||||
g_array_free(wth->interface_data, TRUE);
|
g_array_free(wth->interface_data, TRUE);
|
||||||
|
|
|
@ -155,16 +155,21 @@ static void wtap_optionblock_free_options(wtap_optionblock_t block)
|
||||||
|
|
||||||
void wtap_optionblock_free(wtap_optionblock_t block)
|
void wtap_optionblock_free(wtap_optionblock_t block)
|
||||||
{
|
{
|
||||||
|
guint j;
|
||||||
|
wtap_optionblock_t if_stats;
|
||||||
|
|
||||||
if (block != NULL)
|
if (block != NULL)
|
||||||
{
|
{
|
||||||
/* Need special consideration for freeing of the interface_statistics member */
|
/* Need special consideration for freeing of the interface_statistics member */
|
||||||
if (block->type == WTAP_OPTION_BLOCK_IF_DESCR)
|
if (block->type == WTAP_OPTION_BLOCK_IF_DESCR)
|
||||||
{
|
{
|
||||||
wtapng_if_descr_mandatory_t* mand = (wtapng_if_descr_mandatory_t*)block->mandatory_data;
|
wtapng_if_descr_mandatory_t* mand = (wtapng_if_descr_mandatory_t*)block->mandatory_data;
|
||||||
if (mand->num_stat_entries != 0)
|
for(j = 0; j < mand->num_stat_entries; j++) {
|
||||||
{
|
if_stats = g_array_index(mand->interface_statistics, wtap_optionblock_t, j);
|
||||||
g_array_free(mand->interface_statistics, TRUE);
|
wtap_optionblock_free(if_stats);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
g_array_free(mand->interface_statistics, TRUE);
|
||||||
}
|
}
|
||||||
|
|
||||||
g_free(block->mandatory_data);
|
g_free(block->mandatory_data);
|
||||||
|
|
Loading…
Reference in New Issue