NFS: Fix hash table key memory corruption
When the same (as determined by key_equal_func) key gets added to the GHashTable, old value gets freed and replaced with the new one. This is fine for hash tables where the key validity is not tightly coupled to the actual data. In the nfs_name_snoop_matched hash table the key becomes invalid once the value gets destroyed (because it shares the data pointed to by fh, which gets freed once the value is destroyed). A problematic capture includes packets such that the matching fh gets added twice to the nfs_name_snoop_matched hash table. Prior to this change the hash table would end up in a state where the new value is associated with the old key (which contains pointer to already freed memory). According to the nfs_name_snoop_matched_equal(), the old key was equal to the key intended for new value *at the time* of insertion. This change fixes the bug by using g_hash_table_replace() which does update the key in case it already exists in the GHashTable. Bug: 16017 Bug: 16019 Change-Id: Ib3943f1e27e82c05d9abaa1e436554b37a98488e Reviewed-on: https://code.wireshark.org/review/34360 Reviewed-by: Michael Mann <mmann78@netscape.net> Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit is contained in:
Tomasz Moń
Anders Broman
parent
35056a6033
commit
efe2926a66
|
|
@ -1211,7 +1211,7 @@ nfs_name_snoop_add_fh(int xid, tvbuff_t *tvb, int fh_offset, int fh_length)
|
|||
key->fh = nns->fh;
|
||||
|
||||
g_hash_table_steal(nfs_name_snoop_unmatched, GINT_TO_POINTER(xid));
|
||||
g_hash_table_insert(nfs_name_snoop_matched, key, nns);
|
||||
g_hash_table_replace(nfs_name_snoop_matched, key, nns);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue