https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3495
--- Comment #29 from Bill Meier <wmeier@xxxxxxxxxxx> 2011-12-15 15:00:21 EST ---
Tobias:
I've been reviewing all the Wireshark uses of tvb_new_real_data().
While looking at packet-rlc.c I noticed the following:
sdu->tvb = tvb_new_real_data(sdu->data, sdu->len, sdu->len);
tvb_set_child_real_data_tvbuff(tvb, sdu->tvb);
Looking just a bit more, I get the impression that the tvb is saved in a hash
table for later use (when dissecting this frame at another time or when
dissecting another frame).
Is my impression correct?
(If yes, I would have expected crashes, so maybe my impression is wrong...)
If yes, I expect there's a problem:
Because of the tvb_set_child_real_data() call, the tvb will be freed when
dissection of *this* frame is complete and the "top-level" tvb is freed. Any
saved references to any tvbs which are children of the top-level tvb will be
stale.
(Actually: thinking about this a bit more: there are some bugs in the tvbuff
code related to the use of REAL_DATA tvbs such that it's possible that the
tvb(s) never actually get(s) freed when the dissection of the frame completes.
These bugs are about to be fixed).
Notes:
1. The current version of packet-rlc.c actually uses tvb_new_child_real_data()
(which is the equivalent of the above two lines of code).
2. In general:
- tvbs can be created with tvb_new_real_data and saved as the dissector
wishes. The dissector must then free up the tvbs via an init fcn.
(Unfortunately there's no se_tvb_new...() function. Maybe there should
be.)
or
- tvbs for saved data can be created as needed when dissecting a
specific frame based upon saved pointers to the data. (That is: save
just the data not the tvbs pointing to the data).
Bill
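The lifetime problem described in the comment, as an added model written for this page: it is not Wireshark code, and the model_* functions only stand in for tvb_new_real_data()/tvb_set_child_real_data_tvbuff() so it can run without libwireshark. It contrasts keeping the child tvb across frames (stale after the frame's top-level tvb is freed) with keeping only the data pointer and building a tvb per frame, the second pattern from note 2; the SDU bytes are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Model of tvbuff ownership (not Wireshark's code): a real-data tvb chained
   under a parent is freed with the top-level tvb at the end of the frame's
   dissection. "Freeing" only sets a flag so a stale pointer can be checked. */
typedef struct model_tvb {
    const uint8_t *data;
    size_t len;
    struct model_tvb *child;  /* one child suffices for the model */
    int freed;
} model_tvb;

/* Stand-ins for tvb_new_real_data() and tvb_set_child_real_data_tvbuff(). */
static model_tvb *model_new_real_data(model_tvb *t, const uint8_t *d, size_t n) {
    t->data = d; t->len = n; t->child = NULL; t->freed = 0;
    return t;
}
static void model_set_child(model_tvb *parent, model_tvb *c) { parent->child = c; }
static void model_free_chain(model_tvb *top) {         /* end of dissection */
    for (model_tvb *t = top; t; t = t->child) t->freed = 1;
}

/* Constructed SDU bytes whose lifetime spans frames (like data in a hash table). */
static const uint8_t sdu_data[] = {0x01, 0x02, 0x03, 0x04};
static model_tvb *saved_tvb;       /* wrong: the child tvb itself is kept */
static const uint8_t *saved_data;  /* right: only the data pointer is kept */
static size_t saved_len;

/* Each call dissects one frame and returns 1 if what the previous frame saved
   is still usable, 0 if it is stale (the first call always returns 1). */
int dissect_saving_tvb(void) {
    static model_tvb top, child;
    int prev_ok = saved_tvb ? !saved_tvb->freed : 1;
    model_new_real_data(&top, sdu_data, sizeof sdu_data);
    saved_tvb = model_new_real_data(&child, sdu_data, sizeof sdu_data);
    model_set_child(&top, saved_tvb);
    model_free_chain(&top);        /* saved_tvb now refers to a freed tvb */
    return prev_ok;
}
int dissect_saving_data(void) {
    static model_tvb top, rebuilt;
    int prev_ok = 1;
    if (saved_data) {              /* build a tvb for this frame only */
        model_new_real_data(&top, sdu_data, sizeof sdu_data);
        model_set_child(&top, model_new_real_data(&rebuilt, saved_data, saved_len));
        prev_ok = memcmp(rebuilt.data, sdu_data, rebuilt.len) == 0;
        model_free_chain(&top);    /* rebuilt tvb dies with the frame; data survives */
    }
    saved_data = sdu_data; saved_len = sizeof sdu_data;
    return prev_ok;
}
```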