Pascal Quantin changed bug 10729

Comment # 1 on bug 10729 from Pascal Quantin

This crash is a side effect of ge3a04bb (Ensure dissector data parameter is
used instead of pinfo->private_data when passing data between dissectors using
the "media_type" subdissector).

HTTP dissector is passing the media_str as "data" parameter:

    if (headers.content_type_parameters)
        media_str = wmem_strdup(wmem_packet_scope(),
                                headers.content_type_parameters);
    [...]
    dissected = call_dissector_only(handle, next_tvb, pinfo, tree,
                                    media_str);

while the xml dissector assumes that if data parameter is not NULL, it means
that it can store a pointer in it:

    xml_frame_t **ret_frame = (xml_frame_t**)data;
    [...]
    if (ret_frame != NULL)
        *ret_frame = current_frame; /* pass XML structure to the dissector calling XML */

It leads to the storage of 8 bytes (on a Linux x64 machine) in a 4 bytes long
dynamic memory block, which corrupts the memory.
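
The mismatch described in the comment above, as an added example that is not part of the original comment and is neither Wireshark's code nor its fix: a tagged wrapper lets the callee refuse to store a pointer when the caller passed a string. `dissector_data_t`, `data_kind_t`, all function names and the `"a=b"` parameter string are hypothetical, constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for xml_frame_t; only its pointer size matters here. */
typedef struct xml_frame { int depth; } xml_frame_t;

/* Hypothetical tag saying what the void *data argument really carries. */
typedef enum { DATA_MEDIA_STR, DATA_XML_FRAME_OUT } data_kind_t;
typedef struct {
    data_kind_t kind;
    union {
        const char   *media_str;  /* input: Content-Type parameters */
        xml_frame_t **ret_frame;  /* output: where the callee may store a frame */
    } u;
} dissector_data_t;

static xml_frame_t current_frame = { 1 };

/* Bytes written past the block if a pointer were stored into the string's
 * own allocation (strlen + 1 bytes), as the unchecked cast does. */
size_t unchecked_store_overrun(const char *media_str) {
    size_t block = strlen(media_str) + 1;
    return sizeof(xml_frame_t *) > block ? sizeof(xml_frame_t *) - block : 0;
}

/* Checked callee: writes only when the caller asked for a frame. */
int xml_store_frame_checked(void *data) {
    dissector_data_t *d = data;
    if (d == NULL || d->kind != DATA_XML_FRAME_OUT || d->u.ret_frame == NULL)
        return 0;                      /* string or nothing: do not write */
    *d->u.ret_frame = &current_frame;
    return 1;
}

/* Constructed caller mirroring the HTTP path: passes a string, not an out-pointer. */
int http_like_call(const char *media_str) {
    dissector_data_t d = { DATA_MEDIA_STR, { media_str } };
    return xml_store_frame_checked(&d);
}

/* Constructed caller that does want the parsed frame back. */
xml_frame_t *frame_requesting_call(void) {
    xml_frame_t *out = NULL;
    dissector_data_t d = { DATA_XML_FRAME_OUT, { .ret_frame = &out } };
    return xml_store_frame_checked(&d) ? out : NULL;
}

int main(void) { return http_like_call("a=b") == 0 && frame_requesting_call() ? 0 : 1; }
```

The tag only helps if every caller of the subdissector wraps its argument the same way; a raw `char *` passed as `data` would still be misread.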