Wireshark-commits: [Wireshark-commits] master e9376e4: h225: Fix use after free.

From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Mon, 12 Feb 2018 16:49:05 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e9376e47307daf4dd81658b8d0c356e0936b692c
Submitter: Anders Broman (a.broman58@xxxxxxxxx)
Changed: branch: master
Repository: wireshark

Commits:

e9376e4 by Jakub Zawadzki (darkjames-ws@xxxxxxxxxxxx):

    h225: Fix use after free.
    
    next_tvb_add_handle() allocates memory in packet scope.
    When dissecting another packet from dissect_h225_h225_RasMessage() handler [it don't call next_tvb_init()]
    next_tvb_add_handle() will write to freed pointer.
    
    Fix by calling next_tvb_init() after leaving scope in order to clear list->last pointer.
    
    ASAN report:
    ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000854f0 at pc 0x00000208574a bp 0x7ffca839cf00 sp 0x7ffca839cef8
    WRITE of size 8 at 0x6070000854f0 thread T0
        #0 0x2085749 in next_tvb_add_handle /src/wireshark/epan/next_tvb.c
        #1 0xef8728 in dissect_h225_ParallelH245Control_item /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:368:3
    (...)
        #21 0x168f460 in dissect_per_sequence /src/wireshark/epan/dissectors/packet-per.c:1920:12
        #22 0xef31d3 in dissect_h225_InfoRequestResponse /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:910:12
        #23 0x168e7db in dissect_per_choice /src/wireshark/epan/dissectors/packet-per.c
        #24 0xeed6e3 in dissect_h225_RasMessage /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:298:12
        #25 0xef97af in dissect_RasMessage_PDU /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:339:12
        #26 0xeef872 in dissect_h225_h225_RasMessage /src/wireshark/epan/dissectors/./asn1/h225/packet-h225-template.c:385:12
    
    0x6070000854f0 is located 0 bytes inside of 72-byte region [0x6070000854f0,0x607000085538)
    freed by thread T0 here:
        #0 0x4e2528 in __interceptor_cfree.localalias.0 /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:76
        #1 0x21263a1 in wmem_simple_free_all /src/wireshark/epan/wmem/wmem_allocator_simple.c:107:9
        #2 0x205aa4d in wmem_leave_packet_scope /src/wireshark/epan/wmem/wmem_scopes.c:81:5
    (...)
    
    previously allocated by thread T0 here:
        #0 0x4e26e8 in __interceptor_malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
        #1 0x225c588 in g_malloc (/out/fuzzshark_test+0x225c588)
        #2 0x20855e0 in next_tvb_add_handle /src/wireshark/epan/next_tvb.c:40:10
        #3 0xef8728 in dissect_h225_ParallelH245Control_item /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:368:3
    
    Found by oss-fuzz/5921
    
    Change-Id: Iea006914a9e0c433d2073f6f4c7a2973d5a33a11
    Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5921
    Reviewed-on: https://code.wireshark.org/review/25593
    Petri-Dish: Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
    

Actions performed:

    from  27b571e   NBAP: copy address in pinfo->pool
    adds  e9376e4   h225: Fix use after free.


Summary of changes:
 epan/dissectors/asn1/h225/packet-h225-template.c | 12 ++++++++++++
 epan/dissectors/packet-h225.c                    | 22 +++++++++++++++++-----
 2 files changed, 29 insertions(+), 5 deletions(-)