Wireshark-commits: [Wireshark-commits] master e9376e4: h225: Fix use after free.
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Mon, 12 Feb 2018 16:49:05 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e9376e47307daf4dd81658b8d0c356e0936b692c
Submitter: Anders Broman (a.broman58@xxxxxxxxx)
Changed: branch: master
Repository: wireshark

Commits:

e9376e4 by Jakub Zawadzki (darkjames-ws@xxxxxxxxxxxx):

    h225: Fix use after free.

    next_tvb_add_handle() allocates memory in packet scope.
    When dissecting another packet from dissect_h225_h225_RasMessage() handler [it doesn't call next_tvb_init()] next_tvb_add_handle() will write to freed pointer.

    Fix by calling next_tvb_init() after leaving scope in order to clear list->last pointer.

    ASAN report:

    ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000854f0 at pc 0x00000208574a bp 0x7ffca839cf00 sp 0x7ffca839cef8
    WRITE of size 8 at 0x6070000854f0 thread T0
        #0 0x2085749 in next_tvb_add_handle /src/wireshark/epan/next_tvb.c
        #1 0xef8728 in dissect_h225_ParallelH245Control_item /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:368:3
        (...)
        #21 0x168f460 in dissect_per_sequence /src/wireshark/epan/dissectors/packet-per.c:1920:12
        #22 0xef31d3 in dissect_h225_InfoRequestResponse /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:910:12
        #23 0x168e7db in dissect_per_choice /src/wireshark/epan/dissectors/packet-per.c
        #24 0xeed6e3 in dissect_h225_RasMessage /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:298:12
        #25 0xef97af in dissect_RasMessage_PDU /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:339:12
        #26 0xeef872 in dissect_h225_h225_RasMessage /src/wireshark/epan/dissectors/./asn1/h225/packet-h225-template.c:385:12

    0x6070000854f0 is located 0 bytes inside of 72-byte region [0x6070000854f0,0x607000085538)
    freed by thread T0 here:
        #0 0x4e2528 in __interceptor_cfree.localalias.0 /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:76
        #1 0x21263a1 in wmem_simple_free_all /src/wireshark/epan/wmem/wmem_allocator_simple.c:107:9
        #2 0x205aa4d in wmem_leave_packet_scope /src/wireshark/epan/wmem/wmem_scopes.c:81:5
        (...)

    previously allocated by thread T0 here:
        #0 0x4e26e8 in __interceptor_malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
        #1 0x225c588 in g_malloc (/out/fuzzshark_test+0x225c588)
        #2 0x20855e0 in next_tvb_add_handle /src/wireshark/epan/next_tvb.c:40:10
        #3 0xef8728 in dissect_h225_ParallelH245Control_item /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:368:3

    Found by oss-fuzz/5921

    Change-Id: Iea006914a9e0c433d2073f6f4c7a2973d5a33a11
    Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5921
    Reviewed-on: https://code.wireshark.org/review/25593
    Petri-Dish: Jakub Zawadzki <darkjames-ws@xxxxxxxxxxxx>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>

Actions performed:

    from  27b571e   NBAP: copy address in pinfo->pool
     adds  e9376e4   h225: Fix use after free.

Summary of changes:
 epan/dissectors/asn1/h225/packet-h225-template.c | 12 ++++++++++++
 epan/dissectors/packet-h225.c                    | 22 +++++++++++++++++-----
 2 files changed, 29 insertions(+), 5 deletions(-)
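The bug class behind this commit (a list head that keeps pointing into packet-scoped memory after the scope has been freed, so the next append writes through a dangling pointer) can be reproduced in a small self-contained model. The following C program is an added illustration, not Wireshark's code: the arena, its generation counter, `scope_ptr_is_live()`, and the `dissect_two_packets()` driver are constructed stand-ins for the wmem packet scope and for the `next_tvb_*` helpers, and the "stale pointer" return value stands in for the write that AddressSanitizer flagged. It shows the failing sequence (two packets dissected without `next_tvb_init()` in between) beside the fixed one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a packet-scoped bump allocator. Every allocation
 * carries the generation it was made in; leaving the scope poisons the
 * memory and bumps the generation, so stale pointers can be recognised.
 * (Assumption: this is a stand-in for wmem packet scope, not its code.) */
#define ARENA_SIZE 4096
typedef struct { unsigned generation; unsigned char pad[12]; } alloc_hdr_t; /* 16 bytes */

static _Alignas(16) unsigned char g_arena[ARENA_SIZE];
static struct { size_t used; unsigned generation; int live; } g_scope;

static void enter_packet_scope(void) { g_scope.used = 0; g_scope.live = 1; }

static void leave_packet_scope(void) {
    memset(g_arena, 0xAA, g_scope.used);   /* poison, like a freed heap block */
    g_scope.used = 0;
    g_scope.live = 0;
    g_scope.generation++;                  /* anything allocated before is now dead */
}

static void *scope_alloc(size_t sz) {
    size_t need = (sizeof(alloc_hdr_t) + sz + 15) & ~(size_t)15;
    if (!g_scope.live || g_scope.used + need > ARENA_SIZE) return NULL;
    alloc_hdr_t *h = (alloc_hdr_t *)(g_arena + g_scope.used);
    h->generation = g_scope.generation;
    g_scope.used += need;
    memset(h + 1, 0, sz);
    return h + 1;
}

/* Does p still point at a live block of the current packet scope?
 * This is the check ASAN performs implicitly via its shadow memory. */
static int scope_ptr_is_live(const void *p) {
    uintptr_t a = (uintptr_t)g_arena, x = (uintptr_t)p;
    if (x < a + sizeof(alloc_hdr_t) || x >= a + ARENA_SIZE) return 0;
    const alloc_hdr_t *h = (const alloc_hdr_t *)p - 1;
    return g_scope.live && h->generation == g_scope.generation;
}

/* Constructed stand-in for the next_tvb list: items live in packet scope,
 * the list head itself (first/last) lives in the dissector's static data. */
typedef struct next_tvb_item { struct next_tvb_item *next; int handle; } next_tvb_item_t;
typedef struct { next_tvb_item_t *first, *last; int count; } next_tvb_list_t;

static void next_tvb_init(next_tvb_list_t *l) { memset(l, 0, sizeof *l); }

/* Returns 0 on success, -1 if it would write through a stale list->last
 * (the "WRITE of size 8" in the report), -2 if the scope is exhausted. */
static int next_tvb_add_handle(next_tvb_list_t *l, int handle) {
    if (l->last && !scope_ptr_is_live(l->last)) return -1;
    next_tvb_item_t *item = scope_alloc(sizeof *item);
    if (!item) return -2;
    item->handle = handle;
    if (l->last) l->last->next = item; else l->first = item;
    l->last = item;
    l->count++;
    return 0;
}

/* Packet 1 appends two handles, the scope is torn down, then packet 2 is
 * dissected. Without the reset, list->last still points into the freed
 * scope; with next_tvb_init() after leaving the scope (the commit's fix),
 * the second packet starts from an empty list. */
static int dissect_two_packets(int reset_after_scope) {
    next_tvb_list_t list;
    next_tvb_init(&list);

    enter_packet_scope();
    next_tvb_add_handle(&list, 1);
    next_tvb_add_handle(&list, 2);
    leave_packet_scope();

    if (reset_after_scope) next_tvb_init(&list);   /* the fix */

    enter_packet_scope();
    int rc = next_tvb_add_handle(&list, 3);
    leave_packet_scope();
    return rc;
}

int main(void) {
    printf("without next_tvb_init() after scope exit: %d\n", dissect_two_packets(0));
    printf("with    next_tvb_init() after scope exit: %d\n", dissect_two_packets(1));
    return 0;
}
```

The model poisons freed memory so the stale header never matches the live generation; on a real heap the slot may be reused and the write silently corrupts whatever landed there, which is why this class of defect is usually only caught under AddressSanitizer or by fuzzing, as it was here.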