Wireshark-commits: [Wireshark-commits] master-2.6 8559b09: wsutil: fix crash due to corruption of t

From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Wed, 02 Jan 2019 11:55:03 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8559b09065973aab232173f8cf43fc73d46e29a1
Submitter: "Peter Wu <peter@xxxxxxxxxxxxx>"
Changed: branch: master-2.6
Repository: wireshark

Commits:

8559b09 by Peter Wu (peter@xxxxxxxxxxxxx):

    wsutil: fix crash due to corruption of the "small_buffers" array
    
    Gracefully handle repeated calls of ws_buffer_free on the same buffer to
    avoid strange crashes in other new users that allocate a "small" buffer.
    
    The first call to ws_buffer_free would store data pointer in the
    'small_buffers' array for reuse and set the pointer to NULL. Result:
    
        (gdb) p cfile.rec.options_buf
        $2 = {
          data = 0x0,
          allocated = 2048,     // Oops, not modified!
          start = 0,
          first_free = 0
        }
    
    All users of Buffer (including ws_buffer_free) however assume that
    'allocated' reflects the actual size of 'data'. If this is not the case
    (if ws_buffer_free is called again), then a data pointer (NULL!) will be
    stored and the next ws_buffer_init request for a "small buffer" will
    result in unexpected behavior (including crashes).
    
    Fix the issue by clearing the 'allocated' field as well. Add assertions
    to catch such issues earlier rather than crashing at random users of
    these buffers (such as frame_tvbuff).
    
    Bug: 15263
    Change-Id: I0b491c3fccac8c6fddd43779629343d721638ca9
    Reviewed-on: https://code.wireshark.org/review/31278
    Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
    (cherry picked from commit ae2a75233cec4e1286964963e6ac4ba936322cb1)
    Reviewed-on: https://code.wireshark.org/review/31301
    Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
    

Actions performed:

    from  f184e2a   Qt: Pluralize "Copy Row(s)"
     add  8559b09   wsutil: fix crash due to corruption of the "small_buffers" array


Summary of changes:
 wsutil/buffer.c | 3 +++
 1 file changed, 3 insertions(+)
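
The failure mode described in the commit message, as an added example: a simplified C model of a small-buffer pool, not Wireshark's wsutil/buffer.c. The names model_init, model_free, poisoned_after_double_free and the pool depth POOL_MAX are hypothetical; only Buffer's fields and the 2048-byte size come from the message above.

```c
#include <stdio.h>
#include <stdlib.h>

#define SMALL_SIZE 2048  /* matches 'allocated = 2048' in the gdb output */
#define POOL_MAX   3     /* assumed pool depth for this model */

typedef struct { unsigned char *data; size_t allocated, start, first_free; } Buffer;

static unsigned char *small_buffers[POOL_MAX];  /* cached blocks awaiting reuse */
static int small_count;

/* Hand out a cached block if one is pooled, otherwise allocate a fresh one. */
void model_init(Buffer *b) {
    b->data = small_count > 0 ? small_buffers[--small_count] : malloc(SMALL_SIZE);
    b->allocated = SMALL_SIZE;
    b->start = b->first_free = 0;
}

/* clear_allocated = 0 models the behaviour before the fix, 1 the behaviour after. */
void model_free(Buffer *b, int clear_allocated) {
    if (b->allocated == SMALL_SIZE && small_count < POOL_MAX) {
        small_buffers[small_count++] = b->data;  /* a second call stores NULL here */
        b->data = NULL;
        if (clear_allocated) b->allocated = 0;   /* the field the fix resets */
        return;
    }
    free(b->data);  /* free(NULL) is a no-op, so a repeated call is harmless */
    b->data = NULL;
    b->allocated = 0;
}

/* Free one buffer twice, then request a new small buffer. Returns 1 when the
 * new buffer claims SMALL_SIZE bytes while its data pointer is NULL. */
int poisoned_after_double_free(int clear_allocated) {
    Buffer a, b;
    small_count = 0;
    model_init(&a);
    model_free(&a, clear_allocated);
    model_free(&a, clear_allocated);  /* repeated call on the same buffer */
    model_init(&b);
    int poisoned = (b.data == NULL && b.allocated == SMALL_SIZE);
    free(b.data);
    while (small_count > 0) free(small_buffers[--small_count]);
    return poisoned;
}

int main(void) {
    printf("before fix: poisoned=%d\n", poisoned_after_double_free(0));
    printf("after fix:  poisoned=%d\n", poisoned_after_double_free(1));
    return 0;
}
```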