URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5f7ba271eccca43b7ef6663f4c8960556f84676c
Submitter: "Peter Wu <peter@xxxxxxxxxxxxx>"
Changed: branch: master-2.4
Repository: wireshark
Commits:
5f7ba27 by Peter Wu (peter@xxxxxxxxxxxxx):
wsutil: fix crash due to corruption of the "small_buffers" array
Gracefully handle repeated calls of ws_buffer_free on the same buffer to
avoid strange crashes in other new users that allocate a "small" buffer.
The first call to ws_buffer_free would store data pointer in the
'small_buffers' array for reuse and set the pointer to NULL. Result:
(gdb) p cfile.rec.options_buf
$2 = {
data = 0x0,
allocated = 2048, // Oops, not modified!
start = 0,
first_free = 0
}
All users of Buffer (including ws_buffer_free) however asssume that
'allocated' reflects the actual size of 'data'. If this is not the case
(if ws_buffer_free is called again), then a data pointer (NULL!) will be
stored and the next ws_buffer_init request for a "small buffer" will
result in unexpected behavior (including crashes).
Fix the issue by clearing the 'allocated' field as well. Add assertions
to catch such issues earlier rather than crashing at random users of
these buffers (such as frame_tvbuff).
Bug: 15263
Change-Id: I0b491c3fccac8c6fddd43779629343d721638ca9
Reviewed-on: https://code.wireshark.org/review/31278
Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
(cherry picked from commit ae2a75233cec4e1286964963e6ac4ba936322cb1)
Reviewed-on: https://code.wireshark.org/review/31302
Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
Actions performed:
from cf10756 Happy New Year 2019!
add 5f7ba27 wsutil: fix crash due to corruption of the "small_buffers" array
Summary of changes:
wsutil/buffer.c | 3 +++
1 file changed, 3 insertions(+)