author | Evan Huus <eapache@gmail.com> | 2013-07-25 23:58:49 +0000 |
---|---|---|
committer | Evan Huus <eapache@gmail.com> | 2013-07-25 23:58:49 +0000 |
commit | 8441fff193a094e8907b0d7026f87e15600436dc (patch) | |
tree | 51a98634c61a4042511d4144ab53e283217c6e1e | |
parent | a05f55bffc2bc7d52d3f35370a7ae1eea2b75839 (diff) | |
Use the pinfo pool for adding data sources in the h245 dissector. The packet
pool is freed before the packet is displayed or otherwise processed, so adding
data sources from it leads to use-after-free errors.
Not sure why this wasn't showing up in the fuzz-bot valgrind step, there
are lots of h245 captures in the menagerie...
svn path=/trunk/; revision=50897
-rw-r--r-- | asn1/h245/h245.cnf | 10 | ||||
-rw-r--r-- | epan/dissectors/packet-h245.c | 10 |
2 files changed, 10 insertions, 10 deletions
diff --git a/asn1/h245/h245.cnf b/asn1/h245/h245.cnf
index f5de35e079..01bb44b489 100644
--- a/asn1/h245/h245.cnf
+++ b/asn1/h245/h245.cnf
@@ -775,7 +775,7 @@ if (h245_pi != NULL)
 %(DEFAULT_BODY)s
 gefx = gef_ctx_get(actx->private_data);
 if (gefx) {
- buf = wmem_new(wmem_packet_scope(), guint8);
+ buf = wmem_new(actx->pinfo->pool, guint8);
 buf[0] = value;
 value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint8), sizeof(guint8));
 /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %%s", gefx->key);*/
@@ -792,7 +792,7 @@ if (h245_pi != NULL)
 %(DEFAULT_BODY)s
 gefx = gef_ctx_get(actx->private_data);
 if (gefx) {
- buf = (guint8 *)wmem_new(wmem_packet_scope(), guint16);
+ buf = (guint8 *)wmem_new(actx->pinfo->pool, guint16);
 phtons(buf, value);
 value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint16), sizeof(guint16));
 /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %%s", gefx->key);*/
@@ -809,7 +809,7 @@ if (h245_pi != NULL)
 %(DEFAULT_BODY)s
 gefx = gef_ctx_get(actx->private_data);
 if (gefx) {
- buf = (guint8 *)wmem_new(wmem_packet_scope(), guint16);
+ buf = (guint8 *)wmem_new(actx->pinfo->pool, guint16);
 phtons(buf, value);
 value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint16), sizeof(guint16));
 /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %%s", gefx->key);*/
@@ -826,7 +826,7 @@ if (h245_pi != NULL)
 %(DEFAULT_BODY)s
 gefx = gef_ctx_get(actx->private_data);
 if (gefx) {
- buf = (guint8 *)wmem_new(wmem_packet_scope(), guint32);
+ buf = (guint8 *)wmem_new(actx->pinfo->pool, guint32);
 phtonl(buf, value);
 value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint32), sizeof(guint32));
 /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %%s", gefx->key);*/
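Review bot: The new allocation in the hunk at -775 carries no hint that the pool choice is a lifetime requirement, so a later cleanup could switch it back to packet scope and reintroduce the use-after-free the commit message describes. A short comment above `buf = wmem_new(actx->pinfo->pool, guint8);` would pin the reason, for example `/* buf backs value_tvb, which is handed on as a data source: allocate from pinfo->pool so it outlives packet scope */`. The same applies to the hunks at -792, -809, -826 and -843, and to the matching functions in packet-h245.c, which looks like the generated counterpart of this file. The FN_BODY blocks start and end outside the hunks, so the call that registers the data source is not visible here and that part is taken from the commit message.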
@@ -843,7 +843,7 @@ if (h245_pi != NULL)
 %(DEFAULT_BODY)s
 gefx = gef_ctx_get(actx->private_data);
 if (gefx) {
- buf = (guint8 *)wmem_new(wmem_packet_scope(), guint32);
+ buf = (guint8 *)wmem_new(actx->pinfo->pool, guint32);
 phtonl(buf, value);
 value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint32), sizeof(guint32));
 /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %%s", gefx->key);*/
diff --git a/epan/dissectors/packet-h245.c b/epan/dissectors/packet-h245.c
index d7b69731fc..e73a1c15f5 100644
--- a/epan/dissectors/packet-h245.c
+++ b/epan/dissectors/packet-h245.c
@@ -3709,7 +3709,7 @@ dissect_h245_T_booleanArray(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx
 gefx = gef_ctx_get(actx->private_data);
 if (gefx) {
- buf = wmem_new(wmem_packet_scope(), guint8);
+ buf = wmem_new(actx->pinfo->pool, guint8);
 buf[0] = value;
 value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint8), sizeof(guint8));
 /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %s", gefx->key);*/
@@ -3736,7 +3736,7 @@ dissect_h245_T_unsignedMin(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _
 gefx = gef_ctx_get(actx->private_data);
 if (gefx) {
- buf = (guint8 *)wmem_new(wmem_packet_scope(), guint16);
+ buf = (guint8 *)wmem_new(actx->pinfo->pool, guint16);
 phtons(buf, value);
 value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint16), sizeof(guint16));
 /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %s", gefx->key);*/
@@ -3763,7 +3763,7 @@ dissect_h245_T_unsignedMax(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _
 gefx = gef_ctx_get(actx->private_data);
 if (gefx) {
- buf = (guint8 *)wmem_new(wmem_packet_scope(), guint16);
+ buf = (guint8 *)wmem_new(actx->pinfo->pool, guint16);
 phtons(buf, value);
 value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint16), sizeof(guint16));
 /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %s", gefx->key);*/
@@ -3790,7 +3790,7 @@ dissect_h245_T_unsigned32Min(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx
 gefx = gef_ctx_get(actx->private_data);
 if (gefx) {
- buf = (guint8 *)wmem_new(wmem_packet_scope(), guint32);
+ buf = (guint8 *)wmem_new(actx->pinfo->pool, guint32);
 phtonl(buf, value);
 value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint32), sizeof(guint32));
 /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %s", gefx->key);*/
@@ -3817,7 +3817,7 @@ dissect_h245_T_unsigned32Max(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx
 gefx = gef_ctx_get(actx->private_data);
 if (gefx) {
- buf = (guint8 *)wmem_new(wmem_packet_scope(), guint32);
+ buf = (guint8 *)wmem_new(actx->pinfo->pool, guint32);
 phtonl(buf, value);
 value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint32), sizeof(guint32));
 /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %s", gefx->key);*/ |