author | Peter Wu <peter@lekensteyn.nl> | 2017-02-27 23:47:11 +0100 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2017-02-28 19:05:50 +0000 |
commit | 3c6900f31fcfed080d165b581ccef8f022109491 (patch) | |
tree | 4bff36531ad22eca322a73cd99cbf554a2a27c0b /epan/radius_dict.l | |
parent | 87b7242e69845db13daf570101903521e17cfd50 (diff) | |
radius: fix use-after-free after recent memleak fixes
The same data is referenced by the ID-to-name and name-to-ID mapping, so
make sure that the ID mapping is the one responsible for it (as the name
mapping is just used for duplicate detection and while parsing dictionary files).
Still to be done is fixing duplicate attribute numbers (by adding
support for OIDs and changing TLV attribute type IDs to OIDs) and fixing
duplicate attribute names (by prefixing the Vendor Names to them).
Also not handled is fixing Value memleaks.
Reproducers of the crash under ASAN:
tshark -G fields >/dev/null
tshark -r radius-ms-mppe-etrl-bug.cap (from bug 796)
Change-Id: Ifa4055901072bc830e19fe06937af67ce524a3be
Fixes: v2.3.0rc0-2536-gd4cf57100c ("Free radius dissector memory on shutdown")
Reviewed-on: https://code.wireshark.org/review/20307
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/radius_dict.l')
-rw-r--r-- | epan/radius_dict.l | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/epan/radius_dict.l b/epan/radius_dict.l
index 2b8b9bfd31..eb0dfdce74 100644
--- a/epan/radius_dict.l
+++ b/epan/radius_dict.l
@@ -523,10 +523,10 @@ static gboolean add_attribute(Radius_scanner_state_t* state, const gchar* name,
 */
 if (g_strcmp0(a->name, name) != 0) {
 /*
- * Yes. Remove the entry from the by-name hash table
+ * Yes. Steal the entry from the by-name hash table
 * and re-insert it with the new name.
 */
- g_hash_table_remove(state->dict->attrs_by_name, (gpointer) (a->name));
+ g_hash_table_steal(state->dict->attrs_by_name, (gpointer) (a->name));
 g_free((gpointer) a->name);
 a->name = g_strdup(name);
 g_hash_table_insert(state->dict->attrs_by_name, (gpointer) (a->name),a);
@@ -554,7 +554,7 @@ static gboolean add_tlv(Radius_scanner_state_t* state, const gchar* name, const
 if (! a->tlvs_by_id) {
- a->tlvs_by_id = g_hash_table_new(g_direct_hash,g_direct_equal);
+ a->tlvs_by_id = g_hash_table_new_full(g_direct_hash, g_direct_equal, NULL, free_radius_attr_info);
 }
 code = (guint32) strtoul(codestr, NULL, 10); |
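Review bot: The updated comment above `g_hash_table_steal()` names the new call but not the reason for it, and the reason is what stops a later cleanup from switching it back to `g_hash_table_remove()`. Wording such as `* Yes. Steal (rather than remove) the entry so that no destroy notifier runs on 'a', which the by-ID table still references,` would record that. It would also explain why the manual `g_free((gpointer) a->name)` on the next line is still needed, since a stolen key is not freed by the table. add_attribute starts and ends outside this hunk, and the construction of `attrs_by_name` is not visible here, so its destroy notifiers are inferred from the commit message.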
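Review bot: Creating `tlvs_by_id` with `free_radius_attr_info` as its value destroy notifier changes what a later `g_hash_table_insert()` into it does. Inserting a code that is already present would now free the previous entry, and any by-name table still holding that pointer would be left dangling. The commit message lists duplicate attribute numbers as still open, so the insert path further down in add_tlv (outside this hunk) should look the code up first and reject or report a duplicate, if it does not already. A short comment at the allocation, e.g. `/* tlvs_by_id owns the TLV entries; by-name tables only borrow them */`, would state the ownership rule where it is set.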