Wireshark-commits: [Wireshark-commits] master 5831501: extcap: fix use-after-free for preferences
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=583150198b78c84d043455b0afcca58a9659eab3
Submitter: Roland Knall (rknall@xxxxxxxxx)
Changed: branch: master
Repository: wireshark
Commits:
5831501 by Peter Wu (peter@xxxxxxxxxxxxx):
extcap: fix use-after-free for preferences

In commit v2.3.0rc0-117-g485bc45 (backported to v2.2.0rc0-44-g66721ca),
extcap_prefs_dynamic_vals and extcap_cleanup were added in an attempt to
address dangling pointers.

Unfortunately it is not sufficient:

- A pointer to the preference value is stored in extcap_arg and passed
  to the prefs API, but this extcap_arg structure can become invalid
  which results in use-after-free whenever the preference is accessed.
- On exit, a use-after-free occurs in prefs_cleanup when the preference
  value is being checked.

As the preference subsystem actually manages the memory for the string
value and consumers should only provide a pointer where the value can be
stored, convert the char* field in extcap to char**. This has as an
additional benefit that values are not limited to 256 bytes anymore.

extcap_cleanup is moved after epan_cleanup to ensure that prefs_cleanup
does not operate on dangling pointers.

Crash is reproducible under ASAN with: tshark -i randpkt

Ping-Bug: 12183
Change-Id: Ibf1ba1102a5633aa085dc278a12ffc05a4f4a34b
Reviewed-on: https://code.wireshark.org/review/17631
Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@xxxxxxxxxxxxx>
Reviewed-by: Roland Knall <rknall@xxxxxxxxx>
Actions performed:
from b82695d WiX: Add a warning and increase compression.
adds 5831501 extcap: fix use-after-free for preferences
Summary of changes:
extcap.c | 73 ++++++++++++++++++++++++----------------
extcap.h | 4 +++
extcap_parser.h | 2 +-
rawshark.c | 16 +++------
tfshark.c | 20 +++--------
tshark.c | 20 +++--------
ui/gtk/main.c | 6 ++--
ui/qt/extcap_argument.cpp | 28 +++++++++------
ui/qt/extcap_argument_file.cpp | 6 ++--
wireshark-qt.cpp | 6 ++--
10 files changed, 87 insertions(+), 94 deletions(-)
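
The ownership rule described in the commit message, as an added example that is not part of the commit or of Wireshark's code: a toy preference registry owns the string and only borrows the caller's `char **` slot, so freeing the argument struct leaves nothing dangling as long as the slot storage is released after preference cleanup. All names (`toy_*`, `dup_str`, `demo_lifetime`, `value_slot`) are hypothetical.

```c
/* Added illustration: toy_* names are hypothetical, not Wireshark's prefs/extcap API. */
#include <stdlib.h>
#include <string.h>

#define MAX_PREFS 8
static char **registry[MAX_PREFS];  /* registry remembers each caller's slot address */
static size_t n_prefs;

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* The registry owns the string; the caller only supplies where to store it. */
static int toy_pref_register(char **slot, const char *def) {
    if (n_prefs == MAX_PREFS || (*slot = dup_str(def)) == NULL) return -1;
    registry[n_prefs] = slot;
    return (int)n_prefs++;
}

static int toy_pref_set(int id, const char *value) {
    char *copy = dup_str(value);    /* heap copy, so no fixed-size limit */
    if (copy == NULL) return -1;
    free(*registry[id]);
    *registry[id] = copy;
    return 0;
}

/* Dereferences every registered slot, so the slots must still be alive here. */
static void toy_prefs_cleanup(void) {
    for (size_t i = 0; i < n_prefs; i++) { free(*registry[i]); *registry[i] = NULL; }
    n_prefs = 0;
}

struct toy_arg { char **value_slot; };  /* refers to the slot, does not contain it */

/* Returns the length read back after the argument struct is freed, or -1. */
static long demo_lifetime(const char *value) {
    char **slot = calloc(1, sizeof *slot);   /* long-lived slot storage */
    struct toy_arg *arg = malloc(sizeof *arg);
    if (!slot || !arg) { free(slot); free(arg); return -1; }
    arg->value_slot = slot;
    int id = toy_pref_register(arg->value_slot, "");
    free(arg);                      /* argument struct goes away first */
    long len = (id >= 0 && toy_pref_set(id, value) == 0) ? (long)strlen(*slot) : -1;
    toy_prefs_cleanup();            /* preference cleanup next ... */
    free(slot);                     /* ... slot storage released last */
    return len;
}

int main(void) { return demo_lifetime("constructed-value") == 17 ? 0 : 1; }
```

Had the registry been handed the address of a field inside `struct toy_arg`, both `toy_pref_set` and `toy_prefs_cleanup` would touch freed memory after `free(arg)`, which is the class of access ASAN reports.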