Wireshark-commits: [Wireshark-commits] master-2.6 e1deea1: Q.931: fix use-after-free (write) of "q9
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Mon, 14 May 2018 08:04:17 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e1deea1169812ea5ccda2c2e9bd4c55c231f8430
Submitter: Peter Wu (peter@xxxxxxxxxxxxx)
Changed: branch: master-2.6
Repository: wireshark

Commits:

e1deea1 by Peter Wu (peter@xxxxxxxxxxxxx):

    Q.931: fix use-after-free (write) of "q931_pi"
    
    The dissect_q931_number_ie (and indirectly dissect_q931_cause_ie_unsafe)
    write to the "q931_pi" structure which seems private to the q931
    dissector, but can in fact be called through other dissectors (isup) as
    well. Normally this structure is initialized in "dissect_q931_pdu" and
    invalidated at the end of the function, but a malformed packet can
    prevent the cleanup. In the next packet, a different dissector can thus
    trigger a use-after-free via "dissect_q931_number_ie".
    
    Rename "dissect_q931_cause_ie_unsafe" since "unsafe" meant that external
    dissectors could not call it directly (see commit a83a87e9ca).
    
    Based on commit 197ceddab109, it seems that the intended purpose of the
    structure is to provide information to the VoIP Calls dialog, but it
    would only be used when called through dissect_q931_pdu. Dissectors like
    isup have their own routines to provide call information, but as a
    side-effect of code sharing the problematic code path was reached.
    
    Bug: 14689
    Change-Id: I871525db560f24690ade9a0b944c6d0e655ed34b
    Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6711
    Reviewed-on: https://code.wireshark.org/review/27495
    Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Pascal Quantin <pascal.quantin@xxxxxxxxx>
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
    (cherry picked from commit d08a53a7b9ebf723816f224897c68aa652589050)
    Reviewed-on: https://code.wireshark.org/review/27521
    Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
    

Actions performed:

    from  b3eed07   gsm_a_gm: fix potential buffer overrun (read)
    adds  e1deea1   Q.931: fix use-after-free (write) of "q931_pi"


Summary of changes:
 epan/dissectors/packet-q931.c | 60 +++++++++++++++++++------------------------
 1 file changed, 27 insertions(+), 33 deletions(-)
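The lifecycle problem the commit message describes, as an added stand-alone model written for this note rather than Wireshark's own code: a file-scope pointer is set by the top-level PDU dissector, the cleanup that would null it is skipped when a malformed packet raises an exception, and a later packet reaching the shared IE code through another protocol writes through the stale pointer. The names `q931_pi`, `number_ie_*` and `q931_pdu_*` are stand-ins for the real functions and field, the single-slot arena replaces packet-scope memory, `longjmp` replaces the dissector exception, and the `live` flag exists only so the stale write can be counted instead of corrupting memory. The "explicit" variant shows one way to close the hole, passing the per-packet context as a parameter so callers without a Q.931 PDU context (the isup case) hand over NULL; this is an illustration of the idea, not a claim about the exact diff in `packet-q931.c`.

```c
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of per-packet memory: one slot handed out per packet and marked dead
 * when that packet is finished (a stand-in for Wireshark's packet scope). */
typedef struct {
    char calling_number[16];
    bool live;                      /* false once the packet's memory is released */
} call_info_t;

static call_info_t arena;           /* the single slot */
static jmp_buf malformed;           /* stand-in for the exception a truncated IE raises */
static int stale_writes;            /* writes that landed in released memory */

static call_info_t *packet_scope_alloc(void) {
    memset(&arena, 0, sizeof arena);
    arena.live = true;
    return &arena;
}

static void packet_scope_release(void) { arena.live = false; }

/* Shared by both versions: copy the number, but record it if the target is dead. */
static void store_number(call_info_t *pi, const uint8_t *ie, size_t len) {
    if (!pi->live) stale_writes++;  /* this is the use-after-free (write) */
    size_t n = len < sizeof pi->calling_number - 1 ? len : sizeof pi->calling_number - 1;
    memcpy(pi->calling_number, ie, n);
    pi->calling_number[n] = '\0';
}

/* ---- Pattern before the fix: a file-scope pointer shared by every caller ---- */
static call_info_t *q931_pi;        /* hypothetical stand-in for the real structure */

static void number_ie_global(const uint8_t *ie, size_t len) {
    if (q931_pi != NULL) store_number(q931_pi, ie, len);
}

static void q931_pdu_global(const uint8_t *ie, size_t len) {
    q931_pi = packet_scope_alloc();
    if (len == 0) longjmp(malformed, 1);  /* malformed IE: unwinds past the cleanup */
    number_ie_global(ie, len);
    q931_pi = NULL;                       /* never reached on the malformed path */
}

/* Packet 1: malformed Q.931 PDU. Packet 2: another protocol that reuses the IE
 * code (the isup case in the commit). Returns the number of stale writes. */
static int run_global_version(void) {
    static const uint8_t empty[] = { 0 };            /* constructed input */
    static const uint8_t isup_number[] = "5551234";  /* constructed input */
    stale_writes = 0;
    q931_pi = NULL;
    if (setjmp(malformed) == 0) q931_pdu_global(empty, 0);
    packet_scope_release();            /* packet 1 done; q931_pi now dangles */
    number_ie_global(isup_number, 7);  /* packet 2 writes through the stale pointer */
    return stale_writes;
}

/* ---- Hardened pattern: the per-packet context is an explicit parameter ---- */
static void number_ie_explicit(call_info_t *pi, const uint8_t *ie, size_t len) {
    if (pi != NULL) store_number(pi, ie, len);  /* callers without a PDU context pass NULL */
}

static void q931_pdu_explicit(const uint8_t *ie, size_t len) {
    call_info_t *pi = packet_scope_alloc();
    if (len == 0) longjmp(malformed, 1);
    number_ie_explicit(pi, ie, len);
}   /* nothing to reset: the pointer dies with the call, like the memory it names */

static int run_explicit_version(void) {
    static const uint8_t empty[] = { 0 };            /* constructed input */
    static const uint8_t isup_number[] = "5551234";  /* constructed input */
    stale_writes = 0;
    if (setjmp(malformed) == 0) q931_pdu_explicit(empty, 0);
    packet_scope_release();
    number_ie_explicit(NULL, isup_number, 7);  /* isup has no Q.931 context to hand over */
    return stale_writes;
}

int main(void) {
    printf("global pointer: %d stale write(s)\n", run_global_version());   /* 1 */
    printf("explicit param: %d stale write(s)\n", run_explicit_version()); /* 0 */
    return 0;
}
```

The model reports one stale write for the file-scope pointer and none once the context is passed explicitly. The general lesson for dissector-style code is that any pointer into per-packet memory must not outlive the packet, and a reset that sits after the parsing code is not a reset on the exception path; keep such state in a parameter or a per-packet allocation, or clear it in a handler that runs on every exit. Bugs of this shape are exactly what an address-sanitizer build under a fuzzer (the oss-fuzz report linked in the message) surfaces, since the write lands in memory the sanitizer has already marked freed.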