Wireshark-commits: [Wireshark-commits] master 2359523: wtap: fix regression in wtap_read_packet_byt
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2359523b1a8d7df74e456c6d8a1b047a7e53c512
Submitter: "Anders Broman <a.broman58@xxxxxxxxx>"
Changed: branch: master
Repository: wireshark
Commits:
2359523 by Peter Wu (peter@xxxxxxxxxxxxx):
wtap: fix regression in wtap_read_packet_bytes
The "first_free" pointer is currently only increaseed by
ws_buffer_increase_length (unused) and ws_buffer_append (for writes).
Reading into the buffer should not reduce the available space. Otherwise
the next wtap_read_packet_bytes call will reallocate the buffer.
This reallocation is unexpected by some users of cf_read_record and
results in a use-after-free crash following these steps:
1. Open packet capture.
2. Ignore packet.
3. Open context menu, twice.
This crashes because the ByteViewText class points to the buffer which
is reallocated after calling PacketList::getFilterFromRowAndColumn.
Change-Id: I4f1264a406a28c79491dcd77c552193bf3cdf62d
Fixes: v2.9.0rc0-2001-g123bcb0362 ("Make systemd journal entries events.")
Reviewed-on: https://code.wireshark.org/review/29915
Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
Actions performed:
from 4a45ff2 ieee80211: Display always tag when it is ELEMENT_ID_EXTENSION
add 2359523 wtap: fix regression in wtap_read_packet_bytes
Summary of changes:
wiretap/wtap.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)