https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14429

            Bug ID: 14429
           Summary: [oss-fuzz] #6279 radius: Direct-leak in g_realloc
                    (dissect_attribute_value_pairs)
           Product: Wireshark
           Version: Git
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: darkjames...@darkjames.pl
  Target Milestone: ---

Created attachment 16135
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16135&action=edit
Capture file

Build Information:
TShark (Wireshark) 2.5.1 (v2.5.1rc0-73-ge438cf2e)

Copyright 1998-2018 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.42.2, with zlib 1.2.8, without
SMI, without c-ares, without Lua, without GnuTLS, with Gcrypt 1.6.3, without
Kerberos, without GeoIP, without nghttp2, without LZ4, without Snappy, without
libxml2.

Running on Linux 3.17.4-301.fc21.x86_64, with Intel(R) Xeon(R) CPU          
E5530  @ 2.40GHz (with SSE4.2), with 24093 MB of physical memory, with locale
en_US.UTF-8, with Gcrypt 1.6.3, with zlib 1.2.8.

Built using gcc 4.9.2 20150212 (Red Hat 4.9.2-6).

--
A memleak was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6279

Valgrind log:

==24834== 154 bytes in 1 blocks are definitely lost in loss record 42 of 46
==24834==    at 0x4C2BB9C: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==24834==    by 0xA7434C5: g_realloc (gmem.c:162)
==24834==    by 0x7162FAB: dissect_attribute_value_pairs (packet-radius.c:1778)
==24834==    by 0x71637E5: dissect_radius (packet-radius.c:2261)
==24834==    by 0x6A7731A: call_dissector_through_handle (packet.c:694)
==24834==    by 0x6A782B1: call_dissector_work (packet.c:779)
==24834==    by 0x6A78C1E: dissector_try_uint_new (packet.c:1361)
==24834==    by 0x6A78C60: dissector_try_uint (packet.c:1385)
==24834==    by 0x731CB39: decode_udp_ports (packet-udp.c:666)
==24834==    by 0x731D490: dissect (packet-udp.c:1127)
==24834==    by 0x731D9DD: dissect_udp (packet-udp.c:1133)
==24834==    by 0x6A7731A: call_dissector_through_handle (packet.c:694)

Related lines:

1775                                 if (eap_buffer == NULL)
1776                                         eap_buffer = (guint8 *)g_malloc(eap_tot_len_captured + tvb_len);
1777                                 else
1778                                         eap_buffer = (guint8 *)g_realloc(eap_buffer,
1779                                                               eap_tot_len_captured + tvb_len);

___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs