URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e9376e47307daf4dd81658b8d0c356e0936b692c
Submitter: Anders Broman (a.broma...@gmail.com)
Changed: branch: master
Repository: wireshark

Commits:

e9376e4 by Jakub Zawadzki (darkjames...@darkjames.pl):

    h225: Fix use after free.
    
    next_tvb_add_handle() allocates memory in packet scope.
    When dissecting another packet from dissect_h225_h225_RasMessage() handler [it doesn't call next_tvb_init()]
    next_tvb_add_handle() will write to freed pointer.
    
    Fix by calling next_tvb_init() after leaving scope in order to clear list->last pointer.
    
    ASAN report:
    ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000854f0 at pc 0x00000208574a bp 0x7ffca839cf00 sp 0x7ffca839cef8
    WRITE of size 8 at 0x6070000854f0 thread T0
        #0 0x2085749 in next_tvb_add_handle /src/wireshark/epan/next_tvb.c
        #1 0xef8728 in dissect_h225_ParallelH245Control_item /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:368:3
    (...)
        #21 0x168f460 in dissect_per_sequence /src/wireshark/epan/dissectors/packet-per.c:1920:12
        #22 0xef31d3 in dissect_h225_InfoRequestResponse /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:910:12
        #23 0x168e7db in dissect_per_choice /src/wireshark/epan/dissectors/packet-per.c
        #24 0xeed6e3 in dissect_h225_RasMessage /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:298:12
        #25 0xef97af in dissect_RasMessage_PDU /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:339:12
        #26 0xeef872 in dissect_h225_h225_RasMessage /src/wireshark/epan/dissectors/./asn1/h225/packet-h225-template.c:385:12
    
    0x6070000854f0 is located 0 bytes inside of 72-byte region [0x6070000854f0,0x607000085538)
    freed by thread T0 here:
        #0 0x4e2528 in __interceptor_cfree.localalias.0 /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:76
        #1 0x21263a1 in wmem_simple_free_all /src/wireshark/epan/wmem/wmem_allocator_simple.c:107:9
        #2 0x205aa4d in wmem_leave_packet_scope /src/wireshark/epan/wmem/wmem_scopes.c:81:5
    (...)
    
    previously allocated by thread T0 here:
        #0 0x4e26e8 in __interceptor_malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
        #1 0x225c588 in g_malloc (/out/fuzzshark_test+0x225c588)
        #2 0x20855e0 in next_tvb_add_handle /src/wireshark/epan/next_tvb.c:40:10
        #3 0xef8728 in dissect_h225_ParallelH245Control_item /src/wireshark/epan/dissectors/./asn1/h225/h225.cnf:368:3
    
    Found by oss-fuzz/5921
    
    Change-Id: Iea006914a9e0c433d2073f6f4c7a2973d5a33a11
    Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5921
    Reviewed-on: https://code.wireshark.org/review/25593
    Petri-Dish: Jakub Zawadzki <darkjames...@darkjames.pl>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Anders Broman <a.broma...@gmail.com>
    

Actions performed:

    from  27b571e   NBAP: copy address in pinfo->pool
    adds  e9376e4   h225: Fix use after free.


Summary of changes:
 epan/dissectors/asn1/h225/packet-h225-template.c | 12 ++++++++++++
 epan/dissectors/packet-h225.c                    | 22 +++++++++++++++++-----
 2 files changed, 29 insertions(+), 5 deletions(-)
___________________________________________________________________________
Sent via:    Wireshark-commits mailing list <wireshark-commits@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-commits
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-commits
             mailto:wireshark-commits-requ...@wireshark.org?subject=unsubscribe
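
The failure mode described in the commit message above, as an added example that is not part of the commit or of Wireshark's code: a simplified model in which a list head outlives the packet-scoped items it points to, and re-initialising the list after leaving scope removes the stale tail. The names list_t, list_add, list_init, leave_packet_scope and run_two_packets are hypothetical, and the pool is static storage so the stale pointer is detected without touching freed memory.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified model, not Wireshark code. Items live in a per-packet pool that
 * is static storage, so a stale pointer can be inspected safely here. */
typedef struct item { struct item *next; unsigned gen; } item_t;
typedef struct { item_t *first, *last; } list_t;   /* outlives the packet */
#define POOL_SIZE 8
static item_t pool[POOL_SIZE];
static size_t pool_used;
static unsigned scope_gen;   /* bumped each time packet scope is left */

/* Stand-in for leaving packet scope: every item becomes invalid. */
static void leave_packet_scope(void) { pool_used = 0; scope_gen++; }

/* Stand-in for next_tvb_init(): drop pointers into the old scope. */
static void list_init(list_t *l) { l->first = l->last = NULL; }

/* Stand-in for next_tvb_add_handle(). Returns 1 if list->last belongs to a scope
 * already left (real code would write to freed memory), 0 if clean, -1 if full. */
static int list_add(list_t *l) {
    if (pool_used == POOL_SIZE) return -1;   /* pool exhausted */
    /* Check before allocating: the new item may reuse the stale slot. */
    int stale = (l->last != NULL && l->last->gen != scope_gen);
    item_t *it = &pool[pool_used++];
    it->next = NULL;
    it->gen = scope_gen;
    if (l->last != NULL && !stale) l->last->next = it;
    else l->first = it;   /* empty list, or stale tail discarded */
    l->last = it;
    return stale;
}

/* Two packets share one list; returns how many appends hit a stale tail. */
static int run_two_packets(int reinit_after_scope) {
    list_t list;
    int stale = 0;
    list_init(&list);
    for (int pkt = 0; pkt < 2; pkt++) {
        stale += list_add(&list);
        stale += list_add(&list);
        leave_packet_scope();
        if (reinit_after_scope) list_init(&list);   /* the fix */
    }
    return stale;
}

int main(void) {
    printf("stale appends without re-init: %d\n", run_two_packets(0));
    printf("stale appends with re-init:    %d\n", run_two_packets(1));
    return 0;
}
```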
