Jeff Morriss wrote:
> Bill Meier wrote:
>> Jeff Morriss wrote:
>>> Bill Meier wrote:
>>>> I've found at least one case wherein se_alloc'd memory
>>>> is referenced after it's been freed. (I think this case just happens
>>>> to work because the memory wasn't yet reassigned).
>>> I was contemplating adding an optional memory-scrubber to ensure that
>>> we're not doing that: just writing 0xdeadbeef to the ep_ and se_ alloc'd
>>> memory when we free it.
>>>
>> I was thinking the same thing ....
>
> I fixed a few cases of this and I'm not getting any more failures with
> the sample captures I have. Is the case you found fixed?
>
Unfortunately I don't quite remember the case I found.
Was it the "dangling pointer to se_alloc'd memory" I mentioned in bug
#4141? (If so, I originally misinterpreted the code, in that there's no
actual reference to the already-freed se_alloc'd buffer).
"Also note that currently for free_all_reassembled_fragments()
that the 'key_arg' points to se_alloc'd memory which has already
been freed."
> If so, should we turn on memory scrubbing while fuzz testing?
Seems like a reasonable idea to me. We'd need to watch to see how much
time is added to the fuzz testing. Maybe only turn on scrubbing for one
pass?
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
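The scrub-on-free idea discussed in this thread (overwriting ep_/se_ allocated memory with 0xdeadbeef when it is released, so a pointer kept past the free is noticed instead of silently working because nothing reused the memory yet), as an added C example that is not Wireshark's emem code. It assumes a hypothetical scope arena `scope_arena` with a single pool and a free-all operation, a `looks_scrubbed` check for the poison pattern, and a constructed `stale_read_detected` scenario modelled on the dangling key pointer mentioned above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical scope-lifetime arena (an assumption of this example, not
 * Wireshark's emem implementation): allocations are carved from one pool
 * and all released together, like se_alloc'd memory at end of capture. */
#define POOL_SIZE 4096u
#define SCRUB_WORD 0xdeadbeefu

typedef struct {
    unsigned char pool[POOL_SIZE];
    size_t used;
    int scrub_on_free;   /* when non-zero, released memory is overwritten */
} scope_arena;

void arena_init(scope_arena *a, int scrub_on_free)
{
    memset(a->pool, 0, sizeof a->pool);
    a->used = 0;
    a->scrub_on_free = scrub_on_free;
}

void *arena_alloc(scope_arena *a, size_t n)
{
    size_t aligned = (n + 7u) & ~(size_t)7u;   /* keep 8-byte alignment */
    if (aligned > POOL_SIZE - a->used)
        return NULL;
    void *p = a->pool + a->used;
    a->used += aligned;
    return p;
}

/* Byte k of the 0xdeadbeef pattern laid out big-endian: de ad be ef de ad ... */
static unsigned char scrub_byte(size_t k)
{
    return (unsigned char)(SCRUB_WORD >> (8u * (3u - (k % 4u))));
}

/* Release everything; with scrubbing on, poison the bytes that were in use
 * so any later read through a stale pointer sees 0xdeadbeef, not old data. */
void arena_free_all(scope_arena *a)
{
    if (a->scrub_on_free) {
        for (size_t i = 0; i < a->used; i++)
            a->pool[i] = scrub_byte(i);
    }
    a->used = 0;
}

/* Returns 1 if all n bytes at p still carry the scrub pattern, i.e. the
 * caller is looking at memory that was released and never reallocated.
 * Allocations are 8-byte aligned from the pool start, so the pattern phase
 * at offset i inside an allocation equals the phase in the pool. */
int looks_scrubbed(const void *p, size_t n)
{
    const unsigned char *b = p;
    if (n < 4)
        return 0;   /* too short to distinguish from ordinary data */
    for (size_t i = 0; i < n; i++)
        if (b[i] != scrub_byte(i))
            return 0;
    return 1;
}

/* Models the bug class from the thread: a key pointer into se_alloc'd
 * memory is kept across the free. Returns 1 if the stale read is
 * detectable (scrub pattern present), 0 if it silently "works". */
int stale_read_detected(int scrub_on_free)
{
    static scope_arena arena;          /* static: keeps the 4 KiB pool off the stack */
    arena_init(&arena, scrub_on_free);

    char *key = arena_alloc(&arena, 16);
    if (key == NULL)
        return -1;
    strcpy(key, "reassembly-key");     /* constructed sample contents */

    arena_free_all(&arena);            /* end of scope; key now dangles */

    /* The dangling pointer still points into the static pool, so this read
     * is well-defined here; the question is whether anyone can notice it. */
    return looks_scrubbed(key, 16);
}

int main(void)
{
    printf("stale read, scrubbing off: %s\n",
           stale_read_detected(0) ? "detected" : "undetected");
    printf("stale read, scrubbing on:  %s\n",
           stale_read_detected(1) ? "detected" : "undetected");
    return 0;
}
```

The scrub pass costs one write per byte in use at free time, which is the overhead the thread wants to measure before enabling it for fuzz runs; a check such as `looks_scrubbed` would sit behind an assertion in a debug or fuzz-only build rather than in normal dissection.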