aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGerald Combs <gerald@wireshark.org>2017-11-29 14:17:54 -0800
committerMichael Mann <mmann78@netscape.net>2017-11-30 00:15:39 +0000
commitec0ffc043fac4792ccf3055ea18190894a520577 (patch)
treed19d4c7caa0b1ee1f1d4ef35a06eada40c9219a4
parent3ed5b4fb67edc6829ece7adf542f44e9a75185af (diff)
RRC: Fixup wmem_strbuf usage.
Instead of calling wmem_strbuf_finalize, which frees the strbuf structure and makes it unsuitable for reuse, call wmem_strdup + wmem_strbuf_truncate. This fixes a heap-use-after-free. Bug: 14248 Change-Id: I498e10ed9f9afa7fa72b607eb43f68c710de777e Reviewed-on: https://code.wireshark.org/review/24650 Reviewed-by: Gerald Combs <gerald@wireshark.org> Petri-Dish: Gerald Combs <gerald@wireshark.org> Tested-by: Petri Dish Buildbot Reviewed-by: Michael Mann <mmann78@netscape.net>
-rw-r--r--epan/dissectors/asn1/rrc/rrc.cnf6
-rw-r--r--epan/dissectors/packet-rrc.c68
2 files changed, 39 insertions, 35 deletions
diff --git a/epan/dissectors/asn1/rrc/rrc.cnf b/epan/dissectors/asn1/rrc/rrc.cnf
index c871691..213c2bd 100644
--- a/epan/dissectors/asn1/rrc/rrc.cnf
+++ b/epan/dissectors/asn1/rrc/rrc.cnf
@@ -793,7 +793,8 @@ HandoverFromUTRANCommand-GSM-r6-IEs/gsm-message/single-GSM-Message single-GSM-Me
/* Extracing the string collected in the strbuf */
string_len = (guint32)wmem_strbuf_get_len(mcc_mnc_strbuf);
- mcc_mnc_string = wmem_strbuf_finalize(mcc_mnc_strbuf);
+ mcc_mnc_string = wmem_strdup(actx->pinfo->pool, wmem_strbuf_get_str(mcc_mnc_strbuf));
+ wmem_strbuf_truncate(mcc_mnc_strbuf, 0);
/* Creating TVB from extracted string*/
mcc_mnc_tvb = tvb_new_child_real_data(tvb, (guint8*)mcc_mnc_string, string_len, string_len);
@@ -821,7 +822,8 @@ HandoverFromUTRANCommand-GSM-r6-IEs/gsm-message/single-GSM-Message single-GSM-Me
/* Extracing the string collected in the strbuf */
string_len = (guint32)wmem_strbuf_get_len(imsi_strbuf);
- imsi_string = wmem_strbuf_finalize(imsi_strbuf);
+ imsi_string = wmem_strdup(actx->pinfo->pool, wmem_strbuf_get_str(imsi_strbuf));
+ wmem_strbuf_truncate(imsi_strbuf, 0);
/* Creating TVB from extracted string*/
imsi_tvb = tvb_new_child_real_data(tvb, (guint8*)imsi_string, string_len, string_len);
diff --git a/epan/dissectors/packet-rrc.c b/epan/dissectors/packet-rrc.c
index 7e6fe59..b1c694f 100644
--- a/epan/dissectors/packet-rrc.c
+++ b/epan/dissectors/packet-rrc.c
@@ -18578,7 +18578,7 @@ dissect_rrc_ActivationTime(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _
static int
dissect_rrc_RB_Identity(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1239 "./asn1/rrc/rrc.cnf"
+#line 1241 "./asn1/rrc/rrc.cnf"
guint32 rbid;
offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
1U, 32U, &rbid, FALSE);
@@ -18595,7 +18595,7 @@ private_data_set_rbid(actx, rbid);
static int
dissect_rrc_RLC_SequenceNumber(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1245 "./asn1/rrc/rrc.cnf"
+#line 1247 "./asn1/rrc/rrc.cnf"
guint32 rlc_ciphering_sqn;
offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
0U, 4095U, &rlc_ciphering_sqn, FALSE);
@@ -18616,7 +18616,7 @@ static const per_sequence_t RB_ActivationTimeInfo_sequence[] = {
static int
dissect_rrc_RB_ActivationTimeInfo(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1211 "./asn1/rrc/rrc.cnf"
+#line 1213 "./asn1/rrc/rrc.cnf"
fp_info *fpinf;
rlc_info *rlcinf;
rrc_ciphering_info *ciphering_info;
@@ -18685,7 +18685,7 @@ dissect_rrc_CipheringModeInfo(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *act
static int
dissect_rrc_SRNC_Identity(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 952 "./asn1/rrc/rrc.cnf"
+#line 954 "./asn1/rrc/rrc.cnf"
tvbuff_t * s_rnc_id_tvb = NULL;
offset = dissect_per_bit_string(tvb, offset, actx, tree, hf_index,
12, 12, FALSE, &s_rnc_id_tvb, NULL);
@@ -18703,7 +18703,7 @@ dissect_rrc_SRNC_Identity(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U
static int
dissect_rrc_S_RNTI(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 959 "./asn1/rrc/rrc.cnf"
+#line 961 "./asn1/rrc/rrc.cnf"
tvbuff_t * s_rnti_tvb = NULL;
offset = dissect_per_bit_string(tvb, offset, actx, tree, hf_index,
20, 20, FALSE, &s_rnti_tvb, NULL);
@@ -18726,7 +18726,7 @@ static const per_sequence_t U_RNTI_sequence[] = {
static int
dissect_rrc_U_RNTI(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 966 "./asn1/rrc/rrc.cnf"
+#line 968 "./asn1/rrc/rrc.cnf"
private_data_set_s_rnc_id(actx, 0);
private_data_set_s_rnti(actx, 0);
guint32 s_rnc_id;
@@ -18762,7 +18762,7 @@ dissect_rrc_U_RNTI(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, prot
static int
dissect_rrc_Digit(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 834 "./asn1/rrc/rrc.cnf"
+#line 836 "./asn1/rrc/rrc.cnf"
guint32 digit;
wmem_strbuf_t* digits_strbuf; /* The string of either an IMSI or a MCC-MNC pair */
offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
@@ -18853,7 +18853,8 @@ dissect_rrc_PLMN_Identity(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U
/* Extracing the string collected in the strbuf */
string_len = (guint32)wmem_strbuf_get_len(mcc_mnc_strbuf);
- mcc_mnc_string = wmem_strbuf_finalize(mcc_mnc_strbuf);
+ mcc_mnc_string = wmem_strdup(actx->pinfo->pool, wmem_strbuf_get_str(mcc_mnc_strbuf));
+ wmem_strbuf_truncate(mcc_mnc_strbuf, 0);
/* Creating TVB from extracted string*/
mcc_mnc_tvb = tvb_new_child_real_data(tvb, (guint8*)mcc_mnc_string, string_len, string_len);
@@ -18871,7 +18872,7 @@ dissect_rrc_PLMN_Identity(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U
static int
dissect_rrc_NAS_SystemInformationGSM_MAP(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 920 "./asn1/rrc/rrc.cnf"
+#line 922 "./asn1/rrc/rrc.cnf"
tvbuff_t *nas_sys_info_gsm_map_tvb = NULL;
guint32 length;
enum nas_sys_info_gsm_map cn_domain;
@@ -18914,7 +18915,7 @@ dissect_rrc_NAS_SystemInformationGSM_MAP(tvbuff_t *tvb _U_, int offset _U_, asn1
static int
dissect_rrc_T_cn_CommonGSM_MAP_NAS_SysInfo(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 904 "./asn1/rrc/rrc.cnf"
+#line 906 "./asn1/rrc/rrc.cnf"
private_data_set_cn_domain(actx, RRC_NAS_SYS_INFO_CN_COMMON);
offset = dissect_rrc_NAS_SystemInformationGSM_MAP(tvb, offset, actx, tree, hf_index);
@@ -18934,7 +18935,7 @@ static const value_string rrc_CN_DomainIdentity_vals[] = {
static int
dissect_rrc_CN_DomainIdentity(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 897 "./asn1/rrc/rrc.cnf"
+#line 899 "./asn1/rrc/rrc.cnf"
guint32 nas_sys_info;
offset = dissect_per_enumerated(tvb, offset, actx, tree, hf_index,
2, &nas_sys_info, FALSE, 0, NULL);
@@ -22593,7 +22594,7 @@ dissect_rrc_SSDT_UL(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pro
static int
dissect_rrc_CellIdentity(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1065 "./asn1/rrc/rrc.cnf"
+#line 1067 "./asn1/rrc/rrc.cnf"
tvbuff_t * cell_id_tvb = NULL;
proto_item *temp_ti;
proto_tree *cell_identity_tree;
@@ -22818,7 +22819,7 @@ dissect_rrc_T_r3(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_
static int
dissect_rrc_H_RNTI(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1153 "./asn1/rrc/rrc.cnf"
+#line 1155 "./asn1/rrc/rrc.cnf"
tvbuff_t *hrnti_tvb;
struct rrc_info *rrcinf;
offset = dissect_per_bit_string(tvb, offset, actx, tree, hf_index,
@@ -22827,7 +22828,7 @@ dissect_rrc_H_RNTI(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, prot
-#line 1158 "./asn1/rrc/rrc.cnf"
+#line 1160 "./asn1/rrc/rrc.cnf"
rrcinf = (struct rrc_info *)p_get_proto_data(wmem_file_scope(), actx->pinfo, proto_rrc, 0);
if (!rrcinf) {
rrcinf = wmem_new0(wmem_file_scope(), struct rrc_info);
@@ -22853,7 +22854,7 @@ dissect_rrc_E_RNTI(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, prot
static int
dissect_rrc_T_cn_CommonGSM_MAP_NAS_SysInfo_01(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 908 "./asn1/rrc/rrc.cnf"
+#line 910 "./asn1/rrc/rrc.cnf"
private_data_set_cn_domain(actx, RRC_NAS_SYS_INFO_CN_COMMON);
offset = dissect_rrc_NAS_SystemInformationGSM_MAP(tvb, offset, actx, tree, hf_index);
@@ -28327,7 +28328,7 @@ dissect_rrc_ScramblingCodeType(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *ac
static int
dissect_rrc_UL_ScramblingCode(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1060 "./asn1/rrc/rrc.cnf"
+#line 1062 "./asn1/rrc/rrc.cnf"
guint32 scrambling_code;
offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
0U, 16777215U, &scrambling_code, FALSE);
@@ -39072,7 +39073,7 @@ dissect_rrc_CellChangeOrderFromUTRAN(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx
static int
dissect_rrc_C_RNTI(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 991 "./asn1/rrc/rrc.cnf"
+#line 993 "./asn1/rrc/rrc.cnf"
fp_info *fpinf = NULL;
umts_mac_info *macinf = NULL;
rlc_info *rlcinf = NULL;
@@ -46180,7 +46181,7 @@ dissect_rrc_RLC_Info_r5(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_,
static int
dissect_rrc_MAC_d_FlowIdentity(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1150 "./asn1/rrc/rrc.cnf"
+#line 1152 "./asn1/rrc/rrc.cnf"
offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
0U, 7U, &flowd, FALSE);
@@ -46228,7 +46229,7 @@ static const per_choice_t DL_TransportChannelType_r5_choice[] = {
static int
dissect_rrc_DL_TransportChannelType_r5(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1079 "./asn1/rrc/rrc.cnf"
+#line 1081 "./asn1/rrc/rrc.cnf"
/*Here we try to figure out which HS-DSCH channels are multiplexed*/
guint *flowd_p;
guint *cur_val=NULL;
@@ -49702,7 +49703,7 @@ static const per_choice_t DL_TransportChannelType_r7_choice[] = {
static int
dissect_rrc_DL_TransportChannelType_r7(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1114 "./asn1/rrc/rrc.cnf"
+#line 1116 "./asn1/rrc/rrc.cnf"
/*Here we try to figure out which HS-DSCH channels are multiplexed*/
guint *flowd_p;
guint *cur_val=NULL;
@@ -90280,7 +90281,7 @@ static const value_string rrc_ReleaseCause_vals[] = {
static int
dissect_rrc_ReleaseCause(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1267 "./asn1/rrc/rrc.cnf"
+#line 1269 "./asn1/rrc/rrc.cnf"
guint32 value;
offset = dissect_per_enumerated(tvb, offset, actx, tree, hf_index,
8, &value, FALSE, 0, NULL);
@@ -95943,7 +95944,7 @@ dissect_rrc_UE_ConnTimersAndConstants(tvbuff_t *tvb _U_, int offset _U_, asn1_ct
static int
dissect_rrc_T_cn_CommonGSM_MAP_NAS_SysInfo_02(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 912 "./asn1/rrc/rrc.cnf"
+#line 914 "./asn1/rrc/rrc.cnf"
private_data_set_cn_domain(actx, RRC_NAS_SYS_INFO_CN_COMMON);
offset = dissect_rrc_NAS_SystemInformationGSM_MAP(tvb, offset, actx, tree, hf_index);
@@ -98610,7 +98611,7 @@ dissect_rrc_T_r8_04(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, pro
static int
dissect_rrc_T_ims_Information(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 859 "./asn1/rrc/rrc.cnf"
+#line 861 "./asn1/rrc/rrc.cnf"
tvbuff_t *imsInformation_tvb=NULL;
offset = dissect_per_octet_string(tvb, offset, actx, tree, hf_index,
1, 32, FALSE, &imsInformation_tvb);
@@ -99800,7 +99801,7 @@ static const per_choice_t DL_DCCH_MessageType_choice[] = {
static int
dissect_rrc_DL_DCCH_MessageType(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1250 "./asn1/rrc/rrc.cnf"
+#line 1252 "./asn1/rrc/rrc.cnf"
offset = dissect_per_choice(tvb, offset, actx, tree, hf_index,
ett_rrc_DL_DCCH_MessageType, DL_DCCH_MessageType_choice,
&msg_type);
@@ -99820,7 +99821,7 @@ static const per_sequence_t DL_DCCH_Message_sequence[] = {
static int
dissect_rrc_DL_DCCH_Message(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1253 "./asn1/rrc/rrc.cnf"
+#line 1255 "./asn1/rrc/rrc.cnf"
offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index,
ett_rrc_DL_DCCH_Message, DL_DCCH_Message_sequence);
@@ -99834,7 +99835,7 @@ dissect_rrc_DL_DCCH_Message(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx
static int
dissect_rrc_START_Value(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1166 "./asn1/rrc/rrc.cnf"
+#line 1168 "./asn1/rrc/rrc.cnf"
tvbuff_t * start_val;
fp_info *fpinf;
rlc_info *rlcinf;
@@ -115026,7 +115027,7 @@ static const per_sequence_t IMSI_GSM_MAP_sequence_of[1] = {
static int
dissect_rrc_IMSI_GSM_MAP(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 806 "./asn1/rrc/rrc.cnf"
+#line 807 "./asn1/rrc/rrc.cnf"
wmem_strbuf_t* imsi_strbuf;
guint32 string_len;
gchar* imsi_string;
@@ -115048,7 +115049,8 @@ dissect_rrc_IMSI_GSM_MAP(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_
/* Extracing the string collected in the strbuf */
string_len = (guint32)wmem_strbuf_get_len(imsi_strbuf);
- imsi_string = wmem_strbuf_finalize(imsi_strbuf);
+ imsi_string = wmem_strdup(actx->pinfo->pool, wmem_strbuf_get_str(imsi_strbuf));
+ wmem_strbuf_truncate(imsi_strbuf, 0);
/* Creating TVB from extracted string*/
imsi_tvb = tvb_new_child_real_data(tvb, (guint8*)imsi_string, string_len, string_len);
@@ -129618,7 +129620,7 @@ static const per_choice_t HandoverToUTRANCommand_choice[] = {
static int
dissect_rrc_HandoverToUTRANCommand(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1256 "./asn1/rrc/rrc.cnf"
+#line 1258 "./asn1/rrc/rrc.cnf"
offset = dissect_per_choice(tvb, offset, actx, tree, hf_index,
ett_rrc_HandoverToUTRANCommand, HandoverToUTRANCommand_choice,
NULL);
@@ -129759,7 +129761,7 @@ static const per_sequence_t UE_SecurityInformation_sequence[] = {
static int
dissect_rrc_UE_SecurityInformation(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1259 "./asn1/rrc/rrc.cnf"
+#line 1261 "./asn1/rrc/rrc.cnf"
private_data_set_cn_domain(actx, RRC_NAS_SYS_INFO_CS);
offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index,
ett_rrc_UE_SecurityInformation, UE_SecurityInformation_sequence);
@@ -130162,7 +130164,7 @@ static const per_sequence_t UE_SecurityInformation2_sequence[] = {
static int
dissect_rrc_UE_SecurityInformation2(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1263 "./asn1/rrc/rrc.cnf"
+#line 1265 "./asn1/rrc/rrc.cnf"
private_data_set_cn_domain(actx, RRC_NAS_SYS_INFO_PS);
offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index,
ett_rrc_UE_SecurityInformation2, UE_SecurityInformation2_sequence);
@@ -150856,7 +150858,7 @@ dissect_rrc_ExtSIBTypeInfoSchedulingInfo_List3(tvbuff_t *tvb _U_, int offset _U_
static int
dissect_rrc_HNBName(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 891 "./asn1/rrc/rrc.cnf"
+#line 893 "./asn1/rrc/rrc.cnf"
tvbuff_t *hnbname_tvb = NULL;
offset = dissect_per_octet_string(tvb, offset, actx, tree, -1,
@@ -151447,7 +151449,7 @@ dissect_rrc_SIB_ReferenceList2(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *ac
static int
dissect_rrc_T_cn_CommonGSM_MAP_NAS_SysInfo_03(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 916 "./asn1/rrc/rrc.cnf"
+#line 918 "./asn1/rrc/rrc.cnf"
private_data_set_cn_domain(actx, RRC_NAS_SYS_INFO_CN_COMMON);
offset = dissect_rrc_NAS_SystemInformationGSM_MAP(tvb, offset, actx, tree, hf_index);