From 391f11a7ec16045ed5909d617edcaada1f8f9afc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stig=20Bj=C3=B8rlykke?= <stig@bjorlykke.org>
Date: Fri, 20 Nov 2015 19:39:55 +0100
Subject: epan: Free pointers to deallocated memory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When redissecting packets we call epan_free() which deallocates
wmem_file_scope memory.  Such memory may be used in proto_data for
the currently selected packet (cf->edt) and leaves pointers to
deallocated memory (cf->edt->pi.fd->pfd).  Free them after
epan_free() to avoid unintended usage in packet_list_clear().

Bug: 11740
Change-Id: Ia3bc54f3f34e644a98b8a7eb1addd19b8aeeaab9
Reviewed-on: https://code.wireshark.org/review/11996
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
---
 file.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'file.c')

diff --git a/file.c b/file.c
index e64cd18b7e..c552726c2e 100644
--- a/file.c
+++ b/file.c
@@ -1624,6 +1624,12 @@ rescan_packets(capture_file *cf, const char *action, const char *action_item, gb
 
     /* 'reset' dissection session */
     epan_free(cf->epan);
+    if (cf->edt && cf->edt->pi.fd) {
+      /* All pointers in "per frame proto data" for the currently selected
+         packet are allocated in wmem_file_scope() and deallocated in epan_free().
+         Free them here to avoid unintended usage in packet_list_clear(). */
+      frame_data_destroy(cf->edt->pi.fd);
+    }
     cf->epan = ws_epan_new(cf);
     cf->cinfo.epan = cf->epan;
 
-- 
cgit v1.2.3