authorPeter Wu <peter@lekensteyn.nl>2018-05-13 00:27:03 +0200
committerAnders Broman <a.broman58@gmail.com>2018-05-13 12:02:37 +0000
commitb1e0cb01b33d1e6798e5f3b2f649b2359874c622 (patch)
tree7af369c6d0ff980275fbc4e48492135ee428c0dd
parent5b385f3a4dd1a82cae6d62e5563d1d7d9a0a80cf (diff)
coap: fix use-after-free of "coinfo->ctype_str"
A use-after-free is possible through the following path: // returns wmem_packet_scope() memory coinfo->ctype_str = val_to_str(coinfo->ctype_value, vals_ctype, "Unknown Type %u"); // leaks packet scoped memory into conversation coap_trans = wmem_new0(wmem_file_scope(), coap_transaction); coap_trans->req_ctype_str = coinfo->ctype_str; // <-- oops // next packet: use-after-free of packet scoped memory coinfo->ctype_str = coap_trans->req_ctype_str; This could be fixed by duplicating "ctype_str" with wmem_file_scope, but since all "ctype_str" strings are constant, make the problematic "ctype_str" assignment also constant for unknown types (the numeric type is also stored in "ctype_value" if necessary). Change-Id: I6249e076fa282bbe0982b8c709788e27f6fdf86e Fixes: v2.9.0rc0-317-g46fcf452ac ("coap: Store ctype values in transaction tracking") Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8196 Reviewed-on: https://code.wireshark.org/review/27477 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r--epan/dissectors/packet-coap.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/dissectors/packet-coap.c b/epan/dissectors/packet-coap.c
index aa404ae0b4..ae08aba66c 100644
--- a/epan/dissectors/packet-coap.c
+++ b/epan/dissectors/packet-coap.c
@@ -574,7 +574,7 @@ dissect_coap_opt_ctype(tvbuff_t *tvb, proto_item *head_item, proto_tree *subtree
coinfo->ctype_value = coap_get_opt_uint(tvb, offset, opt_length);
}
- coinfo->ctype_str = val_to_str(coinfo->ctype_value, vals_ctype, "Unknown Type %u");
+ coinfo->ctype_str = val_to_str_const(coinfo->ctype_value, vals_ctype, "Unknown Type");
proto_tree_add_string(subtree, hf, tvb, offset, opt_length, coinfo->ctype_str);
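Review bot: The assignment to `coinfo->ctype_str` now depends on a lifetime rule that is written down nowhere in the code. Per the commit description the pointer is later copied into the file-scoped `coap_transaction` (`req_ctype_str`), so it must never reference packet-scoped memory. A later change back to `val_to_str()` or to any other formatter that returns wmem_packet_scope() memory would silently reintroduce the use-after-free. I would add a comment directly above the assignment, e.g. `/* Must be a static string: ctype_str is kept in file-scoped transaction state beyond this packet. */`. The copy into the transaction and the rest of dissect_coap_opt_ctype lie outside this hunk, so any other writer of `ctype_str` should be checked against the same rule.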