From Ed Beroset via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9246

Fix memory leaks and bad memory accesses in c1222 dissector. From me: use realloc in a handoff function since it may get called multiple times, and we only need the latest. svn path=/trunk/; revision=52497
author: Evan Huus <eapache@gmail.com> 2013-10-10 16:18:49 +0000
committer: Evan Huus <eapache@gmail.com> 2013-10-10 16:18:49 +0000
commit: a50dee3286db96e5749e21bba6f9b4bab3fb6dfc (patch)
tree: e54c24449cd5d5269bc435678e22a19309d5b61c /asn1
parent: 1370003beeecb819de990e215d65c02a8d7c3d92 (diff)
2 files changed, 24 insertions, 10 deletions
diff --git a/asn1/c1222/c1222.cnf b/asn1/c1222/c1222.cnf
index ec0e9b3704..851f40c3f5 100644
--- a/asn1/c1222/c1222.cnf
+++ b/asn1/c1222/c1222.cnf
@@ -98,4 +98,7 @@ AE-qualifier TYPE=FT_UINT32
   %(DEFAULT_BODY)s
   FILL_TABLE(iv_element);
 
+#.FN_BODY MESSAGE
+    clear_canon();
+    %(DEFAULT_BODY)s
 #.END
diff --git a/asn1/c1222/packet-c1222-template.c b/asn1/c1222/packet-c1222-template.c
index 7b9ee42f77..a467d899d3 100644
--- a/asn1/c1222/packet-c1222-template.c
+++ b/asn1/c1222/packet-c1222-template.c
@@ -305,19 +305,18 @@ static uat_t *c1222_uat;
 #define FILL_START int length, start_offset = offset;
 #define FILL_TABLE(fieldname)  \
   length = offset - start_offset; \
-  if (fieldname != NULL) g_free(fieldname); \
-  fieldname = (guint8 *)tvb_memdup(NULL, tvb, start_offset, length); \
+  fieldname = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, start_offset, length); \
   fieldname##_len = length;
 #define FILL_TABLE_TRUNCATE(fieldname, len)  \
   length = 1 + 2*(offset - start_offset); \
-  fieldname = (guint8 *)tvb_memdup(NULL, tvb, start_offset, length); \
+  fieldname = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, start_offset, length); \
   fieldname##_len = len;
 #define FILL_TABLE_APTITLE(fieldname) \
   length = offset - start_offset; \
   switch (tvb_get_guint8(tvb, start_offset)) { \
     case 0x80: /* relative OID */ \
       fieldname##_len = length + c1222_baseoid_len; \
-      fieldname = (guint8 *)wmem_alloc(NULL, fieldname##_len); \
+      fieldname = (guint8 *)wmem_alloc(wmem_packet_scope(), fieldname##_len); \
       fieldname[0] = 0x06;  /* create absolute OID tag */ \
       fieldname[1] = (fieldname##_len - 2) & 0xff;  \
       memcpy(&(fieldname[2]), c1222_baseoid, c1222_baseoid_len); \
@@ -325,7 +324,7 @@ static uat_t *c1222_uat;
       break; \
     case 0x06:  /* absolute OID */ \
     default: \
-      fieldname = (guint8 *)tvb_memdup(NULL, tvb, start_offset, length); \
+      fieldname = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, start_offset, length); \
       fieldname##_len = length; \
       break; \
   } 
@@ -673,6 +672,17 @@ static const TOP_ELEMENT_CONTROL canonifyTable[] = {
   { FALSE, FALSE, 0x0,  TRUE, NULL, NULL }
 };
 
+static void 
+clear_canon(void)
+{
+  const TOP_ELEMENT_CONTROL *t = canonifyTable;
+
+  for (t = canonifyTable; t->element != NULL; t++) {
+    *(t->length) = 0;
+    *(t->element) = NULL;
+  }
+}
+
 /**
  * Calculates the size of the passed number n as encoded as a BER length field.
  *
@@ -769,7 +779,6 @@ canonify_unencrypted_header(guchar *buff, guint32 *offset, guint32 buffsize)
       memcpy(&buff[*offset], *(t->element), len);
       (*offset) += len;
       if (t->addtag) {
-	  g_free(*(t->element));
 	  *(t->element) = NULL;
       }
     }
@@ -944,9 +953,8 @@ dissect_epsem(tvbuff_t *tvb, int offset, guint32 len, packet_info *pinfo, proto_
         return offset;
       encrypted = TRUE;
       if (c1222_decrypt) {
-	buffer = (guchar *)tvb_memdup(NULL, tvb, offset, len2);
+	buffer = (guchar *)tvb_memdup(wmem_packet_scope(), tvb, offset, len2);
 	if (!decrypt_packet(buffer, len2, TRUE)) {
-	  g_free(buffer);
 	  crypto_bad = TRUE;
 	} else {
 	  epsem_buffer = tvb_new_real_data(buffer, len2, len2);
@@ -963,7 +971,7 @@ dissect_epsem(tvbuff_t *tvb, int offset, guint32 len, packet_info *pinfo, proto_
       len2 = tvb_length_remaining(tvb, offset);
       if (len2 <= 0)
         return offset;
-      buffer = (guchar *)tvb_memdup(NULL, tvb, offset, len2);
+      buffer = (guchar *)tvb_memdup(wmem_packet_scope(), tvb, offset, len2);
       epsem_buffer = tvb_new_subset_remaining(tvb, offset);
       if (c1222_decrypt) {
 	if (!decrypt_packet(buffer, len2, FALSE)) {
@@ -1410,6 +1418,7 @@ void
 proto_reg_handoff_c1222(void)
 {
     static gboolean initialized = FALSE;
+    guint8 *temp = NULL;
 
     if( !initialized ) {
         c1222_handle = create_dissector_handle(dissect_c1222, proto_c1222);
@@ -1418,5 +1427,7 @@ proto_reg_handoff_c1222(void)
         dissector_add_uint("udp.port", global_c1222_port, c1222_udp_handle);
         initialized = TRUE;
     }
-    c1222_baseoid_len = oid_string2encoded(c1222_baseoid_str, &c1222_baseoid);
+    c1222_baseoid_len = oid_string2encoded(c1222_baseoid_str, &temp);
+    c1222_baseoid = (guint8 *)wmem_realloc(wmem_epan_scope(), c1222_baseoid, c1222_baseoid_len);
+    memcpy(c1222_baseoid, temp, c1222_baseoid_len);
 }
author	Evan Huus <eapache@gmail.com>	2013-10-10 16:18:49 +0000
committer	Evan Huus <eapache@gmail.com>	2013-10-10 16:18:49 +0000
commit	a50dee3286db96e5749e21bba6f9b4bab3fb6dfc (patch)
tree	e54c24449cd5d5269bc435678e22a19309d5b61c /asn1
parent	1370003beeecb819de990e215d65c02a8d7c3d92 (diff)