diff options
author | Ivan Nardi <nardi.ivan@gmail.com> | 2018-05-15 14:33:32 +0200 |
---|---|---|
committer | Pascal Quantin <pascal.quantin@gmail.com> | 2018-05-15 14:22:34 +0000 |
commit | 2db3db56bfd1ba38c5f42015622dbc8530ed05e9 (patch) | |
tree | d5d2b3a16f22fb3b57e6c96eb9602b06098a02c8 /epan | |
parent | 3ba56ce586dbad693f1865a7241d4cd1152cd761 (diff) |
umts_rlc, umts_mac: fix memory leaks (found via ASAN)
Such leaks are triggered by malformed packets
Change-Id: Ie392834b235cf9c5a249ede7fffb5a0dbdb360e5
Reviewed-on: https://code.wireshark.org/review/27556
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-umts_mac.c | 4 | ||||
-rw-r--r-- | epan/dissectors/packet-umts_rlc.c | 5 |
2 files changed, 4 insertions, 5 deletions
diff --git a/epan/dissectors/packet-umts_mac.c b/epan/dissectors/packet-umts_mac.c index e4128f9c1e..d18b5d8667 100644 --- a/epan/dissectors/packet-umts_mac.c +++ b/epan/dissectors/packet-umts_mac.c @@ -681,7 +681,7 @@ static void init_frag(tvbuff_t * tvb, body_parts * bp, guint length, guint offse mac_is_fragment * frag = wmem_new(wmem_file_scope(), mac_is_fragment); frag->type = type; frag->length = length; - frag->data = (guint8 *)g_malloc(length); + frag->data = (guint8 *)wmem_alloc(wmem_file_scope(), length); frag->frame_num = frame_num; frag->tsn = tsn; frag->next = NULL; @@ -711,7 +711,7 @@ static void mac_is_copy(mac_is_sdu * sdu, mac_is_fragment * frag, guint total_le memcpy(sdu->data+sdu->length, frag->data, frag->length); } sdu->length += frag->length; - g_free(frag->data); + wmem_free(wmem_file_scope(), frag->data); } /* diff --git a/epan/dissectors/packet-umts_rlc.c b/epan/dissectors/packet-umts_rlc.c index fec5c31445..a89c524379 100644 --- a/epan/dissectors/packet-umts_rlc.c +++ b/epan/dissectors/packet-umts_rlc.c @@ -470,8 +470,7 @@ rlc_frag_assign_data(struct rlc_frag *frag, tvbuff_t *tvb, guint16 offset, guint16 length) { frag->len = length; - frag->data = (guint8 *)g_malloc(length); - tvb_memcpy(tvb, frag->data, offset, length); + frag->data = (guint8 *)tvb_memdup(wmem_file_scope(), tvb, offset, length); return 0; } @@ -848,7 +847,7 @@ reassemble_data(struct rlc_channel *ch, struct rlc_sdu *sdu, struct rlc_frag *fr temp = sdu->frags; while (temp && ((offs + temp->len) <= sdu->len)) { memcpy(sdu->data + offs, temp->data, temp->len); - g_free(temp->data); + wmem_free(wmem_file_scope(), temp->data); temp->data = NULL; /* mark this fragment in reassembled table */ g_hash_table_insert(reassembled_table, temp, sdu); |