author | Jeff Morriss <jeff.morriss.ws@gmail.com> | 2013-05-17 14:38:36 +0000 |
---|---|---|
committer | Jeff Morriss <jeff.morriss.ws@gmail.com> | 2013-05-17 14:38:36 +0000 |
commit | 86744b65da543c08a35fc0df01264106696fb2b8 (patch) | |
tree | 09146aa722e7ee9e3dbf49c08da372e58f94da4e /epan | |
parent | 5c56d95afee1d00ad8a9daa3f022e9de01bf46ba (diff) |
As suggested by Jakub: don't ep_alloc buffers for TVBs, use g_malloc()'d
memory with tvb-free-callback.
Fixes one of the "read after free" warnings from Valgrind reported in
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8197 and the one reported
in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8653
svn path=/trunk/; revision=49379
Diffstat (limited to 'epan')
-rw-r--r-- | epan/tvbuff.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/epan/tvbuff.c b/epan/tvbuff.c
index ca37e19f07..29799e5017 100644
--- a/epan/tvbuff.c
+++ b/epan/tvbuff.c
@@ -554,7 +554,6 @@ tvb_new_octet_aligned(tvbuff_t *tvb, guint32 bit_offset, gint32 no_of_bits)
 }
 DISSECTOR_ASSERT(datalen>0);
- buf = (guint8 *)ep_alloc0(datalen);
 /* if at least one trailing byte is available, we must use the content
 * of that byte for the last shift (i.e. tvb_get_ptr() must use datalen + 1
@@ -563,11 +562,19 @@ tvb_new_octet_aligned(tvbuff_t *tvb, guint32 bit_offset, gint32 no_of_bits)
 */
 if (tvb_length_remaining(tvb, byte_offset) > datalen) {
 data = tvb_get_ptr(tvb, byte_offset, datalen + 1);
+
+ /* Do this allocation AFTER tvb_get_ptr() (which could throw an exception) */
+ buf = (guint8 *)g_malloc(datalen);
+
 /* shift tvb data bit_offset bits to the left */
 for (i = 0; i < datalen; i++)
 buf[i] = (data[i] << left) | (data[i+1] >> right);
 } else {
 data = tvb_get_ptr(tvb, byte_offset, datalen);
+
+ /* Do this allocation AFTER tvb_get_ptr() (which could throw an exception) */
+ buf = (guint8 *)g_malloc(datalen);
+
 /* shift tvb data bit_offset bits to the left */
 for (i = 0; i < (datalen-1); i++)
 buf[i] = (data[i] << left) | (data[i+1] >> right);
@@ -576,6 +583,7 @@ tvb_new_octet_aligned(tvbuff_t *tvb, guint32 bit_offset, gint32 no_of_bits)
 buf[datalen-1] &= left_aligned_bitmask[remaining_bits];
 sub_tvb = tvb_new_child_real_data(tvb, buf, datalen, datalen);
+ tvb_set_free_cb(sub_tvb, g_free);
 return sub_tvb;
 } |
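Review bot: Replacing the zero-filling `ep_alloc0(datalen)` with `g_malloc(datalen)` leaves `buf` uninitialised, and in the `else` branch the visible loop writes only indices 0 to `datalen-2`. The store to `buf[datalen-1]` would have to be in the lines elided between this hunk and the next, so please confirm it happens before the later `buf[datalen-1] &= left_aligned_bitmask[remaining_bits];` reads it. If it does not, stale heap bytes would reach the dissected data through the new tvb. Using `buf = (guint8 *)g_malloc0(datalen);` in both branches would keep the previous zero-fill guarantee at negligible cost. The function body starts before this hunk and continues after it.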
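Review bot: Ownership of `buf` passes to `sub_tvb` only at the added `tvb_set_free_cb(sub_tvb, g_free);`, so an exception raised by `tvb_new_child_real_data()` on the line before would leak the g_malloc'd buffer. Whether that call can throw for these arguments is not visible here, so it is worth confirming. I would also record the transfer in a comment such as `/* sub_tvb owns buf from here on; it is g_free()'d when the tvb is freed */`, so that a later edit does not free or reuse `buf` after this point. The function begins outside this hunk.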