Wireshark-bugs: [Wireshark-bugs] [Bug 11740] Pointers to deallocated memory when redissecting
Comment # 2 on bug 11740 from Stig Bjørlykke
More details about one case with the memory access in packet_list_clear().
Pointers to data allocated in p_add_proto_data() for wmem_file_scope will be
stored in cf->edt->pi.fd->pfd. This data is deallocated in epan_free() but
nothing is done with the pointers (pfd). In
MainWindow::setMenusForSelectedTreeRow() we call this for all elements in
conv_filter_list:
enable = conv_filter->is_filter_valid(&capture_file_.capFile()->edt->pi);
which will in one of the cases enter here:
static gboolean
enip_io_conv_valid(packet_info *pinfo)
{
    enip_conn_val_t* conn =
        (enip_conn_val_t*)p_get_proto_data(wmem_file_scope(), pinfo, proto_enip,
                                           ENIP_CONNECTION_INFO);
and fetch data from the list of deallocated memory in p_get_proto_data() here:
item = g_slist_find_custom(pinfo->fd->pfd, (gpointer *)&temp, p_compare);
==52196==ERROR: AddressSanitizer: heap-use-after-free on address 0x000126e19170 at pc 0x000104ac23c3 bp 0x7fff5fbf5340 sp 0x7fff5fbf5338
READ of size 4 at 0x000126e19170 thread T0
    #0 0x104ac23c2 in p_compare frame_data.c:54
    #1 0x112f3e08b in g_slist_find_custom (/opt/local/lib/libglib-2.0.0.dylib+0x4608b)
    #2 0x104ac2220 in p_get_proto_data frame_data.c:107
    #3 0x102ed2127 in enip_io_conv_valid packet-enip.c:842
    #4 0x10056777e in MainWindow::setMenusForSelectedTreeRow(field_info*) main_window_slots.cpp:1269
    #5 0x10009451f in MainWindow::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) moc_main_window.cpp:1359
    #6 0x11287544b in QMetaObject::activate(QObject*, int, int, void**) (/opt/local/libexec/qt5/lib/QtCore.framework/Versions/5/QtCore+0x21544b)
    #7 0x1000ab613 in ProtoTree::protoItemSelected(field_info*) moc_proto_tree.cpp:257
    #8 0x10066984e in ProtoTree::updateSelectionStatus(QTreeWidgetItem*) proto_tree.cpp:413
    #9 0x10066898c in ProtoTree::clear() proto_tree.cpp:283
    #10 0x1005e036b in PacketList::clear() packet_list.cpp:791
    #11 0x1005e01b0 in packet_list_clear packet_list.cpp:159
    #12 0x10003146a in rescan_packets file.c:1632
    #13 0x100033c6e in cf_redissect_packets file.c:1493
    #14 0x10056ccda in MainWindow::redissectPackets() main_window_slots.cpp:1340
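As an added example that is not part of the bug report or of Wireshark's code, here is a minimal C model of the pattern described in the comment above (proto-data nodes allocated in a file scope, freed wholesale, then looked up through a frame's pfd pointer) together with a teardown that clears the dangling list heads before any lookup can walk freed memory. The types and function names are assumptions that only mimic the Wireshark ones named in the comment.

```c
/* Added example, not Wireshark code: a small model of the dangling
 * frame_data->pfd problem described above and one way to close it. All
 * type and function names are assumptions that only mimic Wireshark's. */
#include <stdlib.h>
/* File-scope allocator: blocks are tracked and freed all at once, the way
 * wmem_file_scope() memory is released by epan_free(). */
typedef struct block { void *mem; struct block *next; } block;
typedef struct { block *blocks; } scope;
/* Per-frame protocol data list, standing in for frame_data->pfd. */
typedef struct proto_data {
    int proto, key; void *value; struct proto_data *next;
} proto_data;
typedef struct { proto_data *pfd; } frame_data;

static void *scope_alloc(scope *s, size_t n) {
    block *b = malloc(sizeof *b);
    b->mem = calloc(1, n); b->next = s->blocks; s->blocks = b;
    return b->mem;
}
/* Frees the whole scope; like epan_free() it does not know which
 * frame_data structs still hold pointers into this memory. */
static void scope_free_all(scope *s) {
    while (s->blocks) {
        block *b = s->blocks; s->blocks = b->next; free(b->mem); free(b);
    }
}
static void p_add_proto_data(scope *s, frame_data *fd, int proto, int key, void *v) {
    proto_data *pd = scope_alloc(s, sizeof *pd);   /* node lives in file scope */
    pd->proto = proto; pd->key = key; pd->value = v; pd->next = fd->pfd;
    fd->pfd = pd;
}
static void *p_get_proto_data(const frame_data *fd, int proto, int key) {
    for (const proto_data *pd = fd->pfd; pd; pd = pd->next) /* UAF if pfd dangles */
        if (pd->proto == proto && pd->key == key) return pd->value;
    return NULL;
}
/* Mitigation: when the scope is freed, clear every frame's pfd head in the
 * same step, so a later lookup sees an empty list rather than freed nodes. */
static void redissect_teardown(scope *s, frame_data *frames, size_t n) {
    scope_free_all(s);
    for (size_t i = 0; i < n; i++) frames[i].pfd = NULL;
}
/* Returns 1 when data is found before teardown and safely absent after. */
int demo_safe_teardown(void) {
    scope s = {0}; frame_data frames[2] = {{0}, {0}}; int conn = 42;
    p_add_proto_data(&s, &frames[0], 1, 7, &conn);
    if (p_get_proto_data(&frames[0], 1, 7) != &conn) return 0;
    redissect_teardown(&s, frames, 2);
    return p_get_proto_data(&frames[0], 1, 7) == NULL;
}
```

Running the lookup after scope_free_all() without the pfd reset is exactly the read that AddressSanitizer flags in the trace above; building with -fsanitize=address makes the difference between the two orderings visible.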