Wireshark-commits: [Wireshark-commits] master a8b6820: packet: duplicate short_name to fix UAF in w
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a8b68205a448688c5ad9d29379eab55065fcffd1
Submitter: Peter Wu (peter@xxxxxxxxxxxxx)
Changed: branch: master
Repository: wireshark
Commits:
a8b6820 by Peter Wu (peter@xxxxxxxxxxxxx):
packet: duplicate short_name to fix UAF in wslua
The "short_name" parameter of heur_dissector_add is defined as const
(and was assumed to be a string literal). This was no longer the case
though since a change in Lua where "short_name" is a dynamically
allocated string.
This "simple" fix clones the memory for internal use to avoid a
heap-use-after-free when heur_dissector_delete tries to access
"short_name".
An alternative option is to make Proto_register_heuristic track the
memory, but since there are multiple possible heuristics lists for a
protocol, the Proto (struct _wslua_field_t) structure is not
appropriate. A possible working alternative is to store the string into
lua_heur_dissectors_table_ref (replacing the value (function) by a tuple
{function,short_name}).
Change-Id: I6c6b393f4d304dd847e864da6ad17b54c8cd80e2
Fixes: v2.3.0rc0-1474-g7f2a838922 ("lua: Allow proto:register_heuristic to be used on multiple list names")
Reviewed-on: https://code.wireshark.org/review/19365
Petri-Dish: Michael Mann <mmann78@xxxxxxxxxxxx>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@xxxxxxxxxxxxx>
Reviewed-by: Franklin Mathieu <snaipe@xxxxxxxxxxxx>
Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
Actions performed:
from 92cd2c3 X-Rite i1 Display Pro USB protocol dissector.
adds a8b6820 packet: duplicate short_name to fix UAF in wslua
Summary of changes:
epan/packet.c | 7 ++++---
epan/packet.h | 2 +-
2 files changed, 5 insertions(+), 4 deletions(-)
