Wireshark-commits: [Wireshark-commits] master d08a53a: Q.931: fix use-after-free (write) of "q931_p
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d08a53a7b9ebf723816f224897c68aa652589050
Submitter: Anders Broman (a.broman58@xxxxxxxxx)
Changed: branch: master
Repository: wireshark
Commits:
d08a53a by Peter Wu (peter@xxxxxxxxxxxxx):
Q.931: fix use-after-free (write) of "q931_pi"
The dissect_q931_number_ie (and indirectly dissect_q931_cause_ie_unsafe)
write to the "q931_pi" structure which seems private to the q931
dissector, but can in fact be called through other dissectors (isup) as
well. Normally this structure is initialized in "dissect_q931_pdu" and
invalidated at the end of the function, but a malformed packet can
prevent the cleanup. In the next packet, a different dissector can thus
trigger a use-after-free via "dissect_q931_number_ie".
Rename "dissect_q931_cause_ie_unsafe" since "unsafe" meant that external
dissectors could not call it directly (see commit a83a87e9ca).
Based on commit 197ceddab109, it seems that the intended purpose of the
structure is to provide information to the VoIP Calls dialog, but it
would only be used when called through dissect_q931_pdu. Dissectors like
isup have their own routines to provide call information, but as a
side-effect of code sharing the problematic code path was reached.
Bug: 14689
Change-Id: I871525db560f24690ade9a0b944c6d0e655ed34b
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6711
Reviewed-on: https://code.wireshark.org/review/27495
Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
Actions performed:
from 52f4a2c mac-nr: check that control elements happen in the appropriate place
adds d08a53a Q.931: fix use-after-free (write) of "q931_pi"
Summary of changes:
epan/dissectors/packet-q931.c | 60 +++++++++++++++++++------------------------
1 file changed, 27 insertions(+), 33 deletions(-)
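A minimal C model of the lifecycle the commit message describes, added here as an example (it is not code from packet-q931.c or from this commit): a file-level pointer to packet-scoped memory, cleanup skipped when a malformed packet aborts dissection, and a different dissector reaching the shared helper in the next frame. The names q931_pi, dissect_q931_number_ie and dissect_q931_pdu come from the commit message; the structure fields, the isup entry point and the shape of the fixed helper (the PDU path passes its structure explicitly, other dissectors pass a null pointer) are assumptions.

```c
/* Stand-in for q931's per-packet call-info structure; the name q931_pi is
 * from the commit message, the fields and everything below are constructed. */
typedef struct { unsigned number; int live; } q931_packet_info;
static q931_packet_info q931_pi_storage;   /* models packet-scoped memory */
static q931_packet_info *q931_pi = 0;      /* file-level pointer into it */
static int stale_writes = 0;               /* writes through a dead pointer */

/* The block is flagged dead, not freed, so a stale write is counted instead
 * of being undefined behaviour; in Wireshark this is the real use-after-free. */
static void pi_write(q931_packet_info *pi, unsigned number) {
    if (!pi->live) stale_writes++;
    pi->number = number;
}

/* Shared helper before the fix: writes to q931_pi whoever the caller is. */
static void dissect_q931_number_ie_old(unsigned number) {
    if (q931_pi) pi_write(q931_pi, number);
}

/* Fixed helper (assumed shape): only the q931 PDU path passes a structure;
 * other entry points such as isup pass a null pointer and nothing is written. */
static void dissect_q931_number_ie_new(q931_packet_info *pi, unsigned number) {
    if (pi) pi_write(pi, number);
}

/* q931 PDU entry: set up q931_pi, dissect, invalidate at the end. A malformed
 * packet aborts early (an exception in Wireshark), so q931_pi is left dangling. */
static void dissect_q931_pdu(unsigned number, int malformed, int fixed) {
    q931_pi = &q931_pi_storage; q931_pi->live = 1;
    if (fixed) dissect_q931_number_ie_new(q931_pi, number);
    else       dissect_q931_number_ie_old(number);
    if (malformed) return;                  /* cleanup below never runs */
    q931_pi = 0;
}

/* Another dissector (isup) reaching the shared helper on its own packet. */
static void dissect_isup_number(unsigned number, int fixed) {
    if (fixed) dissect_q931_number_ie_new(0, number);
    else       dissect_q931_number_ie_old(number);
}

/* Replays the two-packet sequence from the commit message; returns the
 * number of writes through a dead q931_pi (0 means the path is safe). */
int run_sequence(int fixed) {
    stale_writes = 0; q931_pi = 0;
    dissect_q931_pdu(5551234u, 1, fixed);   /* constructed malformed frame */
    q931_pi_storage.live = 0;               /* framework frees packet scope */
    dissect_isup_number(5559876u, fixed);   /* constructed isup frame */
    return stale_writes;
}
```

With the pre-fix helper the replay records one write through the dead structure; with the fixed helper it records none.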