Wireshark-commits: [Wireshark-commits] master-2.4 5f7ba27: wsutil: fix crash due to corruption of t
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Wed, 02 Jan 2019 11:55:19 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5f7ba271eccca43b7ef6663f4c8960556f84676c
Submitter: "Peter Wu <peter@xxxxxxxxxxxxx>"
Changed: branch: master-2.4
Repository: wireshark

Commits:

5f7ba27 by Peter Wu (peter@xxxxxxxxxxxxx):

    wsutil: fix crash due to corruption of the "small_buffers" array
    
    Gracefully handle repeated calls of ws_buffer_free on the same buffer to
    avoid strange crashes in other new users that allocate a "small" buffer.
    
    The first call to ws_buffer_free would store data pointer in the
    'small_buffers' array for reuse and set the pointer to NULL. Result:
    
        (gdb) p cfile.rec.options_buf
        $2 = {
          data = 0x0,
          allocated = 2048,     // Oops, not modified!
          start = 0,
          first_free = 0
        }
    
    All users of Buffer (including ws_buffer_free) however asssume that
    'allocated' reflects the actual size of 'data'. If this is not the case
    (if ws_buffer_free is called again), then a data pointer (NULL!) will be
    stored and the next ws_buffer_init request for a "small buffer" will
    result in unexpected behavior (including crashes).
    
    Fix the issue by clearing the 'allocated' field as well. Add assertions
    to catch such issues earlier rather than crashing at random users of
    these buffers (such as frame_tvbuff).
    
    Bug: 15263
    Change-Id: I0b491c3fccac8c6fddd43779629343d721638ca9
    Reviewed-on: https://code.wireshark.org/review/31278
    Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
    (cherry picked from commit ae2a75233cec4e1286964963e6ac4ba936322cb1)
    Reviewed-on: https://code.wireshark.org/review/31302
    Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
    

Actions performed:

    from  cf10756   Happy New Year 2019!
     add  5f7ba27   wsutil: fix crash due to corruption of the "small_buffers" array


Summary of changes:
 wsutil/buffer.c | 3 +++
 1 file changed, 3 insertions(+)