Use the pinfo pool for adding data sources in the h245 dissector. The…

… packet pool is freed before the packet is displayed or otherwise processed, so adding data sources from it leads to use-after-free errors. Not sure why this wasn't showing up in the fuzz-bot valgrind step, there are lots of h245 captures in the menagerie... svn path=/trunk/; revision=50897
CTSRD-SOAAP · Jul 25, 2013 · 8441fff · 8441fff
1 parent a05f55b
commit 8441fff
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 10 deletions.
diff --git a/asn1/h245/h245.cnf b/asn1/h245/h245.cnf
@@ -775,7 +775,7 @@ if (h245_pi != NULL)
 %(DEFAULT_BODY)s
   gefx = gef_ctx_get(actx->private_data);
   if (gefx) {
-    buf = wmem_new(wmem_packet_scope(), guint8);
+    buf = wmem_new(actx->pinfo->pool, guint8);
     buf[0] = value;
     value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint8), sizeof(guint8));
     /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %%s", gefx->key);*/
@@ -792,7 +792,7 @@ if (h245_pi != NULL)
 %(DEFAULT_BODY)s
   gefx = gef_ctx_get(actx->private_data);
   if (gefx) {
-    buf = (guint8 *)wmem_new(wmem_packet_scope(), guint16);
+    buf = (guint8 *)wmem_new(actx->pinfo->pool, guint16);
     phtons(buf, value);
     value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint16), sizeof(guint16));
     /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %%s", gefx->key);*/
@@ -809,7 +809,7 @@ if (h245_pi != NULL)
 %(DEFAULT_BODY)s
   gefx = gef_ctx_get(actx->private_data);
   if (gefx) {
-    buf = (guint8 *)wmem_new(wmem_packet_scope(), guint16);
+    buf = (guint8 *)wmem_new(actx->pinfo->pool, guint16);
     phtons(buf, value);
     value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint16), sizeof(guint16));
     /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %%s", gefx->key);*/
@@ -826,7 +826,7 @@ if (h245_pi != NULL)
 %(DEFAULT_BODY)s
   gefx = gef_ctx_get(actx->private_data);
   if (gefx) {
-    buf = (guint8 *)wmem_new(wmem_packet_scope(), guint32);
+    buf = (guint8 *)wmem_new(actx->pinfo->pool, guint32);
     phtonl(buf, value);
     value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint32), sizeof(guint32));
     /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %%s", gefx->key);*/
@@ -843,7 +843,7 @@ if (h245_pi != NULL)
 %(DEFAULT_BODY)s
   gefx = gef_ctx_get(actx->private_data);
   if (gefx) {
-    buf = (guint8 *)wmem_new(wmem_packet_scope(), guint32);
+    buf = (guint8 *)wmem_new(actx->pinfo->pool, guint32);
     phtonl(buf, value);
     value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint32), sizeof(guint32));
     /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %%s", gefx->key);*/

diff --git a/epan/dissectors/packet-h245.c b/epan/dissectors/packet-h245.c
@@ -3709,7 +3709,7 @@ dissect_h245_T_booleanArray(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx
 
   gefx = gef_ctx_get(actx->private_data);
   if (gefx) {
-    buf = wmem_new(wmem_packet_scope(), guint8);
+    buf = wmem_new(actx->pinfo->pool, guint8);
     buf[0] = value;
     value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint8), sizeof(guint8));
     /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %s", gefx->key);*/
@@ -3736,7 +3736,7 @@ dissect_h245_T_unsignedMin(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _
 
   gefx = gef_ctx_get(actx->private_data);
   if (gefx) {
-    buf = (guint8 *)wmem_new(wmem_packet_scope(), guint16);
+    buf = (guint8 *)wmem_new(actx->pinfo->pool, guint16);
     phtons(buf, value);
     value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint16), sizeof(guint16));
     /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %s", gefx->key);*/
@@ -3763,7 +3763,7 @@ dissect_h245_T_unsignedMax(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _
 
   gefx = gef_ctx_get(actx->private_data);
   if (gefx) {
-    buf = (guint8 *)wmem_new(wmem_packet_scope(), guint16);
+    buf = (guint8 *)wmem_new(actx->pinfo->pool, guint16);
     phtons(buf, value);
     value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint16), sizeof(guint16));
     /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %s", gefx->key);*/
@@ -3790,7 +3790,7 @@ dissect_h245_T_unsigned32Min(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx
 
   gefx = gef_ctx_get(actx->private_data);
   if (gefx) {
-    buf = (guint8 *)wmem_new(wmem_packet_scope(), guint32);
+    buf = (guint8 *)wmem_new(actx->pinfo->pool, guint32);
     phtonl(buf, value);
     value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint32), sizeof(guint32));
     /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %s", gefx->key);*/
@@ -3817,7 +3817,7 @@ dissect_h245_T_unsigned32Max(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx
 
   gefx = gef_ctx_get(actx->private_data);
   if (gefx) {
-    buf = (guint8 *)wmem_new(wmem_packet_scope(), guint32);
+    buf = (guint8 *)wmem_new(actx->pinfo->pool, guint32);
     phtonl(buf, value);
     value_tvb = tvb_new_child_real_data(tvb, buf, sizeof(guint32), sizeof(guint32));
     /* DEBUG */ /*proto_tree_add_text(tree, tvb, offset>>3, 0, "*** DEBUG dissector_try_string: %s", gefx->key);*/