1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
From 6fd3af5e999c71df67c2cdcefb96d0dc4afa5341 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Wed, 6 Mar 2024 20:40:42 -0500
Subject: [PATCH] t38: Allocate forced defragmented memory in correct scope
Fragment data can't be allocated in pinfo->pool scope, as it
outlives the frame. Set it to be freed when the associated tvb
is freed, as done in the main reassemble.c code.
Fix #19695
CVE: CVE-2024-2955
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/6fd3af5e999c71df67c2cdcefb96d0dc4afa5341]
Signed-off-by: Ashish Sharma <asharma@mvista.com>
epan/dissectors/asn1/t38/packet-t38-template.c | 3 ++-
epan/dissectors/packet-t38.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/epan/dissectors/asn1/t38/packet-t38-template.c b/epan/dissectors/asn1/t38/packet-t38-template.c
index 7b856626865..526b313d054 100644
--- a/epan/dissectors/asn1/t38/packet-t38-template.c
+++ b/epan/dissectors/asn1/t38/packet-t38-template.c
@@ -325,8 +325,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id)
last_fd=fd_i;
}
- data = (guint8 *) wmem_alloc(pinfo->pool, size);
+ data = (guint8 *) g_malloc(size);
fd_head->tvb_data = tvb_new_real_data(data, size, size);
+ tvb_set_free_cb(fd_head->tvb_data, g_free);
fd_head->len = size; /* record size for caller */
/* add all data fragments */
diff --git a/epan/dissectors/packet-t38.c b/epan/dissectors/packet-t38.c
index ca95ae8b64e..5083c936c5a 100644
--- a/epan/dissectors/packet-t38.c
+++ b/epan/dissectors/packet-t38.c
@@ -355,8 +355,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id)
last_fd=fd_i;
}
- data = (guint8 *) wmem_alloc(pinfo->pool, size);
+ data = (guint8 *) g_malloc(size);
fd_head->tvb_data = tvb_new_real_data(data, size, size);
+ tvb_set_free_cb(fd_head->tvb_data, g_free);
fd_head->len = size; /* record size for caller */
/* add all data fragments */
--
GitLab
|
