From 3c8be14c827f1587da3c2b3bb0d9c04faff57413 Mon Sep 17 00:00:00 2001
From: John Thacker
Date: Sun, 19 Mar 2023 15:16:39 -0400
Subject: [PATCH] RPCoRDMA: Frame end cleanup for global write offsets

Add a frame end routine for a global which is assigned to packet scoped memory. It really should be made proto data, but is used in a function in the header (that doesn't take the packet info struct as an argument) and this fix needs to be made in stable branches.
Fix #18852
Upstream-Status: Backport [https://gitlab.com/colin.mcinnes/wireshark/-/commit/3c8be14c827f1587da3c2b3bb0d9c04faff5741]
CVE: CVE-2023-1992
Signed-off-by: Vivek Kumbhar
---
 epan/dissectors/packet-rpcrdma.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c
index 76085c7..9d57bae 100644
--- a/epan/dissectors/packet-rpcrdma.c
+++ b/epan/dissectors/packet-rpcrdma.c
@@ -24,6 +24,7 @@
 #include
 #include "packet-rpcrdma.h"
+#include "packet-frame.h"
 #include "packet-infiniband.h"
 #include "packet-iwarp-ddp-rdmap.h"
@@ -270,6 +271,18 @@ void rpcrdma_insert_offset(gint offset)
 wmem_array_append_one(gp_rdma_write_offsets, offset);
 }
+/*
+ * Reset the array of write offsets at the end of the frame. These
+ * are packet scoped, so they don't need to be freed, but we want
+ * to ensure that the global doesn't point to no longer allocated
+ * memory in a later packet.
+ */
+static void
+reset_write_offsets(void)
+{
+ gp_rdma_write_offsets = NULL;
+}
+
 /* Get conversation state, it is created if it does not exist */
 static rdma_conv_info_t *get_rdma_conv_info(packet_info *pinfo)
 {
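Review bot: `rpcrdma_insert_offset()` (context at the top of the second hunk) still ends in `wmem_array_append_one(gp_rdma_write_offsets, offset);` with no NULL check visible, and with `reset_write_offsets()` the global is now NULL between frames. That is a much better failure mode than the stale packet-scoped pointer this patch removes, but unless callers are already gated elsewhere (the function starts outside the hunk, so this cannot be confirmed here), a guard such as `if (gp_rdma_write_offsets == NULL) return;` before the append would make the helper safe on its own. The new comment could also record the commit message's caveat that this state should eventually become proto data, so the global is not mistaken for the intended design.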
@@ -1392,6 +1405,7 @@ dissect_rpcrdma(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data
 if (write_size > 0 && !pinfo->fd->visited) {
 /* Initialize array of write chunk offsets */
 gp_rdma_write_offsets = wmem_array_new(wmem_packet_scope(), sizeof(gint));
+ register_frame_end_routine(pinfo, reset_write_offsets);
 TRY {
 /*
 * Call the upper layer dissector to get a list of offsets
-- 
2.40.1
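Review bot: The placement of `register_frame_end_routine(pinfo, reset_write_offsets);` before `TRY {` deserves a one-line comment, because the ordering is presumably what lets the global be cleared even when the upper-layer dissector throws. Something like `/* Registered before TRY so the global is reset at frame end even if the sub-dissector throws */` would do, assuming frame end routines still run after an exception (that code is not part of this hunk). It is also worth confirming that this is the only assignment to `gp_rdma_write_offsets`; any other site that points it at packet-scoped memory would need the same registration. The enclosing function and the TRY block continue outside the hunk.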