From b1e0cb01b33d1e6798e5f3b2f649b2359874c622 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Sun, 13 May 2018 00:27:03 +0200
Subject: coap: fix use-after-free of "coinfo->ctype_str"

A use-after-free is possible through the following path:

// returns wmem_packet_scope() memory
coinfo->ctype_str = val_to_str(coinfo->ctype_value, vals_ctype, "Unknown Type %u");
// leaks packet scoped memory into conversation
coap_trans = wmem_new0(wmem_file_scope(), coap_transaction);
coap_trans->req_ctype_str = coinfo->ctype_str; // <-- oops
// next packet: use-after-free of packet scoped memory
coinfo->ctype_str = coap_trans->req_ctype_str;

This could be fixed by duplicating "ctype_str" with wmem_file_scope, but since all "ctype_str" strings are constant, make the problematic "ctype_str" assignment also constant for unknown types (the numeric type is also stored in "ctype_value" if necessary).

Change-Id: I6249e076fa282bbe0982b8c709788e27f6fdf86e
Fixes: v2.9.0rc0-317-g46fcf452ac ("coap: Store ctype values in transaction tracking")
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8196
Reviewed-on: https://code.wireshark.org/review/27477
Petri-Dish: Peter Wu
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman
---
 epan/dissectors/packet-coap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/epan/dissectors/packet-coap.c b/epan/dissectors/packet-coap.c
index aa404ae0b4..ae08aba66c 100644
--- a/epan/dissectors/packet-coap.c
+++ b/epan/dissectors/packet-coap.c
@@ -574,7 +574,7 @@ dissect_coap_opt_ctype(tvbuff_t *tvb, proto_item *head_item, proto_tree *subtree
 coinfo->ctype_value = coap_get_opt_uint(tvb, offset, opt_length);
 }
- coinfo->ctype_str = val_to_str(coinfo->ctype_value, vals_ctype, "Unknown Type %u");
+ coinfo->ctype_str = val_to_str_const(coinfo->ctype_value, vals_ctype, "Unknown Type");
 proto_tree_add_string(subtree, hf, tvb, offset, opt_length, coinfo->ctype_str);
--
cgit v1.2.3
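Review bot: The added `val_to_str_const` line is correct only because its result outlives the packet, which is exactly the invariant the commit message says `coap_transaction` depends on, yet nothing at the assignment records that constraint, so a later switch back to `val_to_str` or any other `wmem_packet_scope()` string would silently reintroduce the use-after-free. I would add a comment directly above the assignment: `/* Must stay a constant string: it is copied into coap_transaction (file scope), so packet-scoped memory would dangle on the next packet. */`. Note also the user-visible effect that unknown content types are now rendered as a bare "Unknown Type" without the numeric value; the message accepts this because the number remains in `ctype_value`, but if the number matters for display, the `proto_tree_add_string` call could format a packet-scoped string for display only while `ctype_str` itself stays constant. The enclosing function `dissect_coap_opt_ctype` starts and ends outside the hunk.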