    extcap: fix use-after-free for preferences · 58315019
    Peter Wu authored
    In commit v2.3.0rc0-117-g485bc456 (backported to v2.2.0rc0-44-g66721ca),
    extcap_prefs_dynamic_vals and extcap_cleanup were added in an attempt to
    address dangling pointers.
    
    Unfortunately it is not sufficient:
    
     - A pointer to the preference value is stored in extcap_arg and passed
       to the prefs API, but this extcap_arg structure can become invalid,
       which results in a use-after-free whenever the preference is accessed.
     - On exit, a use-after-free occurs in prefs_cleanup when the preference
       value is being checked.
    
    As the preference subsystem actually manages the memory for the string
    value and consumers should only provide a pointer where the value can be
    stored, convert the char* field in extcap to char**. This has the
    additional benefit that values are not limited to 256 bytes anymore.
    
    extcap_cleanup is moved after epan_cleanup to ensure that prefs_cleanup
    does not operate on dangling pointers.
    
    Crash is reproducible under ASAN with: tshark -i randpkt
    
    Ping-Bug: 12183
    Change-Id: Ibf1ba1102a5633aa085dc278a12ffc05a4f4a34b
    Reviewed-on: https://code.wireshark.org/review/17631
    Petri-Dish: Peter Wu <peter@lekensteyn.nl>
    Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
    Reviewed-by: Roland Knall <rknall@gmail.com>
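
The ownership pattern the commit message describes, as an added C example that is not Wireshark's code: a toy preference registry owns the string, and the consumer hands it only a `char **` slot. The names `toy_prefs_*`, `toy_arg`, `value_slot` and `slot_store`, and the choice to keep the slots in long-lived storage, are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_PREFS 4
static char **pref_slots[MAX_PREFS]; /* registry records only WHERE each value lives */
static int pref_count;
static char *slot_store[MAX_PREFS];  /* assumption: slots outlive every toy_arg */
struct toy_arg { char **value_slot; }; /* char ** field, not an embedded buffer */

static char *dup_or_die(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (!p) abort();
    return strcpy(p, s);
}
/* The registry allocates and owns the string; the caller only supplies a slot. */
static void toy_prefs_register(char **slot, const char *def) {
    if (pref_count >= MAX_PREFS) abort();
    *slot = dup_or_die(def);
    pref_slots[pref_count++] = slot;
}
static void toy_prefs_set(int idx, const char *val) {
    free(*pref_slots[idx]);
    *pref_slots[idx] = dup_or_die(val); /* any length, no fixed-size copy */
}
static void toy_prefs_cleanup(void) {
    while (pref_count > 0) {
        char **slot = pref_slots[--pref_count];
        free(*slot);
        *slot = NULL;
    }
}
static struct toy_arg *toy_arg_new(int idx) {
    struct toy_arg *a = malloc(sizeof *a);
    if (!a) abort();
    a->value_slot = &slot_store[idx];
    return a;
}
/* Returns 1 when the value survives the argument struct being freed and rebuilt. */
int demo_arg_reload(void) {
    static const char longval[] = "a value well past what a small fixed buffer holds";
    struct toy_arg *a = toy_arg_new(0);
    toy_prefs_register(a->value_slot, "default");
    free(a);                  /* arg struct is gone; the registry's pointer is not */
    toy_prefs_set(0, longval);
    a = toy_arg_new(0);
    int ok = strcmp(*a->value_slot, longval) == 0;
    free(a);
    toy_prefs_cleanup();      /* values freed while the slots still exist */
    return ok && slot_store[0] == NULL;
}
int main(void) { return demo_arg_reload() ? 0 : 1; }
```

Building this with `-fsanitize=address` reports nothing, because the registry never holds a pointer into the freed `toy_arg`, and cleanup runs while the slot storage is still valid.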
extcap_parser.h 5.32 KB