extcap: fix use-after-free for preferences
authorPeter Wu <peter@lekensteyn.nl>
Sat, 10 Sep 2016 23:16:24 +0000 (01:16 +0200)
committerRoland Knall <rknall@gmail.com>
Sun, 11 Sep 2016 08:33:42 +0000 (08:33 +0000)
commit583150198b78c84d043455b0afcca58a9659eab3
treee3ec231548eaf1b8a2de10ff75bf218d7f17169b
parentb82695d9976ebed00f34bfc45f0358db095e0670
extcap: fix use-after-free for preferences

In commit v2.3.0rc0-117-g485bc45 (backported to v2.2.0rc0-44-g66721ca),
extcap_prefs_dynamic_vals and extcap_cleanup were added in an attempt to
address dangling pointers.

Unfortunately it is not sufficient:

 - A pointer to the preference value is stored in extcap_arg and passed
   to the prefs API, but this extcap_arg structure can become invalid
   which result in use-after-free whenever the preference is accessed.
 - On exit, a use-after-free occurs in prefs_cleanup when the preference
   value is being checked.

As the preference subsystem actually manages the memory for the string
value and consumers should only provide a pointer where the value can be
stored, convert the char* field in extcap to char**. This has as
additional benefit that values are not limited to 256 bytes anymore.

extcap_cleanup is moved after epan_cleanup to ensure that prefs_cleanup
does not operate on dangling pointers.

Crash is reproducible under ASAN with: tshark -i randpkt

Ping-Bug: 12183
Change-Id: Ibf1ba1102a5633aa085dc278a12ffc05a4f4a34b
Reviewed-on: https://code.wireshark.org/review/17631
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Roland Knall <rknall@gmail.com>
extcap.c
extcap.h
extcap_parser.h
rawshark.c
tfshark.c
tshark.c
ui/gtk/main.c
ui/qt/extcap_argument.cpp
ui/qt/extcap_argument_file.cpp
wireshark-qt.cpp