From 6fd3af5e999c71df67c2cdcefb96d0dc4afa5341 Mon Sep 17 00:00:00 2001
From: John Thacker
Date: Wed, 6 Mar 2024 20:40:42 -0500
Subject: [PATCH] t38: Allocate forced defragmented memory in correct scope
Fragment data can't be allocated in pinfo->pool scope, as it outlives the frame. Set it to be freed when the associated tvb is freed, as done in the main reassemble.c code.
Fix #19695
CVE: CVE-2024-2955
Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/6fd3af5e999c71df67c2cdcefb96d0dc4afa5341]
Signed-off-by: Ashish Sharma
epan/dissectors/asn1/t38/packet-t38-template.c | 3 ++-
epan/dissectors/packet-t38.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/epan/dissectors/asn1/t38/packet-t38-template.c b/epan/dissectors/asn1/t38/packet-t38-template.c
index 7b856626865..526b313d054 100644
--- a/epan/dissectors/asn1/t38/packet-t38-template.c
+++ b/epan/dissectors/asn1/t38/packet-t38-template.c
@@ -325,8 +325,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id)
 last_fd=fd_i;
 }
- data = (guint8 *) wmem_alloc(pinfo->pool, size);
+ data = (guint8 *) g_malloc(size);
 fd_head->tvb_data = tvb_new_real_data(data, size, size);
+ tvb_set_free_cb(fd_head->tvb_data, g_free);
 fd_head->len = size; /* record size for caller */
 /* add all data fragments */
diff --git a/epan/dissectors/packet-t38.c b/epan/dissectors/packet-t38.c
index ca95ae8b64e..5083c936c5a 100644
--- a/epan/dissectors/packet-t38.c
+++ b/epan/dissectors/packet-t38.c
@@ -355,8 +355,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id)
 last_fd=fd_i;
 }
- data = (guint8 *) wmem_alloc(pinfo->pool, size);
+ data = (guint8 *) g_malloc(size);
 fd_head->tvb_data = tvb_new_real_data(data, size, size);
+ tvb_set_free_cb(fd_head->tvb_data, g_free);
 fd_head->len = size; /* record size for caller */
 /* add all data fragments */
--
GitLab
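Review bot: The new allocation `data = (guint8 *) g_malloc(size);` in the `packet-t38-template.c` hunk has no comment saying why the buffer must not come from `pinfo->pool`, so the lifetime rule this fix restores is recorded only in the commit message. A comment above it, such as `/* Heap, not pinfo->pool: the reassembled tvb outlives this frame; g_free runs from the tvb free callback. */`, would stop a later cleanup from moving the buffer back to packet scope and leaving `fd_head->tvb_data` pointing at freed memory. The same comment applies to the identical lines in the `epan/dissectors/packet-t38.c` hunk. The body of `force_reassemble_seq` starts and ends outside the hunk, so it is worth confirming in the full function that `fd_head->tvb_data` cannot already hold a tvb here, since this assignment would overwrite it without freeing it.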