authorGerald Combs <gerald@wireshark.org>2012-08-09 00:32:22 +0000
committerGerald Combs <gerald@wireshark.org>2012-08-09 00:32:22 +0000
commit86f13eb1e555c564a7ba628d5abd01a9c9c1a1d3 (patch)
tree584159b8140f7065597da7c6bd7f4b4c975b79bc
parent73abbb663c5cdcbc25d13caa71b1dd9fde29bcbe (diff)
Copy over r44366 from the trunk:
------------------------------------------------------------------------ r44366 | gerald | 2012-08-08 17:20:18 -0700 (Wed, 08 Aug 2012) | 4 lines Changed paths: M /trunk/epan/dissectors/packet-stun.c se_tree_lookup32_array() can destroy its key. Make sure we refresh it before passing it to se_tree_insert32_array(). Fixes bug 7569 reported by Laurent Butti. ------------------------------------------------------------------------ Update the release notes. svn path=/trunk-1.4/; revision=44369
-rw-r--r--docbook/release-notes.xml19
-rw-r--r--epan/dissectors/packet-stun.c6
2 files changed, 25 insertions, 0 deletions
diff --git a/docbook/release-notes.xml b/docbook/release-notes.xml
index 3a4b042fd0..e20e449337 100644
--- a/docbook/release-notes.xml
+++ b/docbook/release-notes.xml
@@ -131,6 +131,25 @@ Wireshark Info
</para> -->
</listitem>
+ <listitem>
+ <para>
+ <ulink url="http://www.wireshark.org/security/wnpa-sec-2012-21.html">wnpa-sec-2012-21</ulink>
+ </para>
+ <para>
+ The STUN dissector could crash. Reported by Laurent Butti.
+ <!-- Fixed in trunk: r44366 -->
+ <!-- Fixed in trunk-1.8: r44367 -->
+ <!-- Fixed in trunk-1.6: r44368 -->
+ <!-- Fixed in trunk-1.4: r44369 -->
+ (<ulink url="https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7569">Bug
+ 7569</ulink>)
+ </para>
+ <para>Versions affected: 1.4.0 to 1.4.14, 1.6.0 to 1.6.9, 1.8.0 to 1.8.1.</para>
+ <!-- <para>
+ <ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-????">CVE-2012-????</ulink>
+ </para> -->
+ </listitem>
+
</itemizedlist>
</para>
diff --git a/epan/dissectors/packet-stun.c b/epan/dissectors/packet-stun.c
index 49cde99273..679e8b3516 100644
--- a/epan/dissectors/packet-stun.c
+++ b/epan/dissectors/packet-stun.c
@@ -508,6 +508,12 @@ dissect_stun_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
if ((stun_trans =
se_tree_lookup32_array(stun_info->transaction_pdus,
transaction_id_key)) == NULL) {
+
+ transaction_id_key[0].length = 3;
+ transaction_id_key[0].key = transaction_id;
+ transaction_id_key[1].length = 0;
+ transaction_id_key[1].key = NULL;
+
stun_trans=se_alloc(sizeof(stun_transaction_t));
stun_trans->req_frame=0;
stun_trans->rep_frame=0;
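Review bot: The re-initialisation of `transaction_id_key` added inside the `== NULL` branch carries no comment saying why it is needed, so it reads as a redundant copy of the earlier setup and could be dropped in a later cleanup, which would bring back the crash this commit fixes. I would put `/* se_tree_lookup32_array() may modify the key array; rebuild it before se_tree_insert32_array() */` directly above the four assignments. The literal `3` must also stay in step with the size of `transaction_id`, which is declared outside this hunk; if it is an array in scope, `sizeof transaction_id / sizeof transaction_id[0]` or a single shared initialisation helper would keep the two copies from drifting apart. The body of dissect_stun_message continues outside the hunk, so any other use of the key after the lookup (for example on the non-NULL path) should be checked in the same way.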