authorPeter Wu <peter@lekensteyn.nl>2018-09-29 13:14:18 +0200
committerAnders Broman <a.broman58@gmail.com>2018-10-01 10:55:55 +0000
commit2359523b1a8d7df74e456c6d8a1b047a7e53c512 (patch)
tree1ac639f5e69af318105dd45d0d18904f7fcd85ab /wiretap/wtap.c
parent4a45ff261488604bbaaca7441294764c99d33ed5 (diff)
wtap: fix regression in wtap_read_packet_bytes
The "first_free" pointer is currently only increased by ws_buffer_increase_length (unused) and ws_buffer_append (for writes). Reading into the buffer should not reduce the available space. Otherwise the next wtap_read_packet_bytes call will reallocate the buffer. This reallocation is unexpected by some users of cf_read_record and results in a use-after-free crash following these steps: 1. Open packet capture. 2. Ignore packet. 3. Open context menu, twice. This crashes because the ByteViewText class points to the buffer which is reallocated after calling PacketList::getFilterFromRowAndColumn. Change-Id: I4f1264a406a28c79491dcd77c552193bf3cdf62d Fixes: v2.9.0rc0-2001-g123bcb0362 ("Make systemd journal entries events.") Reviewed-on: https://code.wireshark.org/review/29915 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'wiretap/wtap.c')
-rw-r--r--wiretap/wtap.c8
1 files changed, 2 insertions, 6 deletions
diff --git a/wiretap/wtap.c b/wiretap/wtap.c
index bac88d8be2..1944c4ce11 100644
--- a/wiretap/wtap.c
+++ b/wiretap/wtap.c
@@ -1366,12 +1366,8 @@ wtap_read_packet_bytes(FILE_T fh, Buffer *buf, guint length, int *err,
gchar **err_info)
{
ws_buffer_assure_space(buf, length);
- if (wtap_read_bytes(fh, ws_buffer_start_ptr(buf), length, err,
- err_info)) {
- ws_buffer_increase_length(buf, length);
- return TRUE;
- }
- return FALSE;
+ return wtap_read_bytes(fh, ws_buffer_start_ptr(buf), length, err,
+ err_info);
}
/*
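Review bot: The reason `first_free` is deliberately left untouched after the read is not recorded in the code, so the removed `ws_buffer_increase_length(buf, length)` call could be reintroduced later as an apparent fix; a comment above the `return wtap_read_bytes(...)` line would prevent that, e.g. `/* Read in place without advancing first_free: growing the used length would make the next call reallocate and invalidate pointers callers hold into buf. */`. The comment should also say that the buffer's recorded length is not updated here, so callers must take the byte count from `length` rather than from the buffer. Separately, `ws_buffer_assure_space(buf, length)` presumably can still reallocate when a later read asks for more than is currently allocated, so a consumer that keeps a pointer from `ws_buffer_start_ptr(buf)` across reads (the ByteViewText case in the description) looks protected only when the re-read is no larger than the existing allocation; that is worth confirming against the callers. The function's signature starts above the hunk.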