wireshark/fix-hash-table-key-memory-corruption.patch

From bbc327f73b2afb1d21c138d9e838c671e2378ab8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomasz=20Mo=C5=84?= <desowin@gmail.com>
Date: Sun, 25 Aug 2019 20:28:47 +0200
Subject: [PATCH] NFS: Fix hash table key memory corruption
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the same (as determined by key_equal_func) key gets added to the
GHashTable, old value gets freed and replaced with the new one. This is
fine for hash tables where the key validity is not tightly coupled to
the actual data.

In the nfs_name_snoop_matched hash table the key becomes invalid once
the value gets destroyed (because it shares the data pointed to by fh,
which gets freed once the value is destroyed).

A problematic capture includes packets such that the matching fh gets
added twice to the nfs_name_snoop_matched hash table. Prior to this
change the hash table would end up in a state where the new value is
associated with the old key (which contains pointer to already freed
memory). According to the nfs_name_snoop_matched_equal(), the old key
was equal to the key intended for new value *at the time* of insertion.

This change fixes the bug by using g_hash_table_replace() which does
update the key in case it already exists in the GHashTable.

Bug: 16017
Bug: 16019
Change-Id: Ib3943f1e27e82c05d9abaa1e436554b37a98488e
Reviewed-on: https://code.wireshark.org/review/34360
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
(cherry picked from commit efe2926a66d3d7187a260226678daeb2aa6e4832)
Reviewed-on: https://code.wireshark.org/review/34362
Reviewed-by: Tomasz Moń <desowin@gmail.com>
---
 epan/dissectors/packet-nfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/epan/dissectors/packet-nfs.c b/epan/dissectors/packet-nfs.c
index 489d61afc5..715ee8294b 100644
--- a/epan/dissectors/packet-nfs.c
+++ b/epan/dissectors/packet-nfs.c
@@ -1196,7 +1196,7 @@ nfs_name_snoop_add_fh(int xid, tvbuff_t *tvb, int fh_offset, int fh_length)
 	key->fh = nns->fh;
 
 	g_hash_table_steal(nfs_name_snoop_unmatched, GINT_TO_POINTER(xid));
-	g_hash_table_insert(nfs_name_snoop_matched, key, nns);
+	g_hash_table_replace(nfs_name_snoop_matched, key, nns);
 }
fix CVE-2020-13164 2020-07-21 20:41:59 +08:00			`From bbc327f73b2afb1d21c138d9e838c671e2378ab8 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Tomasz=20Mo=C5=84?= <desowin@gmail.com>`
			`Date: Sun, 25 Aug 2019 20:28:47 +0200`
			`Subject: [PATCH] NFS: Fix hash table key memory corruption`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`When the same (as determined by key_equal_func) key gets added to the`
			`GHashTable, old value gets freed and replaced with the new one. This is`
			`fine for hash tables where the key validity is not tightly coupled to`
			`the actual data.`

			`In the nfs_name_snoop_matched hash table the key becomes invalid once`
			`the value gets destroyed (because it shares the data pointed to by fh,`
			`which gets freed once the value is destroyed).`

			`A problematic capture includes packets such that the matching fh gets`
			`added twice to the nfs_name_snoop_matched hash table. Prior to this`
			`change the hash table would end up in a state where the new value is`
			`associated with the old key (which contains pointer to already freed`
			`memory). According to the nfs_name_snoop_matched_equal(), the old key`
			`was equal to the key intended for new value at the time of insertion.`

			`This change fixes the bug by using g_hash_table_replace() which does`
			`update the key in case it already exists in the GHashTable.`

			`Bug: 16017`
			`Bug: 16019`
			`Change-Id: Ib3943f1e27e82c05d9abaa1e436554b37a98488e`
			`Reviewed-on: https://code.wireshark.org/review/34360`
			`Reviewed-by: Michael Mann <mmann78@netscape.net>`
			`Petri-Dish: Michael Mann <mmann78@netscape.net>`
			`Tested-by: Petri Dish Buildbot`
			`Reviewed-by: Anders Broman <a.broman58@gmail.com>`
			`(cherry picked from commit efe2926a66d3d7187a260226678daeb2aa6e4832)`
			`Reviewed-on: https://code.wireshark.org/review/34362`
			`Reviewed-by: Tomasz Moń <desowin@gmail.com>`
			`---`
			`epan/dissectors/packet-nfs.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/epan/dissectors/packet-nfs.c b/epan/dissectors/packet-nfs.c`
			`index 489d61afc5..715ee8294b 100644`
			`--- a/epan/dissectors/packet-nfs.c`
			`+++ b/epan/dissectors/packet-nfs.c`
			`@@ -1196,7 +1196,7 @@ nfs_name_snoop_add_fh(int xid, tvbuff_t *tvb, int fh_offset, int fh_length)`
			`key->fh = nns->fh;`

			`g_hash_table_steal(nfs_name_snoop_unmatched, GINT_TO_POINTER(xid));`
			`- g_hash_table_insert(nfs_name_snoop_matched, key, nns);`
			`+ g_hash_table_replace(nfs_name_snoop_matched, key, nns);`
			`}`