GSM RLC/MAC: fix global-buffer-overflow error reported by ASAN

After a M_NEXT_EXIST(), you should always have another variable (like
M_UINT, M_TYPE, ...) and not immediately end the structure with
CSN_DESCR_END.
Note that this is a workaround as the current description does not allow
a proper parsing anyway (as the structure is reentrant). But at least it
solves the buffer overflow.

Bug: 13692
Change-Id: I8e607aadcced2d8cc636dc10f9690c5c679ad581
Reviewed-on: https://code.wireshark.org/review/21585
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>

1 files changed, 4 insertions, 1 deletions

diff --git a/epan/dissectors/packet-gsm_rlcmac.c b/epan/dissectors/packet-gsm_rlcmac.c
index 972380fc62..6946d546d6 100644
--- a/epan/dissectors/packet-gsm_rlcmac.c
+++ b/epan/dissectors/packet-gsm_rlcmac.c
@@ -3027,7 +3027,10 @@ CSN_DESCR_BEGIN(IU_Mode_Channel_Request_Desk_t)
   M_NEXT_EXIST (IU_Mode_Channel_Request_Desk_t, Exist_RLC_BLOCK_COUNT, 1, &hf_egprs_prr_additionsr5_rlc_block_count_exist),
   M_UINT       (IU_Mode_Channel_Request_Desk_t,  RLC_BLOCK_COUNT,  8, &hf_egprs_prr_additionsr5_rlc_block_count),
 
-  M_NEXT_EXIST (IU_Mode_Channel_Request_Desk_t, Exist_Iu_Mode_ChRequestDesk, 1, &hf_iu_mode_chrequest_exist), /* Don't use M_REC_TARRAY as we don't support multiple TBFs */
+  /* Don't use M_REC_TARRAY as we don't support multiple TBFs
+  M_NEXT_EXIST (IU_Mode_Channel_Request_Desk_t, Exist_Iu_Mode_ChRequestDesk, 1, &hf_iu_mode_chrequest_exist),
+  M_TYPE       (IU_Mode_Channel_Request_Desk1, IU_Mode_Channel_Request_Desk_t),*/
+  M_UINT       (IU_Mode_Channel_Request_Desk_t, Exist_Iu_Mode_ChRequestDesk, 1, &hf_iu_mode_chrequest_exist),
 
 CSN_DESCR_END  (IU_Mode_Channel_Request_Desk_t)