Reassemble: fix premature free

Fix a memory error found by the buildbot and valgrind in my recent patch Bug: 13100 Change-Id: Ieb21aa25e048f90ce7192546b0ad3d4718ff07df Reviewed-on: https://code.wireshark.org/review/18877 Petri-Dish: Michael Mann <mmann78@netscape.net> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
author: John A. Thacker <johnthacker@gmail.com> 2016-11-18 18:35:28 -0500
committer: Michael Mann <mmann78@netscape.net> 2016-11-19 22:58:08 +0000
commit: abf802baf77bca3c0b4f94e81e8308b4c2d527fb (patch)
tree: 64612355d33869d061927438b72c9da1e70ade11
parent: 4eb61deedc79c8c446e6a162a1dc8ebea6e7353f (diff)
1 files changed, 17 insertions, 13 deletions
diff --git a/epan/reassemble.c b/epan/reassemble.c
index e18da27431..62fb9519c0 100644
--- a/epan/reassemble.c
+++ b/epan/reassemble.c
@@ -2212,11 +2212,6 @@ fragment_add_seq_single_work(reassembly_table *table, tvbuff_t *tvb,
 					}
 				}
 				prev_fd->next = NULL;
-				if (new_fh->next == NULL) {
-					old_tvb_data = fragment_delete(table, pinfo, id-frag_number, data);
-					if (old_tvb_data)
-						tvb_free(old_tvb_data);
-				}
 				break;
 			}
 		}
@@ -2230,14 +2225,23 @@ fragment_add_seq_single_work(reassembly_table *table, tvbuff_t *tvb,
 				}
 			}
 			MERGE_FRAG(fh, fd);
-			/* If we've moved a Last packet, change the datalen.
-			 * Second part of this test should be unnecessary. */
-			if (new_fh->flags & FD_DATALEN_SET &&
-			    new_fh->datalen >= frag_number) {
-				fh->flags |= FD_DATALEN_SET;
-				fh->datalen = new_fh->datalen - frag_number;
-				new_fh->flags &= ~FD_DATALEN_SET;
-				new_fh->datalen = 0;
+			if (new_fh != NULL) {
+				/* If we've moved a Last packet, change datalen.
+			         * Second part of this test prob. redundant? */
+				if (new_fh->flags & FD_DATALEN_SET &&
+				    new_fh->datalen >= frag_number) {
+					fh->flags |= FD_DATALEN_SET;
+					fh->datalen = new_fh->datalen - frag_number;
+					new_fh->flags &= ~FD_DATALEN_SET;
+					new_fh->datalen = 0;
+				}
+				/* If we've moved all the fragments,
+				 * delete the old head */
+				if (new_fh->next == NULL) {
+					old_tvb_data = fragment_delete(table, pinfo, id-frag_number, data);
+					if (old_tvb_data)
+						tvb_free(old_tvb_data);
+				}
 			} else {
 			/* Look forward and take off the next (this is
 			 * necessary in some edge cases where max_frags
author	John A. Thacker <johnthacker@gmail.com>	2016-11-18 18:35:28 -0500
committer	Michael Mann <mmann78@netscape.net>	2016-11-19 22:58:08 +0000
commit	abf802baf77bca3c0b4f94e81e8308b4c2d527fb (patch)
tree	64612355d33869d061927438b72c9da1e70ade11
parent	4eb61deedc79c8c446e6a162a1dc8ebea6e7353f (diff)