authorJeff Morriss <jeff.morriss.ws@gmail.com>2013-07-18 23:34:48 +0000
committerJeff Morriss <jeff.morriss.ws@gmail.com>2013-07-18 23:34:48 +0000
commit23d9a348a1fea58e1e0ab160703401ca8f990f19 (patch)
treef50804d30df9bcbef217e70790d103bec9a376cb /epan/dissectors/packet-ntlmssp.c
parenta0606ce0b2c6fc49c433e10c547ff41b03bea73c (diff)
Fix the fuzz failure reported in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8941 :
Storing 2 different structures on the fd proto_data (with the same key) isn't safe: use different keys to keep them separate. I do wonder if both are really necessary... This fix can be back-ported to trunk-1.10 but not trunk-1.8 (which lacks the key identifier for proto_data). svn path=/trunk/; revision=50734
Diffstat (limited to 'epan/dissectors/packet-ntlmssp.c')
-rw-r--r--epan/dissectors/packet-ntlmssp.c18
1 files changed, 10 insertions, 8 deletions
diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c
index b99ba3ae05..da8bd38467 100644
--- a/epan/dissectors/packet-ntlmssp.c
+++ b/epan/dissectors/packet-ntlmssp.c
@@ -273,6 +273,7 @@ typedef struct _ntlmssp_blob {
guint8 contents[MAX_BLOB_SIZE];
} ntlmssp_blob;
+#define NTLMSSP_CONV_INFO_KEY 0
/* Used in the conversation function */
typedef struct _ntlmssp_info {
guint32 flags;
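Review bot: The new `#define NTLMSSP_CONV_INFO_KEY 0` is a bare number with no comment saying why it exists, even though the distinctness of the two keys is the entire fix; the same applies to `#define NTLMSSP_PACKET_INFO_KEY 1` in the next hunk. Suggest a comment above the first define: `/* Keys for p_add_proto_data()/p_get_proto_data() on a frame: an ntlmssp_info and an ntlmssp_packet_info can both be attached to the same frame under proto_ntlmssp, so each needs its own key or the lookups alias each other and the cast returns the wrong struct. */`. Putting both values in a single enum placed together, rather than two defines separated by a struct definition, would also make it harder for a future third key to reuse 0 or 1 by accident.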
@@ -289,6 +290,7 @@ typedef struct _ntlmssp_info {
ntlmssp_blob lm_response;
} ntlmssp_info;
+#define NTLMSSP_PACKET_INFO_KEY 1
/* If this struct exists in the payload_decrypt, then we have already
decrypted it once */
typedef struct _ntlmssp_packet_info {
@@ -1631,7 +1633,7 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
* - has the AUTHENTICATE message in a second TCP connection;
* (The authentication aparently succeeded).
*/
- conv_ntlmssp_info = (ntlmssp_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, 0);
+ conv_ntlmssp_info = (ntlmssp_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_CONV_INFO_KEY);
if (conv_ntlmssp_info == NULL) {
/*
* There isn't any. Is there any from this conversation? If so,
@@ -1650,7 +1652,7 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
/* XXX: The *conv_ntlmssp_info struct attached to the frame is the
same as the one attached to the conversation. That is: *both* point to
the exact same struct in memory. Is this what is indended ? */
- p_add_proto_data(pinfo->fd, proto_ntlmssp, 0, conv_ntlmssp_info);
+ p_add_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_CONV_INFO_KEY, conv_ntlmssp_info);
}
if (conv_ntlmssp_info != NULL) {
@@ -1999,11 +2001,11 @@ decrypt_data_payload(tvbuff_t *tvb, int offset, guint32 encrypted_block_length,
ntlmssp_packet_info *stored_packet_ntlmssp_info = NULL;
/* Check to see if we already have state for this packet */
- packet_ntlmssp_info = (ntlmssp_packet_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, 0);
+ packet_ntlmssp_info = (ntlmssp_packet_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_PACKET_INFO_KEY);
if (packet_ntlmssp_info == NULL) {
/* We don't have any packet state, so create one */
packet_ntlmssp_info = se_new0(ntlmssp_packet_info);
- p_add_proto_data(pinfo->fd, proto_ntlmssp, 0, packet_ntlmssp_info);
+ p_add_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_PACKET_INFO_KEY, packet_ntlmssp_info);
}
if (!packet_ntlmssp_info->payload_decrypted) {
conversation_t *conversation;
@@ -2223,7 +2225,7 @@ decrypt_verifier(tvbuff_t *tvb, int offset, guint32 encrypted_block_length,
int sequence = 0;
ntlmssp_packet_info *stored_packet_ntlmssp_info = NULL;
- packet_ntlmssp_info = (ntlmssp_packet_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, 0);
+ packet_ntlmssp_info = (ntlmssp_packet_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_PACKET_INFO_KEY);
if (packet_ntlmssp_info == NULL) {
/* We don't have data for this packet */
return;
@@ -2535,11 +2537,11 @@ dissect_ntlmssp_encrypted_payload(tvbuff_t *data_tvb,
fprintf(stderr, "Called dissect_ntlmssp_encrypted_payload\n");
/* Check to see if we already have state for this packet */
- packet_ntlmssp_info = p_get_proto_data(pinfo->fd, proto_ntlmssp, 0);
+ packet_ntlmssp_info = p_get_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_PACKET_INFO_KEY);
if (packet_ntlmssp_info == NULL) {
/* We don't have any packet state, so create one */
- packet_ntlmssp_info = se_alloc0(sizeof(ntlmssp_packet_info));
- p_add_proto_data(pinfo->fd, proto_ntlmssp, packet_ntlmssp_info);
+ packet_ntlmssp_info = se_new0(ntlmssp_packet_info);
+ p_add_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_PACKET_INFO_KEY, packet_ntlmssp_info);
}
if (!packet_ntlmssp_info->payload_decrypted) {
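Review bot: The lookup on the first `+` line assigns the void * result of p_get_proto_data() without the `(ntlmssp_packet_info *)` cast that the sibling sites in decrypt_data_payload and decrypt_verifier use; for consistency write `packet_ntlmssp_info = (ntlmssp_packet_info *)p_get_proto_data(pinfo->fd, proto_ntlmssp, NTLMSSP_PACKET_INFO_KEY);`. The removed p_add_proto_data call passed only three arguments while every other call site passes four, and the function starts with an `fprintf(stderr, ...)` trace, which suggests this function is not part of the regular build (presumably behind a disabled conditional) — worth confirming that the rewritten lines are actually compiled somewhere, since otherwise the old argument mismatch would have been caught earlier. The body of dissect_ntlmssp_encrypted_payload continues beyond the hunk.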