author | Pascal Quantin <pascal.quantin@gmail.com> | 2016-12-22 15:14:47 +0100 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2016-12-22 16:17:24 +0000 |
commit | 8c70558d1651df0502e57f0b3bd56e1f70bc522b (patch) | |
tree | 542f89911f733140886786b5403ef444dac27afe /epan | |
parent | 541beaad6e99c8efc8a57a8e87fd5e8c3d56056a (diff) |
RPC: fix crash when using "Dissect unknown RPC program numbers" option
When using this option, rpc_prog_info_value structure is not fully initialized.
Depending on the memory allocator used, this can lead to a NULL pointer
dereference or an access to a random memory block.
Ensure that the structure is fully initialized and test the pointer before
dereferencing it.
Bug: 13266
Change-Id: Ifdc54b31c8dd3b2b6220dbe9ee27272758ff60ca
Reviewed-on: https://code.wireshark.org/review/19385
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-rpc.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/epan/dissectors/packet-rpc.c b/epan/dissectors/packet-rpc.c
index cac55c1119..abe76c5c1b 100644
--- a/epan/dissectors/packet-rpc.c
+++ b/epan/dissectors/packet-rpc.c
@@ -2083,9 +2083,7 @@ looks_like_rpc_call(tvbuff_t *tvb, int offset)
 if (version > 10)
 return NULL;
- rpc_prog = wmem_new(wmem_packet_scope(), rpc_prog_info_value);
- rpc_prog->proto = NULL;
- rpc_prog->proto_id = 0;
+ rpc_prog = wmem_new0(wmem_packet_scope(), rpc_prog_info_value);
 rpc_prog->ett = ett_rpc_unknown_program;
 rpc_prog->progname = wmem_strdup_printf(wmem_packet_scope(), "Unknown RPC program %u", rpc_prog_key);
 }
@@ -2847,7 +2845,7 @@ dissect_rpc_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 tmp_item=proto_tree_add_uint(ptree, hf_rpc_programversion, tvb, 0, 0, vers);
 PROTO_ITEM_SET_GENERATED(tmp_item);
- if (rpc_prog && (rpc_prog->procedure_hfs->len > vers) )
+ if (rpc_prog && rpc_prog->procedure_hfs && (rpc_prog->procedure_hfs->len > vers) )
 procedure_hf = g_array_index(rpc_prog->procedure_hfs, int, vers);
 else {
 /* |
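Review bot: The switch to `wmem_new0` in looks_like_rpc_call leaves `procedure_hfs` (and every other field not set on the following two lines) NULL for the synthetic "unknown program" entry, and nothing in the hunk records that this is a deliberate contract rather than an accident; the second hunk in dissect_rpc_message adds a NULL check for exactly that field, so any other consumer of `rpc_prog->procedure_hfs` or `rpc_prog->proto` that I cannot see from here presumably needs the same guard. I would add above the `wmem_new0` line: `/* Placeholder for an unknown program: all fields other than ett/progname stay NULL/0, so consumers must check procedure_hfs and proto before dereferencing. */`, and mirror it on the new condition in the second hunk with `/* procedure_hfs is NULL for the synthetic unknown-program entry */`. Both enclosing functions start and end outside their hunks, so whether other dereferences exist in the same bodies cannot be confirmed from this view.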