authorPascal Quantin <pascal.quantin@gmail.com>2016-12-22 15:14:47 +0100
committerAnders Broman <a.broman58@gmail.com>2016-12-22 16:17:24 +0000
commit8c70558d1651df0502e57f0b3bd56e1f70bc522b (patch)
tree542f89911f733140886786b5403ef444dac27afe /epan
parent541beaad6e99c8efc8a57a8e87fd5e8c3d56056a (diff)
RPC: fix crash when using "Dissect unknown RPC program numbers" option
When using this option, rpc_prog_info_value structure is not fully initialized. Depending on the memory allocator used, this can lead to a NULL pointer dereference or an access to a random memory block. Ensure that the structure is fully initialized and test the pointer before dereferencing it. Bug: 13266 Change-Id: Ifdc54b31c8dd3b2b6220dbe9ee27272758ff60ca Reviewed-on: https://code.wireshark.org/review/19385 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan')
-rw-r--r--epan/dissectors/packet-rpc.c6
1 files changed, 2 insertions, 4 deletions
diff --git a/epan/dissectors/packet-rpc.c b/epan/dissectors/packet-rpc.c
index cac55c1119..abe76c5c1b 100644
--- a/epan/dissectors/packet-rpc.c
+++ b/epan/dissectors/packet-rpc.c
@@ -2083,9 +2083,7 @@ looks_like_rpc_call(tvbuff_t *tvb, int offset)
if (version > 10)
return NULL;
- rpc_prog = wmem_new(wmem_packet_scope(), rpc_prog_info_value);
- rpc_prog->proto = NULL;
- rpc_prog->proto_id = 0;
+ rpc_prog = wmem_new0(wmem_packet_scope(), rpc_prog_info_value);
rpc_prog->ett = ett_rpc_unknown_program;
rpc_prog->progname = wmem_strdup_printf(wmem_packet_scope(), "Unknown RPC program %u", rpc_prog_key);
}
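Review bot: Nothing at the `wmem_new0` allocation records that every member other than `ett` and `progname` is now deliberately left zero/NULL for this synthetic "unknown program" entry. The two explicit assignments that were removed at least hinted at that, and the next reader has no way to tell which members callers may rely on. I would add a comment above the allocation such as `/* Synthetic entry for an unregistered program: only ett and progname are set, all other members (proto, proto_id, procedure_hfs, ...) stay zero/NULL. */`. The enclosing function starts and ends outside the hunk.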
@@ -2847,7 +2845,7 @@ dissect_rpc_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
tmp_item=proto_tree_add_uint(ptree,
hf_rpc_programversion, tvb, 0, 0, vers);
PROTO_ITEM_SET_GENERATED(tmp_item);
- if (rpc_prog && (rpc_prog->procedure_hfs->len > vers) )
+ if (rpc_prog && rpc_prog->procedure_hfs && (rpc_prog->procedure_hfs->len > vers) )
procedure_hf = g_array_index(rpc_prog->procedure_hfs, int, vers);
else {
/*
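Review bot: Only this one read of `rpc_prog->procedure_hfs` gains a NULL test. The zero-filled entry from looks_like_rpc_call may well reach other reads of the same member that lie outside the visible hunks, for example on the reply path. Since the value is reached while dissecting untrusted packets, it is worth grepping packet-rpc.c for every `procedure_hfs->` use and applying the same `rpc_prog->procedure_hfs &&` guard wherever the pointer can come from the "Dissect unknown RPC program numbers" path. The body of dissect_rpc_message continues beyond this hunk, so the else branch could not be checked from here.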