From 89084852466dd2abcec94bf00e6a58d3d55e3abe Mon Sep 17 00:00:00 2001
From: Gerald Combs
Date: Fri, 6 May 2011 19:39:47 +0000
Subject: Huzaifa Sidhpurwala of Red Hat Security Response Team discovered that we could dereferene a NULL pointer if we had a corrupted Diameter dictionary. Additionally, it was possible to push an invalid input buffer onto the include stack.
svn path=/trunk/; revision=37011
---
 epan/diam_dict.l | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
(limited to 'epan/diam_dict.l')
diff --git a/epan/diam_dict.l b/epan/diam_dict.l
index 4de9c88a9f..bdcfc2b8a5 100644
--- a/epan/diam_dict.l
+++ b/epan/diam_dict.l
@@ -269,9 +269,6 @@ description_attr description=\042
 yyterminate();
 }
- include_stack[include_stack_ptr++] = YY_CURRENT_BUFFER;
-
-
 for (e = ents.next; e; e = e->next) {
 if (strcmp(e->name,yytext) == 0) {
 yyin = ddict_open(sys_dir,e->file);
@@ -282,6 +279,7 @@ description_attr description=\042
 yyterminate();
 }
 } else {
+ include_stack[include_stack_ptr++] = YY_CURRENT_BUFFER;
 yy_switch_to_buffer(yy_create_buffer( yyin, YY_BUF_SIZE ) );
 BEGIN LOADING;
 }
@@ -290,7 +288,7 @@ description_attr description=\042
 }
 if (!e) {
- fprintf(stderr, "Could not find entity: '%s'", e->name );
+ fprintf(stderr, "Could not find entity: '%s'\n", yytext );
 yyterminate();
 }
-- 
cgit v1.2.3
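Review bot: The added push `include_stack[include_stack_ptr++] = YY_CURRENT_BUFFER;` now sits several lines away from the depth check that guards it (apparently the check ending in the `yyterminate();` at the top of the previous hunk, outside this one), so a reader of the else branch cannot see why the unchecked post-increment is safe. I would put a comment on the new line: `/* Push only after the include file is open: a failed open must not leave an unmatched buffer on the include stack. Depth was checked before the entity loop. */` The `yyterminate(); }` at the top of this hunk closes an inner block of the `!yyin` branch, so there appears to be a path where the open fails without terminating and execution continues with no buffer pushed and no buffer switched; worth confirming that is intended rather than a silent skip of the include. The rule action this belongs to starts and ends outside the hunk.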
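Review bot: The `if (!e)` test on the new side relies on the entity loop above leaving `e` non-NULL on a match, which needs a `break` out of the loop that is not visible in this hunk; if the loop ever ran to completion after a match, every entity would be reported as missing and the dictionary load terminated. A one-line comment would make the invariant explicit: `/* e is NULL only if no entity in ents matched yytext above. */` The corrected argument `yytext` is text read from the dictionary being parsed, but it is passed as a `%s` argument rather than as the format string, so printing it is safe. The enclosing rule action begins before this hunk.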