From 83f3aa6e082bea11de6bfe7c9c8ede419a2aff55 Mon Sep 17 00:00:00 2001 From: Gerald Combs Date: Sat, 16 Apr 2005 21:54:32 +0000 Subject: Add an extra_info_type field to smb_extra_info_t so that we can make sure we're not referencing a fid when we think we're referencing an smb_nt_transact_info_t pointer. (A fuzzed capture I have triggers this behavior). svn path=/trunk/; revision=14107 --- epan/dissectors/packet-smb-pipe.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'epan/dissectors/packet-smb-pipe.c') diff --git a/epan/dissectors/packet-smb-pipe.c b/epan/dissectors/packet-smb-pipe.c index bc1ffea3ed..875a3a5b3b 100644 --- a/epan/dissectors/packet-smb-pipe.c +++ b/epan/dissectors/packet-smb-pipe.c @@ -438,9 +438,12 @@ add_detail_level(tvbuff_t *tvb, int offset, int count _U_, packet_info *pinfo, proto_tree *tree, int convert _U_, int hf_index) { struct smb_info *smb_info = pinfo->private_data; - smb_transact_info_t *trp = smb_info->sip->extra_info; + smb_transact_info_t *trp = NULL; guint16 level; + if (smb_info->sip->extra_info_type == SMB_EI_TRI) + trp = smb_info->sip->extra_info; + level = tvb_get_letohs(tvb, offset); if (!pinfo->fd->flags.visited) trp->info_level = level; /* remember this for the response */ @@ -2459,7 +2462,7 @@ dissect_response_data(tvbuff_t *tvb, packet_info *pinfo, int convert, const struct lanman_desc *lanman, gboolean has_ent_count, guint16 ent_count) { - smb_transact_info_t *trp = smb_info->sip->extra_info; + smb_transact_info_t *trp = NULL; const item_list_t *resp_data_list; int offset, start_offset; const char *label; @@ -2472,6 +2475,9 @@ dissect_response_data(tvbuff_t *tvb, packet_info *pinfo, int convert, guint i, j; guint16 aux_count; + if (smb_info->sip->extra_info_type == SMB_EI_TRI) + trp = smb_info->sip->extra_info; + /* * Find the item table for the matching request's detail level. */ 
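Review bot: In the add_detail_level hunk, `trp` is now NULL whenever `extra_info_type` is not SMB_EI_TRI, but the unchanged `trp->info_level = level;` on the first (unvisited) pass still dereferences it, so the type confusion this commit fixes becomes a NULL-pointer dereference on the same fuzzed input. Guard the write: `if (trp != NULL && !pinfo->fd->flags.visited) trp->info_level = level;`. The new check also reads `smb_info->sip->extra_info_type` without testing `smb_info->sip` for NULL, whereas the dissect_pipe_smb hunk tests `smb_info->sip != NULL` before reading the same field; if sip can be NULL on this path (not visible here), the same guard is needed. The function's signature starts above the hunk and the rest of its body continues below it.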
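Review bot: In the dissect_response_data hunk at -2472, `trp` stays NULL for a non-transaction extra_info, and the comment closing the hunk says the next step finds the item table for the matching request's detail level, which presumably reads `trp->info_level` just past the hunk; unless that code already tolerates NULL, the fix relocates the crash rather than removing it. Bail out right after the new assignment, e.g. `if (trp == NULL) return;`, using whatever the function's return convention is (its return type is outside the hunk). It would also help to state the new invariant at the assignment: `/* extra_info is only an smb_transact_info_t for SMB_EI_TRI; trp is NULL otherwise */`. Whether packet-smb.c sets extra_info_type everywhere it sets extra_info cannot be confirmed from this file-limited diff.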
@@ -2607,7 +2613,7 @@ dissect_pipe_lanman(tvbuff_t *pd_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb, packet_info *pinfo, proto_tree *parent_tree) { smb_info_t *smb_info = pinfo->private_data; - smb_transact_info_t *trp = smb_info->sip->extra_info; + smb_transact_info_t *trp = NULL; int offset = 0, start_offset; guint16 cmd; guint16 status; @@ -2624,6 +2630,9 @@ dissect_pipe_lanman(tvbuff_t *pd_tvb, tvbuff_t *p_tvb, tvbuff_t *d_tvb, proto_item *data_item; proto_tree *data_tree; + if (smb_info->sip->extra_info_type == SMB_EI_TRI) + trp = smb_info->sip->extra_info; + if (!proto_is_protocol_enabled(find_protocol_by_id(proto_smb_lanman))) return FALSE; if (smb_info->request && p_tvb == NULL) { @@ -3536,7 +3545,7 @@ dissect_pipe_smb(tvbuff_t *sp_tvb, tvbuff_t *s_tvb, tvbuff_t *pd_tvb, smb_info->request ? "Request" : "Response"); } - if (smb_info->sip != NULL) + if (smb_info->sip != NULL && smb_info->sip->extra_info_type == SMB_EI_TRI) tri = smb_info->sip->extra_info; else tri = NULL; -- cgit v1.2.3
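Review bot: In the dissect_pipe_lanman hunk at -2624, the new check dereferences `smb_info->sip` before the `proto_is_protocol_enabled` early return and without a NULL test, while the dissect_pipe_smb hunk below guards with `smb_info->sip != NULL` before reading the same field. If sip can be NULL here (not visible in this hunk), `if (smb_info->sip != NULL && smb_info->sip->extra_info_type == SMB_EI_TRI)` keeps the two sites consistent. As in the other functions, `trp` remains NULL for non-TRI traffic, so its uses later in the body (outside the hunk) must tolerate that, or the function should return early, for example `if (trp == NULL) return FALSE;` alongside the disabled-protocol path.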