RLC: always initialize LI length, even when it is malformed

Bug: 13162 Change-Id: Ie0938611b4c90fd54e7ccda0ee5f3d791078be06 Reviewed-on: https://code.wireshark.org/review/18918 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
author: Pascal Quantin <pascal.quantin@gmail.com> 2016-11-22 07:16:17 +0100
committer: Alexis La Goutte <alexis.lagoutte@gmail.com> 2016-11-22 07:42:06 +0000
commit: 7617286f32135051800998cb3a4b07badc8c6719 (patch)
tree: 5f515b3372544e30b910e87963f1bba5cf6a42b8
parent: 4a3a6b1bbb30a0bf0d154e2f1abaf771e880be68 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/epan/dissectors/packet-rlc.c b/epan/dissectors/packet-rlc.c
index 037ca6010c..4fef95627d 100644
--- a/epan/dissectors/packet-rlc.c
+++ b/epan/dissectors/packet-rlc.c
@@ -1751,9 +1751,9 @@ rlc_decode_li(enum rlc_mode mode, tvbuff_t *tvb, packet_info *pinfo, proto_tree
                 case 0x7ffa: /* contains exactly one SDU (minus last byte), UM only */
                 case 0x7ffc: /* start of a new SDU, UM only */
                 case 0x7ffd: /* contains exactly one SDU, UM only */
+                    li[num_li].len = 0;
                     if (mode == RLC_UM) {
                         /* valid for UM */
-                        li[num_li].len = 0;
                         break;
                     }
                     /*invalid for AM */
@@ -1769,6 +1769,7 @@ rlc_decode_li(enum rlc_mode mode, tvbuff_t *tvb, packet_info *pinfo, proto_tree
                     if (((li[num_li].li > total_len) && !global_rlc_headers_expected)
                         || (li[num_li].li < prev_li)) {
                         /* add malformed LI for investigation */
+                        li[num_li].len = 0;
                         malformed = tree_add_li(mode, &li[num_li], num_li, li_offs, li_on_2_bytes, tvb, tree);
                         expert_add_info(pinfo, malformed, &ei_rlc_li_incorrect_warn);
                         return -1; /* just give up on this */
@@ -1785,9 +1786,9 @@ rlc_decode_li(enum rlc_mode mode, tvbuff_t *tvb, packet_info *pinfo, proto_tree
                     break;
                 case 0x7c: /* start of a new SDU, UM only */
                 case 0x7d: /* contains exactly one SDU, UM only */
+                    li[num_li].len = 0;
                     if (mode == RLC_UM) {
                         /* valid for UM */
-                        li[num_li].len = 0;
                         break;
                     }
                     /*invalid for AM */
@@ -1804,6 +1805,7 @@ rlc_decode_li(enum rlc_mode mode, tvbuff_t *tvb, packet_info *pinfo, proto_tree
                     if (((li[num_li].li > total_len) && !global_rlc_headers_expected)
                         || (li[num_li].li < prev_li)) {
                         /* add malformed LI for investigation */
+                        li[num_li].len = 0;
                         malformed = tree_add_li(mode, &li[num_li], num_li, li_offs, li_on_2_bytes, tvb, tree);
                         expert_add_info_format(pinfo, malformed, &ei_rlc_li_incorrect_mal, "Incorrect LI value 0x%x", li[num_li].li);
                         return -1; /* just give up on this */
author	Pascal Quantin <pascal.quantin@gmail.com>	2016-11-22 07:16:17 +0100
committer	Alexis La Goutte <alexis.lagoutte@gmail.com>	2016-11-22 07:42:06 +0000
commit	7617286f32135051800998cb3a4b07badc8c6719 (patch)
tree	5f515b3372544e30b910e87963f1bba5cf6a42b8
parent	4a3a6b1bbb30a0bf0d154e2f1abaf771e880be68 (diff)