| author | John Thacker <johnthacker@gmail.com> | 2020-10-12 07:37:14 -0400 |
|---|---|---|
| committer | AndersBroman <a.broman58@gmail.com> | 2020-10-14 03:31:48 +0000 |
| commit | 824eec89ca319698f02102e5e10a043887bd5440 (patch) | |
| tree | 2f7ac706f977a4e9300739993379d658be258d47 | |
| parent | 7b5b6501f0a3d18ab4ec6f5cf46801ca2e34565f (diff) | |
reassembly: Fix check for no data to prevent NULL dereference
There's a check for adding a zero length fragment to a reassembly in progress,
but it accidentally checks fd_head->tvb_data (the reassembly in progress)
instead of fd_i->tvb_data (the new fragment) before calling tvb_get_data() on
fd_i->tvb_data. (Note that data / fd_head->tvb_data is created based on the
sum of the lengths of all the fd_i->tvb_data, so the former can only be NULL
if all the latter are, but it's possible for one fragment to be zero length
but not the entire reassembly. Thus this is the necessary and sufficient check.)
Fixes #15569
-rw-r--r-- | epan/reassemble.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/reassemble.c b/epan/reassemble.c index 4b77b0e9fd..cc0924e4eb 100644 --- a/epan/reassemble.c +++ b/epan/reassemble.c @@ -1242,7 +1242,7 @@ fragment_add_work(fragment_head *fd_head, tvbuff_t *tvb, const int offset, fd_head->error = "dfpos < offset"; } else if (dfpos - fd_i->offset > fd_i->len) fd_head->error = "dfpos - offset > len"; - else if (!fd_head->tvb_data) + else if (!fd_i->tvb_data) fd_head->error = "no data"; else { fraglen = fd_i->len; |
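Review bot: the corrected condition `else if (!fd_i->tvb_data)` deserves a one-line code comment at that point explaining why checking the new fragment rather than the reassembly in progress is sufficient, because the two fields have near-identical names and the original bug was exactly a mix-up between `fd_head->tvb_data` and `fd_i->tvb_data`. The commit message already carries the argument (fd_head->tvb_data is built from the sum of the fragment lengths, so it can only be NULL when every fragment is, while a single zero-length fragment can still arrive with a non-empty reassembly); moving that reasoning next to the check keeps it from being "fixed" back the other way later. Since a zero-length fragment reaching tvb_get_data() on a NULL tvb_data is a crash in a dissector path, it would also be worth attaching the reproducing capture from #15569 as a regression test so the fix is exercised in CI.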