authorPascal Quantin <pascal.quantin@gmail.com>2013-07-03 08:53:47 +0000
committerPascal Quantin <pascal.quantin@gmail.com>2013-07-03 08:53:47 +0000
commitb91b990a77b22c97e982d33261037a0cfbe8af07 (patch)
tree2775d8e29473ff50d0f5fc20c185538641259953 /asn1/lte-rrc
parent98492c561948b8d08c8c39e61a6f2c8b31cb344f (diff)
Fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8880 :
Check actx->private_data validity before using it svn path=/trunk/; revision=50338
Diffstat (limited to 'asn1/lte-rrc')
-rw-r--r--asn1/lte-rrc/lte-rrc.cnf219
1 files changed, 118 insertions, 101 deletions
diff --git a/asn1/lte-rrc/lte-rrc.cnf b/asn1/lte-rrc/lte-rrc.cnf
index 2d48e1c7c5..d5d63e385d 100644
--- a/asn1/lte-rrc/lte-rrc.cnf
+++ b/asn1/lte-rrc/lte-rrc.cnf
@@ -82,7 +82,7 @@ SI-OrPSI-GERAN TYPE_PREFIX
}
#.FN_BODY UE-CapabilityRAT-Container
- actx->private_data = GUINT_TO_POINTER(-1);
+ actx->private_data = NULL;
%(DEFAULT_BODY)s
#.FN_BODY RAT-Type VAL_PTR = &rat_type
@@ -126,51 +126,54 @@ if(ue_cap_tvb){
proto_tree *subtree, *subtree2;
guint8 byte;
subtree = proto_item_add_subtree(actx->created_item, ett_lte_rrc_UE_CapabilityRAT_Container);
- switch(GPOINTER_TO_UINT(actx->private_data)){
- case RAT_Type_eutra:
- /* eutra */
- dissect_lte_rrc_UE_EUTRA_Capability_PDU(ue_cap_tvb, actx->pinfo, subtree, NULL);
- break;
- case RAT_Type_utra:
- /* utra */
- dissect_rrc_InterRATHandoverInfo_PDU(ue_cap_tvb, actx->pinfo, subtree, NULL);
- break;
- case RAT_Type_geran_cs:
- /* geran-cs */
- /* Mobile Station Classmark 2 is formatted as TLV with the two first bytes set to 0x33 0x03 */
- item = proto_tree_add_text(subtree, ue_cap_tvb, 0, 5, "Mobile Station Classmark 2");
- subtree2 = proto_item_add_subtree(item, ett_lte_rrc_UE_CapabilityRAT_Container);
- byte = tvb_get_guint8(ue_cap_tvb, 0);
- if (byte != 0x33) {
- expert_add_info_format_text(actx->pinfo, item, &ei_lte_rrc_unexpected_type_value,
- "Unexpected type value (found 0x%02X)", byte);
- }
- byte = tvb_get_guint8(ue_cap_tvb, 1);
- if (byte != 0x03) {
- expert_add_info_format_text(actx->pinfo, item, &ei_lte_rrc_unexpected_length_value,
- "Unexpected length value (found %d)", byte);
+ if (actx->private_data) {
+ switch(GPOINTER_TO_UINT(actx->private_data)){
+ case RAT_Type_eutra:
+ /* eutra */
+ dissect_lte_rrc_UE_EUTRA_Capability_PDU(ue_cap_tvb, actx->pinfo, subtree, NULL);
+ break;
+ case RAT_Type_utra:
+ /* utra */
+ dissect_rrc_InterRATHandoverInfo_PDU(ue_cap_tvb, actx->pinfo, subtree, NULL);
+ break;
+ case RAT_Type_geran_cs:
+ /* geran-cs */
+ /* Mobile Station Classmark 2 is formatted as TLV with the two first bytes set to 0x33 0x03 */
+ item = proto_tree_add_text(subtree, ue_cap_tvb, 0, 5, "Mobile Station Classmark 2");
+ subtree2 = proto_item_add_subtree(item, ett_lte_rrc_UE_CapabilityRAT_Container);
+ byte = tvb_get_guint8(ue_cap_tvb, 0);
+ if (byte != 0x33) {
+ expert_add_info_format_text(actx->pinfo, item, &ei_lte_rrc_unexpected_type_value,
+ "Unexpected type value (found 0x%02X)", byte);
+ }
+ byte = tvb_get_guint8(ue_cap_tvb, 1);
+ if (byte != 0x03) {
+ expert_add_info_format_text(actx->pinfo, item, &ei_lte_rrc_unexpected_length_value,
+ "Unexpected length value (found %d)", byte);
+ }
+ de_ms_cm_2(ue_cap_tvb, subtree2, actx->pinfo, 2, 3, NULL, 0);
+ /* Mobile Station Classmark 3 is formatted as V */
+ length = tvb_ensure_length_remaining(ue_cap_tvb, 5);
+ item = proto_tree_add_text(subtree, ue_cap_tvb, 5, length, "Mobile Station Classmark 3");
+ subtree2 = proto_item_add_subtree(item, ett_lte_rrc_UE_CapabilityRAT_Container);
+ de_ms_cm_3(ue_cap_tvb, subtree2, actx->pinfo, 5, length, NULL, 0);
+ break;
+ case RAT_Type_geran_ps:
+ /* geran-ps */
+ /* MS Radio Access Capability is formatted as V */
+ length = tvb_length(ue_cap_tvb);
+ item = proto_tree_add_text(subtree, ue_cap_tvb, 0, length, "MS Radio Access Capability");
+ subtree2 = proto_item_add_subtree(item, ett_lte_rrc_UE_CapabilityRAT_Container);
+ de_gmm_ms_radio_acc_cap(ue_cap_tvb, subtree2, actx->pinfo, 0, length, NULL, 0);
+ break;
+ case RAT_Type_cdma2000_1XRTT:
+ /* cdma2000-1XRTT */
+ /* dissection of "A21 Mobile Subscription Information" could be added to packet-ansi_a.c */
+ break;
+ default:
+ break;
}
- de_ms_cm_2(ue_cap_tvb, subtree2, actx->pinfo, 2, 3, NULL, 0);
- /* Mobile Station Classmark 3 is formatted as V */
- length = tvb_ensure_length_remaining(ue_cap_tvb, 5);
- item = proto_tree_add_text(subtree, ue_cap_tvb, 5, length, "Mobile Station Classmark 3");
- subtree2 = proto_item_add_subtree(item, ett_lte_rrc_UE_CapabilityRAT_Container);
- de_ms_cm_3(ue_cap_tvb, subtree2, actx->pinfo, 5, length, NULL, 0);
- break;
- case RAT_Type_geran_ps:
- /* geran-ps */
- /* MS Radio Access Capability is formatted as V */
- length = tvb_length(ue_cap_tvb);
- item = proto_tree_add_text(subtree, ue_cap_tvb, 0, length, "MS Radio Access Capability");
- subtree2 = proto_item_add_subtree(item, ett_lte_rrc_UE_CapabilityRAT_Container);
- de_gmm_ms_radio_acc_cap(ue_cap_tvb, subtree2, actx->pinfo, 0, length, NULL, 0);
- break;
- case RAT_Type_cdma2000_1XRTT:
- /* cdma2000-1XRTT */
- /* dissection of "A21 Mobile Subscription Information" could be added to packet-ansi_a.c */
- break;
- default:
- break;
+ actx->private_data = NULL;
}
}
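Review bot: The added `if (actx->private_data)` guard treats a stored value of 0 as "nothing stored", so a legitimate enumerated value of 0 can no longer reach the switch. The RAT-Type body that fills `actx->private_data` is outside this hunk; if it stores the raw `rat_type` and `RAT_Type_eutra` is 0 (which looks likely for the first enumerated value, but is not visible here), the eutra case becomes unreachable and the UE-EUTRA-Capability container is silently left undissected. The same concern applies to `T_targetRAT_Type_utra` in the Handover hunk and `SI_OrPSI_GERAN_si` in the SI-OrPSI-GERAN hunk. One fix is to store the value offset by one, `actx->private_data = GUINT_TO_POINTER(rat_type + 1);` in the setter, and undo it here with `switch(GPOINTER_TO_UINT(actx->private_data) - 1){`. The enclosing `if(ue_cap_tvb){` block starts outside the hunk.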
@@ -223,7 +226,7 @@ if(ue_cap_tvb){
}
#.FN_BODY Handover
- actx->private_data = GUINT_TO_POINTER(-1);
+ actx->private_data = NULL;
%(DEFAULT_BODY)s
#.FN_BODY Handover/targetRAT-Type VAL_PTR = &target_rat_type
@@ -238,33 +241,36 @@ if(ue_cap_tvb){
guint8 byte;
proto_tree *subtree;
subtree = proto_item_add_subtree(actx->created_item, ett_lte_rrc_targetRAT_MessageContainer);
- switch(GPOINTER_TO_UINT(actx->private_data)){
- case T_targetRAT_Type_utra:
- /* utra */
- if (rrc_irat_ho_to_utran_cmd_handle)
- call_dissector(rrc_irat_ho_to_utran_cmd_handle, target_rat_msg_cont_tvb, actx->pinfo, subtree);
- break;
- case T_targetRAT_Type_geran:
- /* geran */
- byte = tvb_get_guint8(target_rat_msg_cont_tvb, 0);
- if (byte == 0x06) {
- if (gsm_a_dtap_handle) {
- call_dissector(gsm_a_dtap_handle, target_rat_msg_cont_tvb, actx->pinfo, subtree);
- }
- } else {
- if (gsm_rlcmac_dl_handle) {
- call_dissector(gsm_rlcmac_dl_handle, target_rat_msg_cont_tvb, actx->pinfo, subtree);
+ if (actx->private_data) {
+ switch(GPOINTER_TO_UINT(actx->private_data)){
+ case T_targetRAT_Type_utra:
+ /* utra */
+ if (rrc_irat_ho_to_utran_cmd_handle)
+ call_dissector(rrc_irat_ho_to_utran_cmd_handle, target_rat_msg_cont_tvb, actx->pinfo, subtree);
+ break;
+ case T_targetRAT_Type_geran:
+ /* geran */
+ byte = tvb_get_guint8(target_rat_msg_cont_tvb, 0);
+ if (byte == 0x06) {
+ if (gsm_a_dtap_handle) {
+ call_dissector(gsm_a_dtap_handle, target_rat_msg_cont_tvb, actx->pinfo, subtree);
+ }
+ } else {
+ if (gsm_rlcmac_dl_handle) {
+ call_dissector(gsm_rlcmac_dl_handle, target_rat_msg_cont_tvb, actx->pinfo, subtree);
+ }
}
+ break;
+ case T_targetRAT_Type_cdma2000_1XRTT:
+ /* cdma2000-1XRTT */
+ break;
+ case T_targetRAT_Type_cdma2000_HRPD:
+ /* cdma2000-HRPD */
+ break;
+ default:
+ break;
}
- break;
- case T_targetRAT_Type_cdma2000_1XRTT:
- /* cdma2000-1XRTT */
- break;
- case T_targetRAT_Type_cdma2000_HRPD:
- /* cdma2000-HRPD */
- break;
- default:
- break;
+ actx->private_data = NULL;
}
}
@@ -307,21 +313,24 @@ if(ue_cap_tvb){
%(DEFAULT_BODY)s
if (sys_info_list_tvb) {
subtree = proto_item_add_subtree(actx->created_item, ett_lte_rrc_siPsiSibContainer);
- switch (GPOINTER_TO_UINT(actx->private_data)) {
- case SI_OrPSI_GERAN_si:
- /* SI message */
- if (gsm_a_dtap_handle) {
- call_dissector(gsm_a_dtap_handle, sys_info_list_tvb, actx->pinfo, subtree);
- }
- break;
- case SI_OrPSI_GERAN_psi:
- /* PSI message */
- if (gsm_rlcmac_dl_handle) {
- call_dissector(gsm_rlcmac_dl_handle, sys_info_list_tvb, actx->pinfo, subtree);
+ if (actx->private_data) {
+ switch (GPOINTER_TO_UINT(actx->private_data)) {
+ case SI_OrPSI_GERAN_si:
+ /* SI message */
+ if (gsm_a_dtap_handle) {
+ call_dissector(gsm_a_dtap_handle, sys_info_list_tvb, actx->pinfo, subtree);
+ }
+ break;
+ case SI_OrPSI_GERAN_psi:
+ /* PSI message */
+ if (gsm_rlcmac_dl_handle) {
+ call_dissector(gsm_rlcmac_dl_handle, sys_info_list_tvb, actx->pinfo, subtree);
+ }
+ break;
+ default:
+ break;
}
- break;
- default:
- break;
+ actx->private_data = NULL;
}
}
@@ -544,7 +553,7 @@ SystemInformationBlockType11/messageIdentifier TYPE=FT_UINT16 DISPLAY=BASE_DEC|B
#.FN_FTR SystemInformationBlockType11/serialNumber
if (serial_nb_tvb) {
proto_tree *subtree;
- actx->private_data = GUINT_TO_POINTER(GPOINTER_TO_UINT(actx->private_data) | tvb_get_ntohs(serial_nb_tvb, 0));
+ actx->private_data = GUINT_TO_POINTER((actx->private_data ? GPOINTER_TO_UINT(actx->private_data) : 0) | tvb_get_ntohs(serial_nb_tvb, 0));
subtree = proto_item_add_subtree(actx->created_item, ett_lte_rrc_serialNumber);
proto_tree_add_item(subtree, hf_lte_rrc_serialNumber_gs, serial_nb_tvb, 0, 2, ENC_BIG_ENDIAN);
proto_tree_add_item(subtree, hf_lte_rrc_serialNumber_msg_code, serial_nb_tvb, 0, 2, ENC_BIG_ENDIAN);
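Review bot: The ternary added on the `actx->private_data = ...` line does not change the computed value, because `GPOINTER_TO_UINT(NULL)` is already 0, so the old and new lines produce the same key. If the intent is to avoid building a key when the message identifier was never stored, that needs an explicit test before the assignment; otherwise the simpler original expression reads better. Either way a comment would help, e.g. `/* low 16 bits of the key: serial number; upper bits are presumably set by the messageIdentifier body */`. The same line appears in the SystemInformationBlockType12-r9/serialNumber-r9 hunk, and the footer body continues outside this hunk.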
@@ -561,8 +570,10 @@ SystemInformationBlockType11/messageIdentifier TYPE=FT_UINT16 DISPLAY=BASE_DEC|B
guint32 dataCodingScheme;
subtree = proto_item_add_subtree(actx->created_item, ett_lte_rrc_dataCodingScheme);
dataCodingScheme = dissect_cbs_data_coding_scheme(data_coding_scheme_tvb, actx->pinfo, subtree, 0);
- g_hash_table_insert(lte_rrc_etws_cmas_dcs_hash, actx->private_data,
- GUINT_TO_POINTER(dataCodingScheme));
+ if (actx->private_data) {
+ g_hash_table_insert(lte_rrc_etws_cmas_dcs_hash, actx->private_data,
+ GUINT_TO_POINTER(dataCodingScheme));
+ }
}
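Review bot: Under the added `if (actx->private_data)` test a key of zero is indistinguishable from "no key", so a warning whose combined key evaluates to 0 gets no data coding scheme stored. Its segment is then skipped by the matching guard in the warningMessageSegment footer hunk. The non-NULL test also cannot tell whether the value was written by this dissector or left behind by another user of `actx->private_data`, so it is only a partial validity check for the hash key. At minimum the guard deserves a comment, e.g. `/* private_data holds the key built in the serialNumber footer; NULL means no key was seen */`. The same guard is repeated in the SystemInformationBlockType12-r9 hunks.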
#.FN_BODY SystemInformationBlockType11/warningMessageSegment VAL_PTR=&warning_msg_seg_tvb
@@ -571,11 +582,13 @@ SystemInformationBlockType11/messageIdentifier TYPE=FT_UINT16 DISPLAY=BASE_DEC|B
%(DEFAULT_BODY)s
#.FN_FTR SystemInformationBlockType11/warningMessageSegment
- p_dcs = g_hash_table_lookup(lte_rrc_etws_cmas_dcs_hash, actx->private_data);
- if (warning_msg_seg_tvb && p_dcs) {
- proto_tree *subtree;
- subtree = proto_item_add_subtree(actx->created_item, ett_lte_rrc_warningMessageSegment);
- dissect_lte_rrc_warningMessageSegment(warning_msg_seg_tvb, subtree, actx->pinfo, GPOINTER_TO_UINT(p_dcs));
+ if (actx->private_data) {
+ p_dcs = g_hash_table_lookup(lte_rrc_etws_cmas_dcs_hash, actx->private_data);
+ if (warning_msg_seg_tvb && p_dcs) {
+ proto_tree *subtree;
+ subtree = proto_item_add_subtree(actx->created_item, ett_lte_rrc_warningMessageSegment);
+ dissect_lte_rrc_warningMessageSegment(warning_msg_seg_tvb, subtree, actx->pinfo, GPOINTER_TO_UINT(p_dcs));
+ }
}
#.TYPE_ATTR
@@ -598,7 +611,7 @@ SystemInformationBlockType12-r9/messageIdentifier-r9 TYPE=FT_UINT16 DISPLAY=BASE
#.FN_FTR SystemInformationBlockType12-r9/serialNumber-r9
if (serial_nb_tvb) {
proto_tree *subtree;
- actx->private_data = GUINT_TO_POINTER(GPOINTER_TO_UINT(actx->private_data) | tvb_get_ntohs(serial_nb_tvb, 0));
+ actx->private_data = GUINT_TO_POINTER((actx->private_data ? GPOINTER_TO_UINT(actx->private_data) : 0) | tvb_get_ntohs(serial_nb_tvb, 0));
subtree = proto_item_add_subtree(actx->created_item, ett_lte_rrc_serialNumber);
proto_tree_add_item(subtree, hf_lte_rrc_serialNumber_gs, serial_nb_tvb, 0, 2, ENC_BIG_ENDIAN);
proto_tree_add_item(subtree, hf_lte_rrc_serialNumber_msg_code, serial_nb_tvb, 0, 2, ENC_BIG_ENDIAN);
@@ -615,8 +628,10 @@ SystemInformationBlockType12-r9/messageIdentifier-r9 TYPE=FT_UINT16 DISPLAY=BASE
guint32 dataCodingScheme;
subtree = proto_item_add_subtree(actx->created_item, ett_lte_rrc_dataCodingScheme);
dataCodingScheme = dissect_cbs_data_coding_scheme(data_coding_scheme_tvb, actx->pinfo, subtree, 0);
- g_hash_table_insert(lte_rrc_etws_cmas_dcs_hash, actx->private_data,
- GUINT_TO_POINTER(dataCodingScheme));
+ if (actx->private_data) {
+ g_hash_table_insert(lte_rrc_etws_cmas_dcs_hash, actx->private_data,
+ GUINT_TO_POINTER(dataCodingScheme));
+ }
}
#.FN_BODY SystemInformationBlockType12-r9/warningMessageSegment-r9 VAL_PTR=&warning_msg_seg_tvb
@@ -625,11 +640,13 @@ SystemInformationBlockType12-r9/messageIdentifier-r9 TYPE=FT_UINT16 DISPLAY=BASE
%(DEFAULT_BODY)s
#.FN_FTR SystemInformationBlockType12-r9/warningMessageSegment-r9
- p_dcs = g_hash_table_lookup(lte_rrc_etws_cmas_dcs_hash, actx->private_data);
- if (warning_msg_seg_tvb && p_dcs) {
- proto_tree *subtree;
- subtree = proto_item_add_subtree(actx->created_item, ett_lte_rrc_warningMessageSegment);
- dissect_lte_rrc_warningMessageSegment(warning_msg_seg_tvb, subtree, actx->pinfo, GPOINTER_TO_UINT(p_dcs));
+ if (actx->private_data) {
+ p_dcs = g_hash_table_lookup(lte_rrc_etws_cmas_dcs_hash, actx->private_data);
+ if (warning_msg_seg_tvb && p_dcs) {
+ proto_tree *subtree;
+ subtree = proto_item_add_subtree(actx->created_item, ett_lte_rrc_warningMessageSegment);
+ dissect_lte_rrc_warningMessageSegment(warning_msg_seg_tvb, subtree, actx->pinfo, GPOINTER_TO_UINT(p_dcs));
+ }
}
#.TYPE_ATTR