authorEvan Huus <eapache@gmail.com>2014-08-12 20:21:19 -0400
committerEvan Huus <eapache@gmail.com>2014-08-13 02:47:32 +0000
commitd9e5021fe79973d00ddd8fcef0bbefbaae63dd0f (patch)
tree76259f8163508003cd900dee65d6f0f64514f8a6 /epan/dissectors/packet-hip.c
parent20721cbcbf76665b625d5b1243648c9a3ccc403d (diff)
hip: fix infinite loop in dissect_hip_tlv
We can't use tree_item == NULL to determine which branch of the previous if was hit, since proto_tree_add_item can return NULL when run without tree, which was leading to an infinite loop since we were never advancing the offset. Use the actual locator_type instead. Introduced by either g3635d7bed70 or gebff85fdbb although neither of them directly touch this code path. I'm guessing that g3635d7bed70 removed an if (tree) guard in some calling function which would have prevented this, but I haven't checked. The bug would still have been there before, it just wouldn't have been hit because it's only present with a NULL tree. Somebody more familiar with the protocol should probably go over a capture or two and make sure this isn't a symptom of some other decoding gone awry in the recent changes. Change-Id: Ie1ce89b16ef667b437c0d99c25e3f3cb2504347d Reviewed-on: https://code.wireshark.org/review/3564 Reviewed-by: Evan Huus <eapache@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-hip.c')
-rw-r--r--epan/dissectors/packet-hip.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/epan/dissectors/packet-hip.c b/epan/dissectors/packet-hip.c
index 71d67178c3..d87c39ff1b 100644
--- a/epan/dissectors/packet-hip.c
+++ b/epan/dissectors/packet-hip.c
@@ -662,7 +662,7 @@ dissect_hip_tlv(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_item *ti, i
newoffset += (1 + tvb_get_guint8(tvb, newoffset + 2));
tlv_len -= (1 + tvb_get_guint8(tvb, newoffset + 2));
}
- if (ti_loc) {
+ if (locator_type <= 2) {
ti_loc = proto_item_add_subtree(ti_loc, ett_hip_locator_data);
/* Traffic type */
proto_tree_add_item(ti_loc, hf_hip_tlv_locator_traffic_type, tvb,
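Review bot: In the two context lines just above the changed condition, `newoffset` is advanced by `1 + tvb_get_guint8(tvb, newoffset + 2)` and `tlv_len` is then reduced by a second read taken at the already-advanced `newoffset + 2`, so the offset and the remaining length can be adjusted by different packet-controlled amounts. Since this commit is about loop termination on untrusted input, it would be safer to read the byte once: `guint8 loc_len = tvb_get_guint8(tvb, newoffset + 2); newoffset += 1 + loc_len; tlv_len -= 1 + loc_len;`. The new test `locator_type <= 2` presumably mirrors the condition of the preceding if, which starts outside this hunk along with the enclosing loop, so that is worth confirming against it. A short comment such as `/* ti_loc may be NULL when dissecting without a tree; key on locator_type */` would record why the pointer is no longer tested.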