authorPascal Quantin <pascal.quantin@gmail.com>2017-07-05 10:19:08 +0200
committerPascal Quantin <pascal.quantin@gmail.com>2017-07-05 09:31:21 +0000
commit02f66afd64753c6b177ba21c46bdf938d682afe4 (patch)
tree5effc964d8a421514431ac7a51d99477dfc7833b /epan/dissectors/packet-umts_fp.c
parenta45ed8a222d3b571aab77c711dfed85009e3d7a9 (diff)
UMTS FP: do not try to compute CRC on payload when no payload is present
A call to tvb_memdup() with a 0 length triggers a UBSan warning Change-Id: I6c99ef85050cd2219d2135f64f747961a8be6927 Ping-Bug: 13871 Reviewed-on: https://code.wireshark.org/review/22521 Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-umts_fp.c')
-rw-r--r--epan/dissectors/packet-umts_fp.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/epan/dissectors/packet-umts_fp.c b/epan/dissectors/packet-umts_fp.c
index 5db371cc2b..4f9512709e 100644
--- a/epan/dissectors/packet-umts_fp.c
+++ b/epan/dissectors/packet-umts_fp.c
@@ -1058,12 +1058,16 @@ dissect_spare_extension_and_crc(tvbuff_t *tvb, packet_info *pinfo,
}
if (crc_size) {
- proto_item * pi = proto_tree_add_item(tree, hf_fp_payload_crc, tvb, offset, crc_size,
+ proto_item * pi = proto_tree_add_item(tree, hf_fp_payload_crc, tvb, offset, crc_size,
ENC_BIG_ENDIAN);
if (preferences_payload_checksum) {
guint16 calc_crc, read_crc;
- guint8 * data = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, header_length, offset-header_length);
- calc_crc = crc16_8005_noreflect_noxor(data, offset-header_length);
+ if ((guint)offset > header_length) {
+ guint8 * data = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, header_length, offset-header_length);
+ calc_crc = crc16_8005_noreflect_noxor(data, offset-header_length);
+ } else {
+ calc_crc = 0;
+ }
read_crc = tvb_get_bits16(tvb, offset*8, 16, ENC_BIG_ENDIAN);
if (calc_crc == read_crc) {