author | Darien Spencer <cusneud@mail.com> | 2017-07-10 18:39:49 +0300 |
committer | Anders Broman <a.broman58@gmail.com> | 2017-07-10 19:19:21 +0000 |
commit | 3affd3c905f1b22274b09a9ea5b3e9eef711a1be (patch) | |
tree | 4fdb4c8c4c23cf73670834e66b9c1d2783ee12dc /epan/dissectors | |
parent | 7b68744cfd8b5feb5576e441b314ad7319263e05 (diff) |
UMTS FP: Fix access violation in PCH heuristic dissector
The dissector dereferenced a NULL pointer if the first frame in the PCH stream was an FP control frame.
Change-Id: Icdf2fae57436fe59e16ebe0a5233675e7599f5f4
Reviewed-on: https://code.wireshark.org/review/22578
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'epan/dissectors')
-rw-r--r-- | epan/dissectors/packet-umts_fp.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/epan/dissectors/packet-umts_fp.c b/epan/dissectors/packet-umts_fp.c
index 84568e3d74..af79c4fe0f 100644
--- a/epan/dissectors/packet-umts_fp.c
+++ b/epan/dissectors/packet-umts_fp.c
@@ -4013,7 +4013,7 @@ generate_ue_id_for_heur(packet_info *pinfo)
 /* Fills common PCH information in a 'fp conversation info' object */
 /* Should only be used in heuristic dissectors! */
 static void
-fill_pch_coversation_info_for_heur(umts_fp_conversation_info_t* umts_fp_conversation_info ,packet_info *pinfo)
+fill_pch_conversation_info_for_heur(umts_fp_conversation_info_t* umts_fp_conversation_info ,packet_info *pinfo)
 {
     umts_fp_conversation_info->iface_type = IuB_Interface;
     umts_fp_conversation_info->division = Division_FDD;
@@ -4429,6 +4429,7 @@ heur_dissect_fp_pch(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
     umts_fp_conversation_info_t* umts_fp_conversation_info = NULL;
     fp_pch_channel_info_t* fp_pch_channel_info = NULL;
     struct fp_info *p_fp_info;
+    gboolean conversation_initialized = FALSE;
     guint32 captured_length;
     guint32 reported_length;
     guint8 frame_type;
@@ -4457,6 +4458,7 @@ heur_dissect_fp_pch(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
     fp_pch_channel_info = (fp_pch_channel_info_t*)umts_fp_conversation_info->channel_specific_info;
     /* Making sure this conversation type is "PCH" and the PCH channel info is present */
     if (umts_fp_conversation_info->channel == CHANNEL_PCH && fp_pch_channel_info != NULL) {
+        conversation_initialized = TRUE;
         pi_length_found = fp_pch_channel_info->paging_indications != 0;
         tb_size_found = umts_fp_conversation_info->fp_dch_channel_info[0].dl_chan_tf_size[1] != 0;
         if (pi_length_found && tb_size_found) {
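Review bot: `conversation_initialized` in the @@ -4429 hunk records more than its name says: in the @@ -4457 hunk it becomes TRUE only when the looked-up conversation has channel == CHANNEL_PCH and a non-NULL channel_specific_info, and the guards added later in the function use it to decide whether fill_pch_conversation_info_for_heur must still run. A comment at the declaration would make that contract explicit, e.g. `gboolean conversation_initialized = FALSE; /* TRUE if the existing conversation already carries PCH channel info */`. heur_dissect_fp_pch starts before and continues past both hunks.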
@@ -4549,8 +4551,10 @@ heur_dissect_fp_pch(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
         }
         if (!umts_fp_conversation_info) {
             umts_fp_conversation_info = wmem_new0(wmem_file_scope(), umts_fp_conversation_info_t);
-            fill_pch_coversation_info_for_heur(umts_fp_conversation_info, pinfo);
             set_both_sides_umts_fp_conv_data(pinfo, umts_fp_conversation_info);
+        }
+        if(!conversation_initialized) {
+            fill_pch_conversation_info_for_heur(umts_fp_conversation_info, pinfo);
             fp_pch_channel_info = (fp_pch_channel_info_t*)umts_fp_conversation_info->channel_specific_info;
         }
         fp_pch_channel_info->paging_indications = pi_bit_length;
@@ -4562,7 +4566,9 @@ heur_dissect_fp_pch(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
         if (!umts_fp_conversation_info) {
             umts_fp_conversation_info = wmem_new0(wmem_file_scope(), umts_fp_conversation_info_t);
             set_both_sides_umts_fp_conv_data(pinfo, umts_fp_conversation_info);
-            fill_pch_coversation_info_for_heur(umts_fp_conversation_info, pinfo);
+        }
+        if(!conversation_initialized) {
+            fill_pch_conversation_info_for_heur(umts_fp_conversation_info, pinfo);
         }
         tb_byte_length = (reported_length - (pi_byte_length + 6)); /* Removing header length (4), footer length (2) and PI bitmap length*/
         /* Possible TB lengths for PCH is 10 or 30 bytes ( See 3GPP TR 25.944 / 4.1.1.2 ) */
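Review bot: The new guard `if(!conversation_initialized) { fill_pch_conversation_info_for_heur(umts_fp_conversation_info, pinfo); }` is repeated verbatim in this hunk, the @@ -4562 hunk and the @@ -4583 hunk, each time right after the `if (!umts_fp_conversation_info)` allocation; since the flag is already known before these branches, a single guard placed ahead of the branching would remove the triplication and keep the three paths from drifting apart (only this hunk also re-reads fp_pch_channel_info, which the following `fp_pch_channel_info->paging_indications = pi_bit_length;` needs). The flag is FALSE not only for a brand-new conversation but also for an existing one whose channel is not CHANNEL_PCH, so such a conversation is re-filled as PCH here without a trace; if an earlier return already excludes that case (that code is outside the hunk) a comment such as `/* Conversation exists (e.g. created by a control frame) but carries no PCH info yet */` above the guard would say so. `if(!conversation_initialized)` also drops the space after `if` that the neighbouring `if (!umts_fp_conversation_info)` uses. heur_dissect_fp_pch starts before and continues past these hunks.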
@@ -4583,9 +4589,11 @@ heur_dissect_fp_pch(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *d
         /* TB present and PI bitmap is missing. Can calculate TB length.*/
         if (!umts_fp_conversation_info) {
             umts_fp_conversation_info = wmem_new0(wmem_file_scope(), umts_fp_conversation_info_t);
-            fill_pch_coversation_info_for_heur(umts_fp_conversation_info, pinfo);
             set_both_sides_umts_fp_conv_data(pinfo, umts_fp_conversation_info);
         }
+        if(!conversation_initialized) {
+            fill_pch_conversation_info_for_heur(umts_fp_conversation_info, pinfo);
+        }
         tb_byte_length = (reported_length - 6); /* Removing header length (4), footer length (2) */
         /* Possible TB lengths for PCH is 10 or 30 bytes ( See 3GPP TR 25.944 / 4.1.1.2 ) */
         if (tb_byte_length == 10 || tb_byte_length == 30) {