diff options
author | John A. Thacker <johnthacker@gmail.com> | 2016-11-18 18:35:28 -0500 |
---|---|---|
committer | Michael Mann <mmann78@netscape.net> | 2016-11-19 22:58:08 +0000 |
commit | abf802baf77bca3c0b4f94e81e8308b4c2d527fb (patch) | |
tree | 64612355d33869d061927438b72c9da1e70ade11 /epan | |
parent | 4eb61deedc79c8c446e6a162a1dc8ebea6e7353f (diff) |
Reassemble: fix premature free
Fix a memory error found by the buildbot and valgrind in my recent patch
Bug: 13100
Change-Id: Ieb21aa25e048f90ce7192546b0ad3d4718ff07df
Reviewed-on: https://code.wireshark.org/review/18877
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan')
-rw-r--r-- | epan/reassemble.c | 30 |
1 files changed, 17 insertions, 13 deletions
diff --git a/epan/reassemble.c b/epan/reassemble.c index e18da27431..62fb9519c0 100644 --- a/epan/reassemble.c +++ b/epan/reassemble.c @@ -2212,11 +2212,6 @@ fragment_add_seq_single_work(reassembly_table *table, tvbuff_t *tvb, } } prev_fd->next = NULL; - if (new_fh->next == NULL) { - old_tvb_data = fragment_delete(table, pinfo, id-frag_number, data); - if (old_tvb_data) - tvb_free(old_tvb_data); - } break; } } @@ -2230,14 +2225,23 @@ fragment_add_seq_single_work(reassembly_table *table, tvbuff_t *tvb, } } MERGE_FRAG(fh, fd); - /* If we've moved a Last packet, change the datalen. - * Second part of this test should be unnecessary. */ - if (new_fh->flags & FD_DATALEN_SET && - new_fh->datalen >= frag_number) { - fh->flags |= FD_DATALEN_SET; - fh->datalen = new_fh->datalen - frag_number; - new_fh->flags &= ~FD_DATALEN_SET; - new_fh->datalen = 0; + if (new_fh != NULL) { + /* If we've moved a Last packet, change datalen. + * Second part of this test prob. redundant? */ + if (new_fh->flags & FD_DATALEN_SET && + new_fh->datalen >= frag_number) { + fh->flags |= FD_DATALEN_SET; + fh->datalen = new_fh->datalen - frag_number; + new_fh->flags &= ~FD_DATALEN_SET; + new_fh->datalen = 0; + } + /* If we've moved all the fragments, + * delete the old head */ + if (new_fh->next == NULL) { + old_tvb_data = fragment_delete(table, pinfo, id-frag_number, data); + if (old_tvb_data) + tvb_free(old_tvb_data); + } } else { /* Look forward and take off the next (this is * necessary in some edge cases where max_frags |