From 824eec89ca319698f02102e5e10a043887bd5440 Mon Sep 17 00:00:00 2001
From: John Thacker
Date: Mon, 12 Oct 2020 07:37:14 -0400
Subject: eassembly: Fix check for no data to prevent NULL deference

There's a check for adding a zero length fragment to a reassembly in progress, but it accidentally checks fd_head->tvb_data (the reassembly in progress) instead of fd_i->tvb_data (the new fragment) before calling tvb_get_data() on fd_i->tvb_data. (Note that data / fd_head->tvb_data is created based on the sum of the lengths of all the fd_i->tvb_data, so the former can only be NULL if all the latter are, but it's possible for one fragment to be zero length but not the entire reassembly. Thus this is the necessary and sufficient check.)

Fixes #15569
---
 epan/reassemble.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/epan/reassemble.c b/epan/reassemble.c
index 4b77b0e9fd..cc0924e4eb 100644
--- a/epan/reassemble.c
+++ b/epan/reassemble.c
@@ -1242,7 +1242,7 @@ fragment_add_work(fragment_head *fd_head, tvbuff_t *tvb, const int offset,
 fd_head->error = "dfpos < offset";
 } else if (dfpos - fd_i->offset > fd_i->len)
 fd_head->error = "dfpos - offset > len";
-else if (!fd_head->tvb_data)
+else if (!fd_i->tvb_data)
 fd_head->error = "no data";
 else {
 fraglen = fd_i->len;
-- 
cgit v1.2.3
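Review bot: The corrected condition `else if (!fd_i->tvb_data)` reads exactly like the three neighbouring error checks, so nothing in the code itself explains why the fragment's own buffer, rather than the reassembly buffer, must be tested here; that reasoning currently lives only in the commit message. A one-line comment above the branch would keep it with the code, e.g. `/* A zero-length fragment has no tvb_data even though fd_head->tvb_data (the reassembly so far) is non-NULL; check fd_i before tvb_get_data() reads it. */`. Since `fd_head->error` is set but the subsequent `tvb_get_data()` call and the rest of `fragment_add_work` lie outside the hunk, I could not confirm from these lines that the error assignment alone stops the later read; worth a glance at the caller-side handling of `fd_head->error` to be sure the NULL path is fully closed. The enclosing function starts and ends outside the hunk.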