From 5bf565690ad9f0771196d8fa237aa37fae3bb7cc Mon Sep 17 00:00:00 2001
From: Pascal Quantin
Date: Sat, 17 Oct 2015 13:28:19 +0200
Subject: NBAP: avoid dereferencing a NULL pointer

Bug: 11602
Change-Id: I56b9db19eca416c288f36c1f3a4faa7e22b38c8f
Reviewed-on: https://code.wireshark.org/review/11109
Reviewed-by: Pascal Quantin
Petri-Dish: Pascal Quantin
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte
---
 asn1/nbap/nbap.cnf | 7 +++--
 epan/dissectors/packet-nbap.c | 71 ++++++++++++++++++++++---------------------
 2 files changed, 42 insertions(+), 36 deletions(-)

diff --git a/asn1/nbap/nbap.cnf b/asn1/nbap/nbap.cnf
index f7b62c22c9..aa829a0c66 100644
--- a/asn1/nbap/nbap.cnf
+++ b/asn1/nbap/nbap.cnf
@@ -1243,7 +1243,7 @@ dch_id = 0xFFFFFFFF;
 #.FN_BODY RL-Specific-E-DCH-Information-Item
 address dst_addr, null_addr;
 conversation_t *conversation;
-umts_fp_conversation_info_t *umts_fp_conversation_info;
+umts_fp_conversation_info_t *umts_fp_conversation_info = NULL;
 nbap_edch_port_info_t *old_info = NULL;
 transportLayerAddress_ipv4 = 0;
@@ -1263,11 +1263,14 @@ BindingID_port = 0;
 conversation = find_conversation(actx->pinfo->fd->num,&dst_addr, &null_addr, PT_UDP, BindingID_port, 0, NO_ADDR_B|NO_PORT_B);
+ if (conversation) {
+ umts_fp_conversation_info = (umts_fp_conversation_info_t*)conversation_get_proto_data(conversation, proto_fp);
+ }
 /* We must also check if this port is about to be overriden, if that's the case we
 * might already have a DCH entry on this port which should be overwritten */
- if (conversation == NULL || ((umts_fp_conversation_info_t*)conversation_get_proto_data(conversation, proto_fp))->channel == CHANNEL_DCH) {
+ if ((conversation == NULL) || (umts_fp_conversation_info && umts_fp_conversation_info->channel == CHANNEL_DCH)) {
diff --git a/epan/dissectors/packet-nbap.c b/epan/dissectors/packet-nbap.c
index 5055a53b5d..49dc4a700a 100644
--- a/epan/dissectors/packet-nbap.c
+++ b/epan/dissectors/packet-nbap.c
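Review bot: The new guard in the second nbap.cnf hunk only relocates the NULL dereference for the case where a conversation exists on the port but carries no proto_fp data: `umts_fp_conversation_info` then stays NULL, the whole condition is false, and control takes the else branch, which starts outside the hunk and presumably reads the FP conversation data. If that branch is meant for an existing E-DCH entry, a conversation without FP data should probably be handled like a missing one, `if (conversation == NULL || umts_fp_conversation_info == NULL || umts_fp_conversation_info->channel == CHANNEL_DCH) {`, or the else branch needs its own NULL check; which is right depends on the rest of the FN_BODY, which begins in the previous hunk and continues past this one. A one-line comment above the guard, e.g. `/* no conversation, or one whose FP data is missing or still DCH: set it up as E-DCH */`, would make the intended policy explicit. The same applies to the generated copy of this code in epan/dissectors/packet-nbap.c (the @@ -28802 hunk).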
@@ -10027,7 +10027,7 @@ dissect_nbap_AddorDeleteIndicator(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t
 static int
 dissect_nbap_CFN(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 2143 "../../asn1/nbap/nbap.cnf"
+#line 2146 "../../asn1/nbap/nbap.cnf"
 offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, 0U, 255U, &cfn, FALSE);
@@ -10280,7 +10280,7 @@ dissect_nbap_AvailabilityStatus(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *a
 static int
 dissect_nbap_HSDSCH_RNTI(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 2108 "../../asn1/nbap/nbap.cnf"
+#line 2111 "../../asn1/nbap/nbap.cnf"
 umts_fp_conversation_info_t *umts_fp_conversation_info = NULL;
 address null_addr;
 conversation_t *conversation = NULL;
@@ -11502,7 +11502,7 @@ dissect_nbap_Common_E_DCH_Resource_Combination_InfoList(tvbuff_t *tvb _U_, int o
 static int
 dissect_nbap_Common_MACFlow_ID(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1967 "../../asn1/nbap/nbap.cnf"
+#line 1970 "../../asn1/nbap/nbap.cnf"
 offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, 0U, maxNrOfCommonMACFlows_1, &common_macdflow_id, FALSE);
@@ -11636,7 +11636,7 @@ dissect_nbap_E_DCH_MACdFlow_Multiplexing_List(tvbuff_t *tvb _U_, int offset _U_,
 static int
 dissect_nbap_LogicalChannelID(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1620 "../../asn1/nbap/nbap.cnf"
+#line 1623 "../../asn1/nbap/nbap.cnf"
 /* Set logical channel id for this entry*/
 offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, 1U, 15U, &logical_channel_id, FALSE);
@@ -11655,7 +11655,7 @@ dissect_nbap_LogicalChannelID(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *act
 static int
 dissect_nbap_MAC_PDU_SizeExtended(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1723 "../../asn1/nbap/nbap.cnf"
+#line 1726 "../../asn1/nbap/nbap.cnf"
 offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, 1U, 1504U, NULL, TRUE);
@@ -12078,7 +12078,7 @@ static const per_sequence_t CommonMACFlow_Specific_InfoItem_sequence[] = {
 static int
 dissect_nbap_CommonMACFlow_Specific_InfoItem(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1974 "../../asn1/nbap/nbap.cnf"
+#line 1977 "../../asn1/nbap/nbap.cnf"
 address dst_addr;
 transportLayerAddress_ipv4 = 0;
 BindingID_port = 0;
@@ -12123,7 +12123,7 @@ dissect_nbap_CommonMACFlow_Specific_InfoList(tvbuff_t *tvb _U_, int offset _U_,
 static int
 dissect_nbap_MACdPDU_Size(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1611 "../../asn1/nbap/nbap.cnf"
+#line 1614 "../../asn1/nbap/nbap.cnf"
 offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, 1U, 5000U, &MACdPDU_Size, TRUE);
@@ -13343,7 +13343,7 @@ dissect_nbap_CriticalityDiagnostics(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_
 static int
 dissect_nbap_CRNC_CommunicationContextID(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 2082 "../../asn1/nbap/nbap.cnf"
+#line 2085 "../../asn1/nbap/nbap.cnf"
 offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, 0U, 1048575U, &com_context_id, FALSE);
@@ -18027,7 +18027,7 @@ dissect_nbap_E_DCH_HARQ_Combining_Capability(tvbuff_t *tvb _U_, int offset _U_,
 static int
 dissect_nbap_E_DCH_DDI_Value(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1601 "../../asn1/nbap/nbap.cnf"
+#line 1604 "../../asn1/nbap/nbap.cnf"
 offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index, 0U, 62U, &e_dch_ddi_value, FALSE);
@@ -18161,7 +18161,7 @@ static const per_sequence_t E_DCH_LogicalChannelInformationItem_sequence[] = {
 static int
 dissect_nbap_E_DCH_LogicalChannelInformationItem(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1598 "../../asn1/nbap/nbap.cnf"
+#line 1601 "../../asn1/nbap/nbap.cnf"
 num_items++;
@@ -18178,7 +18178,7 @@ static const per_sequence_t E_DCH_LogicalChannelInformation_sequence_of[1] = {
 static int
 dissect_nbap_E_DCH_LogicalChannelInformation(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1591 "../../asn1/nbap/nbap.cnf"
+#line 1594 "../../asn1/nbap/nbap.cnf"
 num_items = 0;
 offset = dissect_per_constrained_sequence_of(tvb, offset, actx, tree, hf_index,
@@ -18211,7 +18211,7 @@ static const per_sequence_t E_DCH_MACdFlow_Specific_InfoItem_sequence[] = {
 static int
 dissect_nbap_E_DCH_MACdFlow_Specific_InfoItem(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1353 "../../asn1/nbap/nbap.cnf"
+#line 1356 "../../asn1/nbap/nbap.cnf"
 umts_fp_conversation_info_t *p_conv_data = NULL;
 address null_addr;
 conversation_t *p_conv;
@@ -18394,7 +18394,7 @@ static const per_sequence_t E_DCH_LogicalChannelToModifyItem_sequence[] = {
 static int
 dissect_nbap_E_DCH_LogicalChannelToModifyItem(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1586 "../../asn1/nbap/nbap.cnf"
+#line 1589 "../../asn1/nbap/nbap.cnf"
 offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index, ett_nbap_E_DCH_LogicalChannelToModifyItem, E_DCH_LogicalChannelToModifyItem_sequence);
@@ -18469,7 +18469,7 @@ static const per_sequence_t E_DCH_MACdFlow_Specific_InfoItem_to_Modify_sequence[
 static int
 dissect_nbap_E_DCH_MACdFlow_Specific_InfoItem_to_Modify(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1494 "../../asn1/nbap/nbap.cnf"
+#line 1497 "../../asn1/nbap/nbap.cnf"
 guint32 no_ddi_entries, i;
 address null_addr;
 nbap_edch_port_info_t *old_info;
@@ -18611,7 +18611,7 @@ static const per_sequence_t E_DCH_FDD_Information_to_Modify_sequence[] = {
 static int
 dissect_nbap_E_DCH_FDD_Information_to_Modify(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1406 "../../asn1/nbap/nbap.cnf"
+#line 1409 "../../asn1/nbap/nbap.cnf"
 address dst_addr, null_addr;
 conversation_t *conversation,*old_conversation = NULL;
@@ -23303,7 +23303,7 @@ static const per_sequence_t HSDSCH_Common_System_InformationFDD_sequence[] = {
 static int
 dissect_nbap_HSDSCH_Common_System_InformationFDD(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1994 "../../asn1/nbap/nbap.cnf"
+#line 1997 "../../asn1/nbap/nbap.cnf"
 /*
 * 5.1.6 High Speed Downlink Shared Channels
 * The Data Transfer procedure is used to transfer a HS-DSCH DATA FRAME (TYPE 1, TYPE 2 [FDD and 1.28Mcps
@@ -23464,7 +23464,7 @@ static const per_sequence_t HSDSCH_MACdFlow_Specific_InfoItem_sequence[] = {
 static int
 dissect_nbap_HSDSCH_MACdFlow_Specific_InfoItem(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1701 "../../asn1/nbap/nbap.cnf"
+#line 1704 "../../asn1/nbap/nbap.cnf"
 address dst_addr;
@@ -23567,7 +23567,7 @@ static const value_string nbap_RLC_Mode_vals[] = {
 static int
 dissect_nbap_RLC_Mode(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1628 "../../asn1/nbap/nbap.cnf"
+#line 1631 "../../asn1/nbap/nbap.cnf"
 guint32 rlc_mode;
 offset = dissect_per_enumerated(tvb, offset, actx, tree, hf_index,
@@ -23608,7 +23608,7 @@ static const per_sequence_t PriorityQueue_InfoItem_sequence[] = {
 static int
 dissect_nbap_PriorityQueue_InfoItem(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1692 "../../asn1/nbap/nbap.cnf"
+#line 1695 "../../asn1/nbap/nbap.cnf"
 num_items++;
@@ -23642,7 +23642,7 @@ static const per_sequence_t HSDSCH_MACdFlows_Information_sequence[] = {
 static int
 dissect_nbap_HSDSCH_MACdFlows_Information(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1652 "../../asn1/nbap/nbap.cnf"
+#line 1655 "../../asn1/nbap/nbap.cnf"
 int protocol_ie_id;
 guint32 i;
@@ -23686,7 +23686,7 @@ dissect_nbap_HSDSCH_MACdFlows_Information(tvbuff_t *tvb _U_, int offset _U_, asn
 static int
 dissect_nbap_T_hSDSCH_Physical_Layer_Category(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1645 "../../asn1/nbap/nbap.cnf"
+#line 1648 "../../asn1/nbap/nbap.cnf"
 guint32 hsdsch_physical_layer_category;
 offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
@@ -23754,7 +23754,7 @@ static const per_sequence_t HSDSCH_FDD_Information_sequence[] = {
 static int
 dissect_nbap_HSDSCH_FDD_Information(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1753 "../../asn1/nbap/nbap.cnf"
+#line 1756 "../../asn1/nbap/nbap.cnf"
 /*
 * Collect the information about the HSDSCH MACdFlows set up conversation(s) and set the conversation data.
 */
@@ -23891,7 +23891,7 @@ static const per_sequence_t HSDSCH_MACdFlow_Specific_InfoItem_to_Modify_sequence
 static int
 dissect_nbap_HSDSCH_MACdFlow_Specific_InfoItem_to_Modify(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1842 "../../asn1/nbap/nbap.cnf"
+#line 1845 "../../asn1/nbap/nbap.cnf"
 address dst_addr;
 transportLayerAddress_ipv4 = 0;
 BindingID_port = 0;
@@ -23949,7 +23949,7 @@ static const per_sequence_t PriorityQueue_InfoItem_to_Add_sequence[] = {
 static int
 dissect_nbap_PriorityQueue_InfoItem_to_Add(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1695 "../../asn1/nbap/nbap.cnf"
+#line 1698 "../../asn1/nbap/nbap.cnf"
 num_items = 1;
@@ -24084,7 +24084,7 @@ static const per_sequence_t HSDSCH_Information_to_Modify_sequence[] = {
 static int
 dissect_nbap_HSDSCH_Information_to_Modify(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1862 "../../asn1/nbap/nbap.cnf"
+#line 1865 "../../asn1/nbap/nbap.cnf"
 /*
 * This is pretty much the same like if we setup a previous flow
 */
@@ -24206,7 +24206,7 @@ static const value_string nbap_HSDSCH_MACdPDUSizeFormat_vals[] = {
 static int
 dissect_nbap_HSDSCH_MACdPDUSizeFormat(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1730 "../../asn1/nbap/nbap.cnf"
+#line 1733 "../../asn1/nbap/nbap.cnf"
 /*
 * Removed 10 Aug. 2012, I'm not sure if this was right, it wrongfully
 * set some packets as type 2 for HSDHCH modified items.
@@ -24317,7 +24317,7 @@ static const per_sequence_t HSDSCH_MACdFlow_Specific_InformationResp_Item_sequen
 static int
 dissect_nbap_HSDSCH_MACdFlow_Specific_InformationResp_Item(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1698 "../../asn1/nbap/nbap.cnf"
+#line 1701 "../../asn1/nbap/nbap.cnf"
 num_items++;
@@ -24733,7 +24733,7 @@ static const per_sequence_t HSDSCH_Paging_System_InformationFDD_sequence[] = {
 static int
 dissect_nbap_HSDSCH_Paging_System_InformationFDD(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 2072 "../../asn1/nbap/nbap.cnf"
+#line 2075 "../../asn1/nbap/nbap.cnf"
 /* g_warning("HS-DSCH Type 3 NOT Implemented!"); */
@@ -24927,7 +24927,7 @@ static const per_sequence_t HSDSCH_MACdFlows_to_Delete_Item_sequence[] = {
 static int
 dissect_nbap_HSDSCH_MACdFlows_to_Delete_Item(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1689 "../../asn1/nbap/nbap.cnf"
+#line 1692 "../../asn1/nbap/nbap.cnf"
 num_items++;
@@ -24944,7 +24944,7 @@ static const per_sequence_t HSDSCH_MACdFlows_to_Delete_sequence_of[1] = {
 static int
 dissect_nbap_HSDSCH_MACdFlows_to_Delete(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 1684 "../../asn1/nbap/nbap.cnf"
+#line 1687 "../../asn1/nbap/nbap.cnf"
 num_items = 0;
@@ -28046,7 +28046,7 @@ dissect_nbap_NI_Information(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx
 static int
 dissect_nbap_NodeB_CommunicationContextID(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 2086 "../../asn1/nbap/nbap.cnf"
+#line 2089 "../../asn1/nbap/nbap.cnf"
 /*Set up and map that maps Node-B ids to CRNC ids, since often you only have one of them present in nbap*/
 nbap_com_context_id_t *cur_val;
@@ -28780,7 +28780,7 @@ dissect_nbap_RL_Specific_E_DCH_Information_Item(tvbuff_t *tvb _U_, int offset _U
 #line 1244 "../../asn1/nbap/nbap.cnf"
 address dst_addr, null_addr;
 conversation_t *conversation;
-umts_fp_conversation_info_t *umts_fp_conversation_info;
+umts_fp_conversation_info_t *umts_fp_conversation_info = NULL;
 nbap_edch_port_info_t *old_info = NULL;
 transportLayerAddress_ipv4 = 0;
@@ -28802,11 +28802,14 @@ BindingID_port = 0;
 conversation = find_conversation(actx->pinfo->fd->num,&dst_addr, &null_addr, PT_UDP, BindingID_port, 0, NO_ADDR_B|NO_PORT_B);
+ if (conversation) {
+ umts_fp_conversation_info = (umts_fp_conversation_info_t*)conversation_get_proto_data(conversation, proto_fp);
+ }
 /* We must also check if this port is about to be overriden, if that's the case we
 * might already have a DCH entry on this port which should be overwritten */
- if (conversation == NULL || ((umts_fp_conversation_info_t*)conversation_get_proto_data(conversation, proto_fp))->channel == CHANNEL_DCH) {
+ if ((conversation == NULL) || (umts_fp_conversation_info && umts_fp_conversation_info->channel == CHANNEL_DCH)) {
@@ -41060,7 +41063,7 @@ col_set_str(actx->pinfo->cinfo, COL_INFO,"RadioLinkReconfigurationCommit ");
 actx->pinfo->link_dir=P2P_DIR_DL;
-#line 2135 "../../asn1/nbap/nbap.cnf"
+#line 2138 "../../asn1/nbap/nbap.cnf"
 /*
 * Here we need to signal the CFN value, down to FP so
 * that lowert layers know when a reconfiguration becomes active
-- cgit v1.2.1