GSM CBCH: fix an out of bounds access

As explained by Guy, we should use new_slots[i] and not new_slots[k] Bug: 12278 Change-Id: Ifae44f9d5948bed5c4ee0442510724016e307dee Reviewed-on: https://code.wireshark.org/review/14678 Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com> Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-03-28 16:30:55 +02:00 · 2016-03-28 16:30:55 +02:00 · 0fe522dfc6
parent 0aa0fb25e0
commit 0fe522dfc6
1 changed files with 6 additions and 6 deletions
--- a/epan/dissectors/packet-gsm_cbch.c
+++ b/epan/dissectors/packet-gsm_cbch.c
@ -253,22 +253,22 @@ dissect_schedule_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *top_tree
                else if (octet1 == 0x40)
                {
                    /* MDT 010000000 */
-                    proto_tree_add_uint_format_value(sched_subtree, hf_gsm_cbch_slot, tvb, offset++, 1, new_slots[k],
-                                    "%d Free Message Slot, optional reading", new_slots[k]);
+                    proto_tree_add_uint_format_value(sched_subtree, hf_gsm_cbch_slot, tvb, offset++, 1, new_slots[i],
+                                    "%d Free Message Slot, optional reading", new_slots[i]);
                    other_slots[new_slots[i] - 1] = 0xFFFE;
                }
                else if (octet1 == 0x41)
                {
                    /* MDT 010000001 */
-                    proto_tree_add_uint_format_value(sched_subtree, hf_gsm_cbch_slot, tvb, offset++, 1, new_slots[k],
-                                     "%d Free Message Slot, reading advised", new_slots[k]);
+                    proto_tree_add_uint_format_value(sched_subtree, hf_gsm_cbch_slot, tvb, offset++, 1, new_slots[i],
+                                     "%d Free Message Slot, reading advised", new_slots[i]);
                    other_slots[new_slots[i] - 1] = 0xFFFE;
                }
                else
                {
                    /* reserved MDT */
-                    proto_tree_add_uint_format_value(sched_subtree, hf_gsm_cbch_slot, tvb, offset, 1, new_slots[k],
-                                     "%d reserved MDT: %x", new_slots[k], octet1);
+                    proto_tree_add_uint_format_value(sched_subtree, hf_gsm_cbch_slot, tvb, offset, 1, new_slots[i],
+                                     "%d reserved MDT: %x", new_slots[i], octet1);
                    other_slots[new_slots[i] - 1] = 0xFFFE;
                }
            }