btavctp: rework the reassemble routine (CID 1355682).

The CID is about the lack of check of wmem_tree_lookup32_le() return value, but the old code worths a bit of rework. Change-Id: I3adb868d2baa1c8aea3f914f7fb9fdf75f222960 Reviewed-on: https://code.wireshark.org/review/17322 Petri-Dish: Dario Lombardo <lomato@gmail.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Anders Broman <a.broman58@gmail.com>
2016-08-25 10:18:11 +02:00 · 2016-08-25 10:18:11 +02:00 · 2ddb46dbee
parent f01190ca90
commit 2ddb46dbee
1 changed files with 6 additions and 13 deletions
--- a/epan/dissectors/packet-btavctp.c
+++ b/epan/dissectors/packet-btavctp.c
@ -329,7 +329,6 @@ dissect_btavctp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
            call_data_dissector(next_tvb, pinfo, tree);

        } else if (packet_type == PACKET_TYPE_END) {
-            guint    i_length = 0;

            fragments = (fragments_t *)wmem_tree_lookup32_array_le(reassembling, key);
            if (!(fragments && fragments->interface_id == interface_id &&
@ -375,22 +374,16 @@ dissect_btavctp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
                expert_add_info(pinfo, pitem, &ei_btavctp_unexpected_frame);
                call_data_dissector(next_tvb, pinfo, tree);
            } else {
-                guint8   *reassembled;
+                guint8   *reassembled = NULL;
                bluetooth_uuid_t  uuid;

                for (i_frame = 1; i_frame <= fragments->count; ++i_frame) {
                    fragment = (fragment_t *)wmem_tree_lookup32_le(fragments->fragment, i_frame);
-                    length += fragment->length;
-                }
-
-                reassembled = (guint8 *) wmem_alloc(pinfo->pool, length);
-
-                for (i_frame = 1; i_frame <= fragments->count; ++i_frame) {
-                    fragment = (fragment_t *)wmem_tree_lookup32_le(fragments->fragment, i_frame);
-                    memcpy(reassembled + i_length,
-                            fragment->data,
-                            fragment->length);
-                    i_length += fragment->length;
+                    if (fragment) {
+                        reassembled = (guint8*)wmem_realloc(pinfo->pool, reassembled, length + fragment->length);
+                        memcpy(reassembled + length, fragment->data, fragment->length);
+                        length += fragment->length;
+                    }
                }

                next_tvb = tvb_new_child_real_data(tvb, reassembled, length, length);