osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity

[NBAP] Prevent crash. 

If no previous conversation exists, a memcpy will try to copy from NULL destination.

Bug: 11835
Change-Id: I445480bb425834c5a918f1ffa148cb83d6c9750c
Reviewed-on: https://code.wireshark.org/review/12326
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This commit is contained in:
Michael Mann 2015-11-30 23:42:33 -05:00 committed by Anders Broman
parent 79f7edba15
commit 5b4ada1772
2 changed files with 36 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
asn1/nbap/nbap.cnf
View File

@ -1453,8 +1453,9 @@ BindingID_port = 0;
conversation_set_dissector(conversation, fp_handle);
if(actx->pinfo->link_dir==P2P_DIR_DL){
umts_fp_conversation_info = wmem_new0(wmem_file_scope(), umts_fp_conversation_info_t);
/*Steal the old informatoin*/
memcpy(umts_fp_conversation_info,conversation_get_proto_data(old_conversation, proto_fp),sizeof(umts_fp_conversation_info_t));
/* Steal the old information */
if (old_conversation)
memcpy(umts_fp_conversation_info,conversation_get_proto_data(old_conversation, proto_fp),sizeof(umts_fp_conversation_info_t));
/* Overwrite the data */
umts_fp_conversation_info->iface_type = IuB_Interface;

65
epan/dissectors/packet-nbap.c
View File

@ -10027,7 +10027,7 @@ dissect_nbap_AddorDeleteIndicator(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t
static int
dissect_nbap_CFN(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 2146 "../../asn1/nbap/nbap.cnf"
#line 2147 "../../asn1/nbap/nbap.cnf"
offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
0U, 255U, &cfn, FALSE);
@ -10280,7 +10280,7 @@ dissect_nbap_AvailabilityStatus(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *a
static int
dissect_nbap_HSDSCH_RNTI(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 2111 "../../asn1/nbap/nbap.cnf"
#line 2112 "../../asn1/nbap/nbap.cnf"
umts_fp_conversation_info_t *umts_fp_conversation_info = NULL;
address null_addr;
conversation_t *conversation = NULL;
@ -11502,7 +11502,7 @@ dissect_nbap_Common_E_DCH_Resource_Combination_InfoList(tvbuff_t *tvb _U_, int o
static int
dissect_nbap_Common_MACFlow_ID(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1970 "../../asn1/nbap/nbap.cnf"
#line 1971 "../../asn1/nbap/nbap.cnf"
offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
0U, maxNrOfCommonMACFlows_1, &common_macdflow_id, FALSE);
@ -11636,7 +11636,7 @@ dissect_nbap_E_DCH_MACdFlow_Multiplexing_List(tvbuff_t *tvb _U_, int offset _U_,
static int
dissect_nbap_LogicalChannelID(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1623 "../../asn1/nbap/nbap.cnf"
#line 1624 "../../asn1/nbap/nbap.cnf"
/* Set logical channel id for this entry*/
offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
1U, 15U, &logical_channel_id, FALSE);
@ -11655,7 +11655,7 @@ dissect_nbap_LogicalChannelID(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *act
static int
dissect_nbap_MAC_PDU_SizeExtended(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1726 "../../asn1/nbap/nbap.cnf"
#line 1727 "../../asn1/nbap/nbap.cnf"
offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
1U, 1504U, NULL, TRUE);
@ -12078,7 +12078,7 @@ static const per_sequence_t CommonMACFlow_Specific_InfoItem_sequence[] = {
static int
dissect_nbap_CommonMACFlow_Specific_InfoItem(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1977 "../../asn1/nbap/nbap.cnf"
#line 1978 "../../asn1/nbap/nbap.cnf"
address dst_addr;
transportLayerAddress_ipv4 = 0;
BindingID_port = 0;
@ -12123,7 +12123,7 @@ dissect_nbap_CommonMACFlow_Specific_InfoList(tvbuff_t *tvb _U_, int offset _U_,
static int
dissect_nbap_MACdPDU_Size(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1614 "../../asn1/nbap/nbap.cnf"
#line 1615 "../../asn1/nbap/nbap.cnf"
offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
1U, 5000U, &MACdPDU_Size, TRUE);
@ -13343,7 +13343,7 @@ dissect_nbap_CriticalityDiagnostics(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_
static int
dissect_nbap_CRNC_CommunicationContextID(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 2085 "../../asn1/nbap/nbap.cnf"
#line 2086 "../../asn1/nbap/nbap.cnf"
offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
0U, 1048575U, &com_context_id, FALSE);
@ -18027,7 +18027,7 @@ dissect_nbap_E_DCH_HARQ_Combining_Capability(tvbuff_t *tvb _U_, int offset _U_,
static int
dissect_nbap_E_DCH_DDI_Value(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1604 "../../asn1/nbap/nbap.cnf"
#line 1605 "../../asn1/nbap/nbap.cnf"
offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
0U, 62U, &e_dch_ddi_value, FALSE);
@ -18161,7 +18161,7 @@ static const per_sequence_t E_DCH_LogicalChannelInformationItem_sequence[] = {
static int
dissect_nbap_E_DCH_LogicalChannelInformationItem(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1601 "../../asn1/nbap/nbap.cnf"
#line 1602 "../../asn1/nbap/nbap.cnf"
num_items++;
@ -18178,7 +18178,7 @@ static const per_sequence_t E_DCH_LogicalChannelInformation_sequence_of[1] = {
static int
dissect_nbap_E_DCH_LogicalChannelInformation(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1594 "../../asn1/nbap/nbap.cnf"
#line 1595 "../../asn1/nbap/nbap.cnf"
num_items = 0;
offset = dissect_per_constrained_sequence_of(tvb, offset, actx, tree, hf_index,
@ -18394,7 +18394,7 @@ static const per_sequence_t E_DCH_LogicalChannelToModifyItem_sequence[] = {
static int
dissect_nbap_E_DCH_LogicalChannelToModifyItem(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1589 "../../asn1/nbap/nbap.cnf"
#line 1590 "../../asn1/nbap/nbap.cnf"
offset = dissect_per_sequence(tvb, offset, actx, tree, hf_index,
ett_nbap_E_DCH_LogicalChannelToModifyItem, E_DCH_LogicalChannelToModifyItem_sequence);
@ -18469,7 +18469,7 @@ static const per_sequence_t E_DCH_MACdFlow_Specific_InfoItem_to_Modify_sequence[
static int
dissect_nbap_E_DCH_MACdFlow_Specific_InfoItem_to_Modify(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1497 "../../asn1/nbap/nbap.cnf"
#line 1498 "../../asn1/nbap/nbap.cnf"
guint32 no_ddi_entries, i;
address null_addr;
nbap_edch_port_info_t *old_info;
@ -18661,8 +18661,9 @@ BindingID_port = 0;
conversation_set_dissector(conversation, fp_handle);
if(actx->pinfo->link_dir==P2P_DIR_DL){
umts_fp_conversation_info = wmem_new0(wmem_file_scope(), umts_fp_conversation_info_t);
/*Steal the old informatoin*/
memcpy(umts_fp_conversation_info,conversation_get_proto_data(old_conversation, proto_fp),sizeof(umts_fp_conversation_info_t));
/* Steal the old information */
if (old_conversation)
memcpy(umts_fp_conversation_info,conversation_get_proto_data(old_conversation, proto_fp),sizeof(umts_fp_conversation_info_t));
/* Overwrite the data */
umts_fp_conversation_info->iface_type = IuB_Interface;
@ -23303,7 +23304,7 @@ static const per_sequence_t HSDSCH_Common_System_InformationFDD_sequence[] = {
static int
dissect_nbap_HSDSCH_Common_System_InformationFDD(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1997 "../../asn1/nbap/nbap.cnf"
#line 1998 "../../asn1/nbap/nbap.cnf"
/*
* 5.1.6 High Speed Downlink Shared Channels
* The Data Transfer procedure is used to transfer a HS-DSCH DATA FRAME (TYPE 1, TYPE 2 [FDD and 1.28Mcps
@ -23464,7 +23465,7 @@ static const per_sequence_t HSDSCH_MACdFlow_Specific_InfoItem_sequence[] = {
static int
dissect_nbap_HSDSCH_MACdFlow_Specific_InfoItem(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1704 "../../asn1/nbap/nbap.cnf"
#line 1705 "../../asn1/nbap/nbap.cnf"
address dst_addr;
@ -23567,7 +23568,7 @@ static const value_string nbap_RLC_Mode_vals[] = {
static int
dissect_nbap_RLC_Mode(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1631 "../../asn1/nbap/nbap.cnf"
#line 1632 "../../asn1/nbap/nbap.cnf"
guint32 rlc_mode;
offset = dissect_per_enumerated(tvb, offset, actx, tree, hf_index,
@ -23608,7 +23609,7 @@ static const per_sequence_t PriorityQueue_InfoItem_sequence[] = {
static int
dissect_nbap_PriorityQueue_InfoItem(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1695 "../../asn1/nbap/nbap.cnf"
#line 1696 "../../asn1/nbap/nbap.cnf"
num_items++;
@ -23642,7 +23643,7 @@ static const per_sequence_t HSDSCH_MACdFlows_Information_sequence[] = {
static int
dissect_nbap_HSDSCH_MACdFlows_Information(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1655 "../../asn1/nbap/nbap.cnf"
#line 1656 "../../asn1/nbap/nbap.cnf"
int protocol_ie_id;
guint32 i;
@ -23686,7 +23687,7 @@ dissect_nbap_HSDSCH_MACdFlows_Information(tvbuff_t *tvb _U_, int offset _U_, asn
static int
dissect_nbap_T_hSDSCH_Physical_Layer_Category(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1648 "../../asn1/nbap/nbap.cnf"
#line 1649 "../../asn1/nbap/nbap.cnf"
guint32 hsdsch_physical_layer_category;
offset = dissect_per_constrained_integer(tvb, offset, actx, tree, hf_index,
@ -23754,7 +23755,7 @@ static const per_sequence_t HSDSCH_FDD_Information_sequence[] = {
static int
dissect_nbap_HSDSCH_FDD_Information(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1756 "../../asn1/nbap/nbap.cnf"
#line 1757 "../../asn1/nbap/nbap.cnf"
/*
* Collect the information about the HSDSCH MACdFlows set up conversation(s) and set the conversation data.
*/
@ -23891,7 +23892,7 @@ static const per_sequence_t HSDSCH_MACdFlow_Specific_InfoItem_to_Modify_sequence
static int
dissect_nbap_HSDSCH_MACdFlow_Specific_InfoItem_to_Modify(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1845 "../../asn1/nbap/nbap.cnf"
#line 1846 "../../asn1/nbap/nbap.cnf"
address dst_addr;
transportLayerAddress_ipv4 = 0;
BindingID_port = 0;
@ -23949,7 +23950,7 @@ static const per_sequence_t PriorityQueue_InfoItem_to_Add_sequence[] = {
static int
dissect_nbap_PriorityQueue_InfoItem_to_Add(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1698 "../../asn1/nbap/nbap.cnf"
#line 1699 "../../asn1/nbap/nbap.cnf"
num_items = 1;
@ -24084,7 +24085,7 @@ static const per_sequence_t HSDSCH_Information_to_Modify_sequence[] = {
static int
dissect_nbap_HSDSCH_Information_to_Modify(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1865 "../../asn1/nbap/nbap.cnf"
#line 1866 "../../asn1/nbap/nbap.cnf"
/*
* This is pretty much the same like if we setup a previous flow
*/
@ -24206,7 +24207,7 @@ static const value_string nbap_HSDSCH_MACdPDUSizeFormat_vals[] = {
static int
dissect_nbap_HSDSCH_MACdPDUSizeFormat(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1733 "../../asn1/nbap/nbap.cnf"
#line 1734 "../../asn1/nbap/nbap.cnf"
/*
* Removed 10 Aug. 2012, I'm not sure if this was right, it wrongfully
* set some packets as type 2 for HSDHCH modified items.
@ -24317,7 +24318,7 @@ static const per_sequence_t HSDSCH_MACdFlow_Specific_InformationResp_Item_sequen
static int
dissect_nbap_HSDSCH_MACdFlow_Specific_InformationResp_Item(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1701 "../../asn1/nbap/nbap.cnf"
#line 1702 "../../asn1/nbap/nbap.cnf"
num_items++;
@ -24733,7 +24734,7 @@ static const per_sequence_t HSDSCH_Paging_System_InformationFDD_sequence[] = {
static int
dissect_nbap_HSDSCH_Paging_System_InformationFDD(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 2075 "../../asn1/nbap/nbap.cnf"
#line 2076 "../../asn1/nbap/nbap.cnf"
/*
g_warning("HS-DSCH Type 3 NOT Implemented!");
*/
@ -24927,7 +24928,7 @@ static const per_sequence_t HSDSCH_MACdFlows_to_Delete_Item_sequence[] = {
static int
dissect_nbap_HSDSCH_MACdFlows_to_Delete_Item(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1692 "../../asn1/nbap/nbap.cnf"
#line 1693 "../../asn1/nbap/nbap.cnf"
num_items++;
@ -24944,7 +24945,7 @@ static const per_sequence_t HSDSCH_MACdFlows_to_Delete_sequence_of[1] = {
static int
dissect_nbap_HSDSCH_MACdFlows_to_Delete(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 1687 "../../asn1/nbap/nbap.cnf"
#line 1688 "../../asn1/nbap/nbap.cnf"
num_items = 0;
@ -28046,7 +28047,7 @@ dissect_nbap_NI_Information(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx
static int
dissect_nbap_NodeB_CommunicationContextID(tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
#line 2089 "../../asn1/nbap/nbap.cnf"
#line 2090 "../../asn1/nbap/nbap.cnf"
/*Set up and map that maps Node-B ids to CRNC ids, since often you only have one of them present in nbap*/
nbap_com_context_id_t *cur_val;
@ -41063,7 +41064,7 @@ col_set_str(actx->pinfo->cinfo, COL_INFO,"RadioLinkReconfigurationCommit ");
actx->pinfo->link_dir=P2P_DIR_DL;
#line 2138 "../../asn1/nbap/nbap.cnf"
#line 2139 "../../asn1/nbap/nbap.cnf"
/*
* Here we need to signal the CFN value, down to FP so
* that lowert layers know when a reconfiguration becomes active