RPC: fix crash when using "Dissect unknown RPC program numbers" option

When using this option, rpc_prog_info_value structure is not fully initialized.
Depending on the memory allocator used, this can lead to a NULL pointer
dereference or an access to a random memory block.
Ensure that the structure is fully initialized and test pointer before
dereferencing it.

Bug: 13266
Change-Id: Ifdc54b31c8dd3b2b6220dbe9ee27272758ff60ca
Reviewed-on: https://code.wireshark.org/review/19385
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Pascal Quantin 2016-12-22 15:14:47 +01:00 committed by Anders Broman
parent 541beaad6e
commit 8c70558d16
1 changed files with 2 additions and 4 deletions

@ -2083,9 +2083,7 @@ looks_like_rpc_call(tvbuff_t *tvb, int offset)
if (version > 10)
return NULL;
rpc_prog = wmem_new(wmem_packet_scope(), rpc_prog_info_value);
rpc_prog->proto = NULL;
rpc_prog->proto_id = 0;
rpc_prog = wmem_new0(wmem_packet_scope(), rpc_prog_info_value);
rpc_prog->ett = ett_rpc_unknown_program;
rpc_prog->progname = wmem_strdup_printf(wmem_packet_scope(), "Unknown RPC program %u", rpc_prog_key);
}
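Review bot: In looks_like_rpc_call, the move to wmem_new0 makes the zeroing implicit and drops the two assignments (proto = NULL, proto_id = 0) that documented which fields are expected to be empty for an unknown program. A one-line comment above the wmem_new0 call would help here, saying that every field other than ett and progname is deliberately left zero/NULL, procedure_hfs included, since that is the pointer the second hunk now has to test. Without it, the next field added to rpc_prog_info_value inherits a NULL default that nothing at this site calls out.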
@ -2847,7 +2845,7 @@ dissect_rpc_message(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
tmp_item=proto_tree_add_uint(ptree,
hf_rpc_programversion, tvb, 0, 0, vers);
PROTO_ITEM_SET_GENERATED(tmp_item);
if (rpc_prog && (rpc_prog->procedure_hfs->len > vers) )
if (rpc_prog && rpc_prog->procedure_hfs && (rpc_prog->procedure_hfs->len > vers) )
procedure_hf = g_array_index(rpc_prog->procedure_hfs, int, vers);
else {
/*
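Review bot: The NULL test on rpc_prog->procedure_hfs in dissect_rpc_message protects only this one read of procedure_hfs->len. Since looks_like_rpc_call now returns entries whose procedure_hfs is NULL by construction, please confirm that no other user of rpc_prog dereferences procedure_hfs without the same test, or move the lookup into a small helper that returns the hf index or a fallback so the check lives in one place. It is also worth checking that the else branch is a sensible result for an unknown program, because it is now the path taken whenever the "Dissect unknown RPC program numbers" option supplies the entry.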