_lookup_extended takes a pointer to the key-pointer since it has to set the old

key pointer value. _insert just takes the key-pointer, not a pointer to it. Passing a pointer-to-a-pointer causes the outer pointer to be dereferenced as a struct (when it in fact points to a pointer to struct) and leads to incorrect behaviour and uninitialized/out-of-bounds memory accesses. Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9139 svn path=/trunk/; revision=52036
2013-09-14 13:15:31 +00:00 · 2013-09-14 13:15:31 +00:00 · ef101edfa1
parent 9b5ab5c3e1
commit ef101edfa1
1 changed files with 2 additions and 2 deletions
--- a/epan/dissectors/packet-ieee802154.c
+++ b/epan/dissectors/packet-ieee802154.c
@ -2252,7 +2252,7 @@ ieee802154_map_rec *ieee802154_addr_update(ieee802154_map_tab_t *au_ieee802154_m
    /* link new mapping record to addr hash tables */
    if ( g_hash_table_lookup_extended(au_ieee802154_map->short_table, &addr16, &old_key, NULL) ) {
        /* update short addr hash table, reusing pointer to old key */
-        g_hash_table_insert(au_ieee802154_map->short_table, &old_key, p_map_rec);
+        g_hash_table_insert(au_ieee802154_map->short_table, old_key, p_map_rec);
    } else {
        /* create new hash entry */
        g_hash_table_insert(au_ieee802154_map->short_table, se_memdup(&addr16, sizeof(addr16)), p_map_rec);
@ -2260,7 +2260,7 @@ ieee802154_map_rec *ieee802154_addr_update(ieee802154_map_tab_t *au_ieee802154_m

    if ( g_hash_table_lookup_extended(au_ieee802154_map->long_table, &long_addr, &old_key, NULL) ) {
        /* update long addr hash table, reusing pointer to old key */
-        g_hash_table_insert(au_ieee802154_map->long_table, &old_key, p_map_rec);
+        g_hash_table_insert(au_ieee802154_map->long_table, old_key, p_map_rec);
    } else {
        /* create new hash entry */
        g_hash_table_insert(au_ieee802154_map->long_table, se_memdup(&long_addr, sizeof(long_addr)), p_map_rec);