Wireshark-commits: [Wireshark-commits] master 4eb5b53: DOCSIS: fix null-pointer crash in OPT-RSP TL
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Mon, 16 Jul 2018 05:50:17 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4eb5b535ecb9cea390cc3ebad2097400f303b9ba
Submitter: Anders Broman (a.broman58@xxxxxxxxx)
Changed: branch: master
Repository: wireshark

Commits:

4eb5b53 by Peter Wu (peter@xxxxxxxxxxxxx):

    DOCSIS: fix null-pointer crash in OPT-RSP TLVs decoding
    
    "tmp_fh->next" is NULL on the initial visit and thus
    "tvb_get_guint8(tmp_fh->tvb_data,1)" crashes.
    
    It is not entirely clear to me how reassembly should work in this DOCSIS
    message, but based on the description in "6.4.45 OFDM Downstream Profile
    Test Response (OPT-RSP)" in the DOCSIS MAC and Upper Layer Protocols
    Interface Specification (CM-SP-MULPIv3.1-I07-150910), I suppose that it
    was trying to support decoding of (a sequence of) TLVs where the value
    is too large for a single frame.
    
    Bug: 14954
    Change-Id: I2eec91d0ca6356b2af61bfe55381c300c8872039
    Fixes: v2.9.0rc0-1171-g738818fe4d ("DOCSIS: Added decoding for OPT (OFDM Downstream Profile Test) messages")
    Reviewed-on: https://code.wireshark.org/review/28712
    Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
    

Actions performed:

    from  118017e   Supply a 0s/0ns value for invalid time value lengths.
    adds  4eb5b53   DOCSIS: fix null-pointer crash in OPT-RSP TLVs decoding


Summary of changes:
 epan/dissectors/packet-docsis-macmgmt.c | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)