summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTobias Klauser <tklauser@distanz.ch>2013-05-12 12:33:53 +0200
committerTobias Klauser <tklauser@distanz.ch>2013-05-12 12:33:53 +0200
commit10a80a61d67516c0ba4c13a7c07e9ebfa6fab9c5 (patch)
treef69e0c17e7170477a01e2f73c3d90483f4e4d46a
parent21adfd2ba4324bb8575b17ecd76c0f3b3988246e (diff)
dissector: lldp: NULL check before dereference
Check return value of pkt_pull before dereferencing it (even though we check the packet length before and pkt_pull _should_ never return NULL). This was discovered by the coverity scanner. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
-rw-r--r--proto_lldp.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/proto_lldp.c b/proto_lldp.c
index 22b7684..4e33048 100644
--- a/proto_lldp.c
+++ b/proto_lldp.c
@@ -163,7 +163,11 @@ static void lldp(struct pkt_buff *pkt)
tprintf(" [ LLDP ");
while (len >= sizeof(tlv_hdr)) {
- tlv_hdr = EXTRACT_16BIT(pkt_pull(pkt, sizeof(tlv_hdr)));
+ uint8_t *data = pkt_pull(pkt, sizeof(tlv_hdr));
+ if (data == NULL)
+ goto out_invalid;
+
+ tlv_hdr = EXTRACT_16BIT(data);
tlv_type = LLDP_TLV_TYPE(tlv_hdr);
tlv_len = LLDP_TLV_LENGTH(tlv_hdr);
@@ -442,7 +446,11 @@ static void lldp_less(struct pkt_buff *pkt)
len = pkt_len(pkt);
while (len >= sizeof(tlv_hdr)) {
- tlv_hdr = EXTRACT_16BIT(pkt_pull(pkt, sizeof(tlv_hdr)));
+ uint8_t *data = pkt_pull(pkt, sizeof(tlv_hdr));
+ if (data == NULL)
+ break;
+
+ tlv_hdr = EXTRACT_16BIT(data);
tlv_type = LLDP_TLV_TYPE(tlv_hdr);
tlv_len = LLDP_TLV_LENGTH(tlv_hdr);