From 10a80a61d67516c0ba4c13a7c07e9ebfa6fab9c5 Mon Sep 17 00:00:00 2001
From: Tobias Klauser
Date: Sun, 12 May 2013 12:33:53 +0200
Subject: dissector: lldp: NULL check before dereference

Check return value of pkt_pull before dereferencing it (even though we check the packet length before and pkt_pull _should_ never return NULL). This was discovered by the coverity scanner.

Signed-off-by: Tobias Klauser
---
 proto_lldp.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/proto_lldp.c b/proto_lldp.c
index 22b7684..4e33048 100644
--- a/proto_lldp.c
+++ b/proto_lldp.c
@@ -163,7 +163,11 @@ static void lldp(struct pkt_buff *pkt)
 tprintf(" [ LLDP ");
 while (len >= sizeof(tlv_hdr)) {
- tlv_hdr = EXTRACT_16BIT(pkt_pull(pkt, sizeof(tlv_hdr)));
+ uint8_t *data = pkt_pull(pkt, sizeof(tlv_hdr));
+ if (data == NULL)
+ goto out_invalid;
+
+ tlv_hdr = EXTRACT_16BIT(data);
 tlv_type = LLDP_TLV_TYPE(tlv_hdr);
 tlv_len = LLDP_TLV_LENGTH(tlv_hdr);
@@ -442,7 +446,11 @@ static void lldp_less(struct pkt_buff *pkt)
 len = pkt_len(pkt);
 while (len >= sizeof(tlv_hdr)) {
- tlv_hdr = EXTRACT_16BIT(pkt_pull(pkt, sizeof(tlv_hdr)));
+ uint8_t *data = pkt_pull(pkt, sizeof(tlv_hdr));
+ if (data == NULL)
+ break;
+
+ tlv_hdr = EXTRACT_16BIT(data);
 tlv_type = LLDP_TLV_TYPE(tlv_hdr);
 tlv_len = LLDP_TLV_LENGTH(tlv_hdr);
-- cgit v1.2.3-54-g00ecf
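Review bot: The new NULL check in lldp() guards only the pull of the TLV header, and the loop body continues outside this hunk. If later code pulls the TLV value using `tlv_len`, which is decoded from the packet itself, each of those results needs the same check before it is dereferenced; that cannot be confirmed from the lines shown. A short comment on the check would also record why it exists despite the `len` test, for example `/* defensive: never dereference a NULL pull, even if len says the bytes are there */`.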
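Review bot: In lldp_less() a failed pull leaves the loop with `break`, while lldp() jumps to `out_invalid`, so the two dissectors react differently to the same condition. Whatever follows the loop in lldp_less() lies outside the hunk and presumably runs as if the TLV list had ended normally, which would hide a truncated or inconsistent frame in the brief output. If the quiet exit is intended, say so with a comment such as `/* brief output: stop quietly on a truncated TLV header */`; otherwise give lldp_less() an invalid-packet path like the one lldp() uses.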