From a723f99244edfa7e9c9cfc61130570584128ccf4 Mon Sep 17 00:00:00 2001
From: Tobias Klauser
Date: Sun, 12 May 2013 12:28:45 +0200
Subject: dissector: ip_ipv6_mobility_hdr: NULL check before dereference

Check return value of pkt_pull before dereferencing it. This was discovered by the coverity scanner.

Signed-off-by: Tobias Klauser
---
 proto_ipv6_mobility_hdr.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/proto_ipv6_mobility_hdr.c b/proto_ipv6_mobility_hdr.c
index 549d4f0..57e587f 100644
--- a/proto_ipv6_mobility_hdr.c
+++ b/proto_ipv6_mobility_hdr.c
@@ -164,9 +164,11 @@ static void dissect_mobilityhdr_type_6(struct pkt_buff *pkt,
 struct bind_ack_msg *type_6;
 type_6 = (struct bind_ack_msg *) pkt_pull(pkt, sizeof(*type_6));
+ if (type_6 == NULL)
+ return;
+
 *message_data_len -= sizeof(*type_6);
- if (type_6 == NULL || *message_data_len > pkt_len(pkt) ||
- *message_data_len < 0)
+ if (*message_data_len > pkt_len(pkt) || *message_data_len < 0)
 return;
 tprintf("Status (0x%x) ", type_6->status);
@@ -185,10 +187,12 @@ static void dissect_mobilityhdr_type_7(struct pkt_buff *pkt,
 struct bind_err_msg *type_7;
 type_7 = (struct bind_err_msg *) pkt_pull(pkt, sizeof(*type_7));
+ if (type_7 == NULL)
+ return;
+
 *message_data_len -= sizeof(*type_7);
 addr = ntohll(type_7->home_addr);
- if (type_7 == NULL || *message_data_len > pkt_len(pkt) ||
- *message_data_len < 0)
+ if (*message_data_len > pkt_len(pkt) || *message_data_len < 0)
 return;
 tprintf("Status (0x%x) ", type_7->status);
--
cgit v1.2.3-54-g00ecf
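Review bot: In dissect_mobilityhdr_type_6 the new early return on `type_6 == NULL` leaves `*message_data_len` untouched, whereas the old code subtracted `sizeof(*type_6)` before it tested the pointer, so a caller that keeps dissecting after a truncated packet now sees a different remaining length; the same applies to dissect_mobilityhdr_type_7 in the second hunk. The caller is outside both hunks, so whether it depends on that value is unverified, but because the function returns void it cannot tell a short packet from a parsed one. I would record the contract at the return, e.g. `/* truncated packet: nothing pulled, *message_data_len left unchanged */`. I would also test the sign first in the following check, `if (*message_data_len < 0 || *message_data_len > pkt_len(pkt))`, so that rejecting a negative length does not hinge on how it converts against pkt_len()'s return type, which is not visible here. Both function bodies start and end outside their hunks.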