From 843735e0efe03f601ed69f69e5295974aad927b2 Mon Sep 17 00:00:00 2001
From: Peter Wu <peter@lekensteyn.nl>
Date: Sun, 13 May 2018 16:27:27 +0200
Subject: dns: fix null pointer deref for empty name in SRV record

Per RFC 2782, the name should follow the "_Service._Proto.Name" format.
If a malformed packet does not adhere to this and provides a zero-length
name, then wmem_strsplit returns NULL.

Bug: 14681
Change-Id: I7b9935238a9800a1526c8b694fd2c63d3b488d0b
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7416
Reviewed-on: https://code.wireshark.org/review/27499
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
---
 epan/dissectors/packet-dns.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/epan/dissectors/packet-dns.c b/epan/dissectors/packet-dns.c
index 8e619fcf3d..efc2fd199b 100644
--- a/epan/dissectors/packet-dns.c
+++ b/epan/dissectors/packet-dns.c
@@ -1504,11 +1504,9 @@ add_rr_to_tree(proto_tree  *rr_tree, tvbuff_t *tvb, int offset,
   proto_item *ttl_item;
   gchar      **srv_rr_info;
 
-  if (type == T_SRV) {
+  if (type == T_SRV && name[0]) {
     srv_rr_info = wmem_strsplit(wmem_packet_scope(), name, ".", 3);
 
-    /* The + 1 on the strings is to skip the leading '_' */
-
     proto_tree_add_string(rr_tree, hf_dns_srv_service, tvb, offset,
                           namelen, srv_rr_info[0]);
 
-- 
cgit v1.2.3