(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-lapd.c) |
| |
| 205 | | | dissect_lapd_bitstream(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) |
| 206 | | | { |
| 207 | | | guint8 byte, full_byte = 0x00, bit_offset = 0; |
| 208 | | | gboolean bit; |
| 209 | | | guint8 i, ones = 0, data[MAX_LAPD_PACKET_LEN]; |
| 210 | | | int data_len = 0; |
| 211 | | | guint offset = 0, last_packet_end_offset = 0, available; |
| 212 | | | guint8 *buff; |
| 213 | | | tvbuff_t *new_tvb; |
| 214 | | | |
| 215 | | | enum lapd_bitstream_states state = OUT_OF_SYNC; |
| 216 | | | lapd_ppi_t *lapd_ppi; |
| 217 | | | conversation_t *conversation = NULL; |
| 218 | | | lapd_convo_data_t *convo_data = NULL; |
| 219 | | | lapd_byte_state_t *lapd_byte_state, *prev_byte_state = NULL; |
| 220 | | | gboolean forward_stream = TRUE; |
Event 1:
!0 evaluates to true.
hide
|
|
| 221 | | | |
| 222 | | | |
| 223 | | | conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, |
| 224 | | | pinfo->ptype, pinfo->srcport, pinfo->destport, 0); |
| 225 | | | lapd_ppi = (lapd_ppi_t*)p_get_proto_data(pinfo->fd, proto_lapd); |
| 226 | | | if (lapd_ppi) { |
Event 2:
Taking false branch. lapd_ppi evaluates to false.
hide
|
|
| 227 | | | prev_byte_state = &lapd_ppi->start_byte_state; |
| 228 | | | if (prev_byte_state) { |
| 229 | | | state = prev_byte_state->state; |
| 230 | | | full_byte = prev_byte_state->full_byte; |
| 231 | | | bit_offset = prev_byte_state->bit_offset; |
| 232 | | | ones = prev_byte_state->ones; |
| 233 | | | } |
| 234 | | | |
| 235 | | | } else if (conversation) { |
Event 3:
Taking true branch. conversation evaluates to true.
hide
|
|
| 236 | | | convo_data = (lapd_convo_data_t*)conversation_get_proto_data(conversation, proto_lapd); |
| 237 | | | if (NULL != convo_data) { |
Event 4:
Taking true branch. (void *)0 != convo_data evaluates to true.
hide
|
|
| 238 | | | if (ADDRESSES_EQUAL(&convo_data->addr_a, &pinfo->src)
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
92 | #define ADDRESSES_EQUAL(addr1, addr2) \ |
93 | ( \ |
94 | (addr1)->type == (addr2)->type && \ |
95 | ( \ |
96 | (addr1)->type == AT_NONE || \ |
97 | ( \ |
98 | (addr1)->len == (addr2)->len && \ |
99 | memcmp((addr1)->data, (addr2)->data, (addr1)->len) == 0 \ |
100 | ) \ |
101 | ) \ |
102 | ) |
| |
|
Event 5:
Taking false branch. (&convo_data->addr_a)->type == (&pinfo->src)->type evaluates to false.
hide
|
|
| 239 | | | && ADDRESSES_EQUAL(&convo_data->addr_b, &pinfo->dst)
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
92 | #define ADDRESSES_EQUAL(addr1, addr2) \ |
93 | ( \ |
94 | (addr1)->type == (addr2)->type && \ |
95 | ( \ |
96 | (addr1)->type == AT_NONE || \ |
97 | ( \ |
98 | (addr1)->len == (addr2)->len && \ |
99 | memcmp((addr1)->data, (addr2)->data, (addr1)->len) == 0 \ |
100 | ) \ |
101 | ) \ |
102 | ) |
| |
|
| 240 | | | && convo_data-> port_a == pinfo->srcport |
| 241 | | | && convo_data-> port_b == pinfo->destport) { |
| 242 | | | |
| 243 | | | forward_stream = TRUE; |
| 244 | | | prev_byte_state = convo_data->byte_state_a; |
| 245 | | | } else if (ADDRESSES_EQUAL(&convo_data-> addr_b, &pinfo->src)
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
92 | #define ADDRESSES_EQUAL(addr1, addr2) \ |
93 | ( \ |
94 | (addr1)->type == (addr2)->type && \ |
95 | ( \ |
96 | (addr1)->type == AT_NONE || \ |
97 | ( \ |
98 | (addr1)->len == (addr2)->len && \ |
99 | memcmp((addr1)->data, (addr2)->data, (addr1)->len) == 0 \ |
100 | ) \ |
101 | ) \ |
102 | ) |
| |
|
Event 6:
Skipping " if". - (&convo_data->addr_b)->type == (&pinfo->src)->type evaluates to true.
- (&convo_data->addr_b)->type == AT_NONE evaluates to true.
- (&convo_data->addr_a)->type == (&pinfo->dst)->type evaluates to true.
- (&convo_data->addr_a)->type == AT_NONE evaluates to false.
- (&convo_data->addr_a)->len == (&pinfo->dst)->len evaluates to true.
- memcmp(...) == 0 evaluates to false.
hide
|
|
| 246 | | | && ADDRESSES_EQUAL(&convo_data->addr_a, &pinfo->dst)
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
92 | #define ADDRESSES_EQUAL(addr1, addr2) \ |
93 | ( \ |
94 | (addr1)->type == (addr2)->type && \ |
95 | ( \ |
96 | (addr1)->type == AT_NONE || \ |
97 | ( \ |
98 | (addr1)->len == (addr2)->len && \ |
99 | memcmp((addr1)->data, (addr2)->data, (addr1)->len) == 0 \ |
100 | ) \ |
101 | ) \ |
102 | ) |
| |
|
| 247 | | | && convo_data-> port_b == pinfo->srcport |
| 248 | | | && convo_data-> port_a == pinfo->destport) { |
| 249 | | | |
| 250 | | | forward_stream = FALSE; |
| 251 | | | prev_byte_state = convo_data->byte_state_b; |
| 252 | | | } |
| 253 | | | } |
| 254 | | | if (prev_byte_state) { |
Event 8:
Skipping " if". prev_byte_state evaluates to false.
hide
|
|
| 255 | | | state = prev_byte_state->state; |
| 256 | | | full_byte = prev_byte_state->full_byte; |
| 257 | | | bit_offset = prev_byte_state->bit_offset; |
| 258 | | | ones = prev_byte_state->ones; |
| 259 | | | } |
| 260 | | | } |
| 261 | | | |
| 262 | | | |
| 263 | | | available = tvb_length_remaining(tvb, offset); |
| 264 | | | while (offset < available) { |
Event 9:
Leaving loop. offset < available evaluates to false.
hide
|
|
| 265 | | | byte = tvb_get_guint8(tvb,offset); |
| 266 | | | offset++; |
| 267 | | | for (i=0; i < 8; i++) { |
| 268 | | | bit = byte & (0x80 >> i) ? TRUE : FALSE; |
| 269 | | | |
| 270 | | | |
| 271 | | | if (bit) { |
| 272 | | | ones++; |
| 273 | | | full_byte |= (1 << bit_offset++); |
| 274 | | | } else { |
| 275 | | | if (ones == 5 && state == DATA) { |
| 276 | | | |
| 277 | | | } else if (ones == 6 && state == DATA) { |
| 278 | | | buff = g_memdup(data, data_len); |
| 279 | | | |
| 280 | | | new_tvb = tvb_new_child_real_data(tvb, buff, data_len, data_len); |
| 281 | | | tvb_set_free_cb(new_tvb, g_free); |
| 282 | | | add_new_data_source(pinfo, new_tvb, "Decoded LAPD bitstream"); |
| 283 | | | dissect_lapd(new_tvb, pinfo, tree); |
| 284 | | | last_packet_end_offset = offset -1; |
| 285 | | | data_len = 0; |
| 286 | | | state = FLAGS; |
| 287 | | | bit_offset++; |
| 288 | | | } else if (ones >= 7) { |
| 289 | | | data_len = 0; |
| 290 | | | state = OUT_OF_SYNC; |
| 291 | | | bit_offset++; |
| 292 | | | } else { |
| 293 | | | bit_offset++; |
| 294 | | | } |
| 295 | | | ones = 0; |
| 296 | | | } |
| 297 | | | |
| 298 | | | if (bit_offset == 8) { |
| 299 | | | switch (state) { |
| 300 | | | case OUT_OF_SYNC: |
| 301 | | | if (full_byte == 0x7E) { |
| 302 | | | state = FLAGS; |
| 303 | | | full_byte = 0x00; |
| 304 | | | bit_offset = 0; |
| 305 | | | } else { |
| 306 | | | full_byte = (full_byte >> 1) & 0x7F; |
| 307 | | | bit_offset--; |
| 308 | | | } |
| 309 | | | break; |
| 310 | | | |
| 311 | | | case FLAGS: |
| 312 | | | if (full_byte == 0x7E) { |
| 313 | | | full_byte = 0x00; |
| 314 | | | bit_offset = 0; |
| 315 | | | } else { |
| 316 | | | state = DATA; |
| 317 | | | new_byte(full_byte, data, &data_len); |
| 318 | | | full_byte = 0x00; |
| 319 | | | bit_offset = 0; |
| 320 | | | } |
| 321 | | | break; |
| 322 | | | |
| 323 | | | case DATA: |
| 324 | | | |
| 325 | | | new_byte(full_byte, data, &data_len); |
| 326 | | | full_byte = 0x00; |
| 327 | | | bit_offset = 0; |
| 328 | | | break; |
| 329 | | | } |
| 330 | | | } |
| 331 | | | } |
| 332 | | | } |
| 333 | | | |
| 334 | | | if (state == DATA) { |
Event 10:
Taking false branch. state == DATA evaluates to false.
hide
|
|
| 335 | | | pinfo->desegment_offset = 0; |
| 336 | | | pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; |
| 337 | | | return; |
| 338 | | | } else { |
| 339 | | | if (NULL == p_get_proto_data(pinfo->fd, proto_lapd)) { |
Event 11:
Taking true branch. (void *)0 == p_get_proto_data(...) evaluates to true.
hide
|
|
| 340 | | | |
| 341 | | | lapd_ppi = g_malloc(sizeof(lapd_ppi_t)); |
| 342 | | | lapd_ppi->has_crc = TRUE; |
Event 13:
!0 evaluates to true.
hide
|
|
| 343 | | | if (prev_byte_state) |
Event 14:
Taking false branch. prev_byte_state evaluates to false.
hide
|
|
| 344 | | | fill_lapd_byte_state(&lapd_ppi->start_byte_state, prev_byte_state->state, |
| 345 | | | prev_byte_state->full_byte, prev_byte_state->bit_offset, |
| 346 | | | prev_byte_state->ones); |
| 347 | | | else |
| 348 | | | fill_lapd_byte_state(&lapd_ppi->start_byte_state, OUT_OF_SYNC, 0x00, 0, 0); |
| 349 | | | |
| 350 | | | p_add_proto_data(pinfo->fd, proto_lapd, lapd_ppi); |
| 351 | | | |
| 352 | | | |
| 353 | | | |
| 354 | | | |
| 355 | | | if (conversation) { |
Event 15:
Taking true branch. conversation evaluates to true.
hide
|
|
| 356 | | | if (convo_data) { |
Null Test After Dereference
This code tests the nullness of convo_data, which has already been dereferenced. - If convo_data were null, there would have been a prior null pointer dereference at packet-lapd.c:246, and potentially at other locations as well.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test.
The issue can occur if the highlighted code executes. See related event 7. Show: All events | Only primary events |
|
| 357 | | | if (forward_stream) |
| 358 | | | fill_lapd_byte_state(convo_data->byte_state_a, state, full_byte, bit_offset, ones); |
| 359 | | | else { |
| 360 | | | if (!convo_data->byte_state_b) |
| 361 | | | convo_data->byte_state_b = g_malloc(sizeof(lapd_byte_state_t)); |
| 362 | | | fill_lapd_byte_state(convo_data->byte_state_b, state, full_byte, bit_offset, ones); |
| 363 | | | } |
| 364 | | | } else { |
| 365 | | | lapd_byte_state = g_malloc(sizeof(lapd_byte_state_t)); |
| 366 | | | fill_lapd_byte_state(lapd_byte_state, state, full_byte, bit_offset, ones); |
| 367 | | | convo_data = g_malloc(sizeof(lapd_convo_data_t)); |
| 368 | | | COPY_ADDRESS(&convo_data->addr_a, &pinfo->src);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
107 | #define COPY_ADDRESS(to, from) { \ |
108 | guint8 *COPY_ADDRESS_data; \ |
109 | (to)->type = (from)->type; \ |
110 | (to)->len = (from)->len; \ |
111 | COPY_ADDRESS_data = g_malloc((from)->len); \ |
112 | memcpy(COPY_ADDRESS_data, (from)->data, (from)->len); \ |
113 | (to)->data = COPY_ADDRESS_data; \ |
114 | } |
| |
|
| 369 | | | COPY_ADDRESS(&convo_data->addr_b, &pinfo->dst);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
107 | #define COPY_ADDRESS(to, from) { \ |
108 | guint8 *COPY_ADDRESS_data; \ |
109 | (to)->type = (from)->type; \ |
110 | (to)->len = (from)->len; \ |
111 | COPY_ADDRESS_data = g_malloc((from)->len); \ |
112 | memcpy(COPY_ADDRESS_data, (from)->data, (from)->len); \ |
113 | (to)->data = COPY_ADDRESS_data; \ |
114 | } |
| |
|
| 370 | | | convo_data->port_a = pinfo->srcport; |
| 371 | | | convo_data->port_b = pinfo->destport; |
| 372 | | | convo_data->byte_state_a = lapd_byte_state; |
| 373 | | | convo_data->byte_state_b = NULL; |
| 374 | | | conversation_add_proto_data(conversation, proto_lapd, convo_data); |
| 375 | | | } |
| 376 | | | } |
| 377 | | | } |
| 378 | | | } |
| 379 | | | } |
| |