(/home/sate/Testcases/c/cve/wireshark-1.2.0/plugins/mate/mate_util.c) |
| |
| 825 | | | extern void merge_avpl(AVPL* dst, AVPL* src, gboolean copy_avps) { |
| 826 | | | AVPN* cd = NULL; |
| 827 | | | AVPN* cs = NULL; |
| 828 | | | ptrdiff_t c; |
| 829 | | | AVP* copy; |
| 830 | | | |
| 831 | | | #ifdef _AVP_DEBUGGING |
| 832 | | | dbg_print(dbg_avpl_op,3,dbg_fp,"merge_avpl: %X %X",dst,src); |
| 833 | | | #endif |
| 834 | | | |
| 835 | | | cs = src->null.next; |
| 836 | | | cd = dst->null.next; |
Event 1:
cd is set to dst->null.next.
|
|
| 837 | | | |
| 838 | | | while(cs->avp) { |
Event 2:
Entering loop body. cs->avp evaluates to true.
|
|
| 839 | | | |
| 840 | | | if(cd->avp) { |
Event 3:
Taking true branch. cd->avp evaluates to true.
|
|
| 841 | | | c = ADDRDIFF(cd->avp->n,cs->avp->n);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/plugins/mate/mate_util.c |
| |
39 | #define ADDRDIFF(p,q) (((char *)(void *)(p)) - ((char *)(void *)(q))) |
| |
|
Event 4:
*cd is dereferenced, where cd is dst->null.next. See related event 1.
|
|
| 842 | | | } else { |
| 843 | | | c = -1; |
| 844 | | | } |
| 845 | | | |
| 846 | | | if (c > 0) { |
Event 5:
Taking false branch. c > 0 evaluates to false.
|
|
| 847 | | | if (cd->avp) cd = cd->next; |
| 848 | | | } else if (c < 0) { |
Event 6:
Taking false branch. c < 0 evaluates to false.
|
|
| 849 | | | if (copy_avps) { |
| 850 | | | copy = avp_copy(cs->avp); |
| 851 | | | if ( ! insert_avp(dst,copy) ) { |
| 852 | | | delete_avp(copy); |
| 853 | | | } |
| 854 | | | } else { |
| 855 | | | insert_avp(dst,cs->avp); |
| 856 | | | } |
| 857 | | | |
| 858 | | | cs = cs->next; |
| 859 | | | } else { |
| 860 | | | if ( ! cd->avp || ! (cd->avp->v == cs->avp->v) ) { |
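Null Test After Dereference
This code tests the nullness of *cd, which has already been dereferenced. The expression tested on line 860 is cd->avp, and the earlier dereference is cd->avp->n on line 841.
- If *cd were null, there would have been a prior null pointer dereference at mate_util.c:841, and potentially at other locations as well.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test.
- Triage from the listing shown: line 860 is reached only when c == 0. c is assigned either by ADDRDIFF on line 841, which runs under the if(cd->avp) guard on line 840, or to -1 on line 843, and cd is not reassigned between lines 840 and 860. The dereference on line 841 is therefore already guarded, and the ! cd->avp test on line 860 is the redundant half of the warning.
The issue can occur if the highlighted code executes. See related events 1 and 4.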
|
| 861 | | | if (copy_avps) { |
| 862 | | | copy = avp_copy(cs->avp); |
| 863 | | | if ( ! insert_avp(dst,copy) ) { |
| 864 | | | delete_avp(copy); |
| 865 | | | } |
| 866 | | | } else { |
| 867 | | | insert_avp(dst,cs->avp); |
| 868 | | | } |
| 869 | | | } |
| 870 | | | cs = cs->next; |
| 871 | | | if (cd->avp) cd = cd->next; |
| 872 | | | } |
| 873 | | | } |
| 874 | | | |
| 875 | | | #ifdef _AVP_DEBUGGING |
| 876 | | | dbg_print(dbg_avpl_op,8,dbg_fp,"merge_avpl: done"); |
| 877 | | | #endif |
| 878 | | | |
| 879 | | | return; |
| 880 | | | } |
| |