(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ieee80211.c) |
| |
| 6069 | | | dissect_ieee80211_common (tvbuff_t * tvb, packet_info * pinfo, |
| 6070 | | | proto_tree * tree, gboolean , gint fcs_len, |
| 6071 | | | gboolean wlan_broken_fc, gboolean datapad, |
| 6072 | | | gboolean is_ht) |
| 6073 | | | { |
| 6074 | | | guint16 fcf, flags, frame_type_subtype, ctrl_fcf, ctrl_type_subtype; |
| 6075 | | | guint16 seq_control; |
| 6076 | | | guint32 seq_number, frag_number; |
| 6077 | | | gboolean more_frags; |
| 6078 | | | const guint8 *src = NULL; |
Event 1:
src is set to NULL. - Dereferenced later, causing the null pointer dereference.
hide
|
|
| 6079 | | | const guint8 *dst = NULL; |
| 6080 | | | const guint8 *bssid = NULL; |
| 6081 | | | proto_item *ti = NULL; |
| 6082 | | | proto_item *fcs_item = NULL; |
| 6083 | | | proto_item *cw_item = NULL; |
| 6084 | | | proto_item *hidden_item; |
| 6085 | | | proto_tree *volatile hdr_tree = NULL; |
| 6086 | | | proto_tree *fcs_tree = NULL; |
| 6087 | | | proto_tree *cw_tree = NULL; |
| 6088 | | | guint16 hdr_len, ohdr_len, htc_len = 0; |
| 6089 | | | gboolean has_fcs, fcs_good, fcs_bad; |
| 6090 | | | gint len, reported_len, ivlen; |
| 6091 | | | gboolean is_amsdu = 0; |
| 6092 | | | gboolean save_fragmented; |
| 6093 | | | tvbuff_t *volatile next_tvb = NULL; |
| 6094 | | | guint32 addr_type; |
| 6095 | | | volatile encap_t encap_type; |
| 6096 | | | guint8 octet1, octet2; |
| 6097 | | | char out_buff[SHORT_STR]; |
| 6098 | | | gint is_iv_bad; |
| 6099 | | | guchar iv_buff[4]; |
| 6100 | | | const char *addr1_str = NULL; |
| 6101 | | | int addr1_hf = -1; |
| 6102 | | | guint offset; |
| 6103 | | | const gchar *fts_str; |
| 6104 | | | gchar flag_str[] = "opmPRMFTC"; |
| 6105 | | | gint i; |
| 6106 | | | |
| 6107 | | | wlan_hdr *volatile whdr; |
| 6108 | | | static wlan_hdr whdrs[4]; |
| 6109 | | | gboolean retransmitted; |
| 6110 | | | |
| 6111 | | | whdr= &whdrs[0]; |
| 6112 | | | |
| 6113 | | | if (check_col (pinfo->cinfo, COL_PROTOCOL)) |
Event 2:
Taking true branch. check_col(...) evaluates to true.
hide
|
|
| 6114 | | | col_set_str (pinfo->cinfo, COL_PROTOCOL, "IEEE 802.11"); |
| 6115 | | | if (check_col (pinfo->cinfo, COL_INFO)) |
Event 3:
Taking true branch. check_col(...) evaluates to true.
hide
|
|
| 6116 | | | col_clear (pinfo->cinfo, COL_INFO); |
| 6117 | | | |
| 6118 | | | fcf = FETCH_FCF(0);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ieee80211.c |
| |
181 | #define FETCH_FCF(off) (wlan_broken_fc ? \ |
182 | BSWAP16(tvb_get_letohs(tvb, off)) : \ |
183 | tvb_get_letohs(tvb, off)) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/pint.h |
| |
105 | #define BSWAP16(x) \ |
106 | ((((x)&0xFF00)>>8) | \ |
107 | (((x)&0x00FF)<<8)) |
| |
|
Event 4:
wlan_broken_fc evaluates to true.
hide
|
|
| 6119 | | | frame_type_subtype = COMPOSE_FRAME_TYPE(fcf);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ieee80211.c |
| |
204 | #define COMPOSE_FRAME_TYPE(x) (((x & 0x0C)<< 2)+FCF_FRAME_SUBTYPE(x)) /* Create key to (sub)type */ |
| |
|
| 6120 | | | if (frame_type_subtype == CTRL_CONTROL_WRAPPER) |
Event 5:
Taking false branch. frame_type_subtype == 23 evaluates to false.
hide
|
|
| 6121 | | | ctrl_fcf = FETCH_FCF(10);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ieee80211.c |
| |
181 | #define FETCH_FCF(off) (wlan_broken_fc ? \ |
182 | BSWAP16(tvb_get_letohs(tvb, off)) : \ |
183 | tvb_get_letohs(tvb, off)) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/pint.h |
| |
105 | #define BSWAP16(x) \ |
106 | ((((x)&0xFF00)>>8) | \ |
107 | (((x)&0x00FF)<<8)) |
| |
|
| 6122 | | | else |
| 6123 | | | ctrl_fcf = 0; |
| 6124 | | | |
| 6125 | | | if () |
Event 6:
Taking false branch. evaluates to false.
hide
|
|
| 6126 | | | hdr_len = DATA_LONG_HDR_LEN; |
| 6127 | | | else |
| 6128 | | | hdr_len = (fcf, ctrl_fcf, is_ht); |
| 6129 | | | ohdr_len = hdr_len; |
| 6130 | | | if (datapad) |
Event 7:
Skipping " if". datapad evaluates to false.
hide
|
|
| 6131 | | | hdr_len = roundup2(hdr_len, 4);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ieee80211.c |
| |
89 | #define roundup2(x, y) (((x)+((y)-1))&(~((y)-1))) /* if y is powers of two */ |
| |
|
| 6132 | | | |
| 6133 | | | fts_str = val_to_str(frame_type_subtype, frame_type_subtype_vals, |
| 6134 | | | "Unrecognized (Reserved frame)"); |
| 6135 | | | if (check_col (pinfo->cinfo, COL_INFO)) |
Event 8:
Taking true branch. check_col(...) evaluates to true.
hide
|
|
| 6136 | | | col_set_str (pinfo->cinfo, COL_INFO, fts_str); |
| 6137 | | | |
| 6138 | | | |
| 6139 | | | flags = FCF_FLAGS (fcf); |
| 6140 | | | more_frags = HAVE_FRAGMENTS (flags); |
| 6141 | | | |
| 6142 | | | for (i = 0; i < 8; i++) { |
| 6143 | | | if (! (flags & 0x80 >> i)) { |
| 6144 | | | flag_str[i] = '.'; |
| 6145 | | | } |
| 6146 | | | } |
| 6147 | | | |
| 6148 | | | if (is_ht && IS_STRICTLY_ORDERED(flags) && |
Event 10:
Skipping " if". - is_ht evaluates to true.
- flags & 128 evaluates to true.
- (fcf & 12) >> 2 == 0 evaluates to false.
- (fcf & 12) >> 2 == 2 evaluates to false.
hide
|
|
| 6149 | | | ((FCF_FRAME_TYPE(fcf) == MGT_FRAME) || (FCF_FRAME_TYPE(fcf) == DATA_FRAME && |
| 6150 | | | DATA_FRAME_IS_QOS(frame_type_subtype)))) { |
| 6151 | | | htc_len = 4; |
| 6152 | | | } |
| 6153 | | | |
| 6154 | | | |
| 6155 | | | if (tree) |
Event 11:
Skipping " if". tree evaluates to false.
hide
|
|
| 6156 | | | { |
| 6157 | | | ti = proto_tree_add_protocol_format (tree, proto_wlan, tvb, 0, hdr_len, |
| 6158 | | | "IEEE 802.11 %s", fts_str); |
| 6159 | | | hdr_tree = proto_item_add_subtree (ti, ett_80211); |
| 6160 | | | |
| 6161 | | | dissect_frame_control(hdr_tree, tvb, wlan_broken_fc, 0); |
| 6162 | | | |
| 6163 | | | if (frame_type_subtype == CTRL_PS_POLL) |
| 6164 | | | proto_tree_add_uint(hdr_tree, hf_assoc_id,tvb,2,2, |
| 6165 | | | ASSOC_ID(tvb_get_letohs(tvb,2))); |
| 6166 | | | |
| 6167 | | | else |
| 6168 | | | proto_tree_add_uint (hdr_tree, hf_did_duration, tvb, 2, 2, |
| 6169 | | | tvb_get_letohs (tvb, 2)); |
| 6170 | | | } |
| 6171 | | | |
| 6172 | | | |
| 6173 | | | |
| 6174 | | | |
| 6175 | | | |
| 6176 | | | seq_control = 0; |
| 6177 | | | frag_number = 0; |
| 6178 | | | seq_number = 0; |
| 6179 | | | |
| 6180 | | | switch (FCF_FRAME_TYPE (fcf)) |
Event 12:
(fcf & 12) >> 2 evaluates to 2.
hide
|
|
| 6181 | | | { |
| 6182 | | | |
| 6183 | | | case MGT_FRAME: |
| 6184 | | | |
| 6185 | | | |
| 6186 | | | |
| 6187 | | | src = tvb_get_ptr (tvb, 10, 6); |
| 6188 | | | dst = tvb_get_ptr (tvb, 4, 6); |
| 6189 | | | |
| 6190 | | | SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
66 | #define SET_ADDRESS(addr, addr_type, addr_len, addr_data) { \ |
67 | (addr)->type = (addr_type); \ |
68 | (addr)->len = (addr_len); \ |
69 | (addr)->data = (addr_data); \ |
70 | } |
| |
|
| 6191 6504 |  | | [ Lines 6191 to 6504 omitted. ] |
| 6505 | | | } |
| 6506 | | | } |
| 6507 | | | } |
| 6508 | | | break; |
| 6509 | | | } |
| 6510 | | | |
| 6511 | | | } |
| 6512 | | | break; |
| 6513 | | | } |
| 6514 | | | |
| 6515 | | | case DATA_FRAME: |
| 6516 | | | addr_type = FCF_ADDR_SELECTOR (fcf); |
| 6517 | | | |
| 6518 | | | |
| 6519 | | | switch (addr_type) |
Event 13:
addr_type evaluates to implicit-default.
hide
|
|
| 6520 | | | { |
| 6521 | | | |
| 6522 | | | case DATA_ADDR_T1: |
| 6523 | | | src = tvb_get_ptr (tvb, 10, 6); |
| 6524 | | | dst = tvb_get_ptr (tvb, 4, 6); |
| 6525 | | | bssid = tvb_get_ptr (tvb, 16, 6); |
| 6526 | | | break; |
| 6527 | | | |
| 6528 | | | case DATA_ADDR_T2: |
| 6529 | | | src = tvb_get_ptr (tvb, 16, 6); |
| 6530 | | | dst = tvb_get_ptr (tvb, 4, 6); |
| 6531 | | | bssid = tvb_get_ptr (tvb, 10, 6); |
| 6532 | | | break; |
| 6533 | | | |
| 6534 | | | case DATA_ADDR_T3: |
| 6535 | | | src = tvb_get_ptr (tvb, 10, 6); |
| 6536 | | | dst = tvb_get_ptr (tvb, 16, 6); |
| 6537 | | | bssid = tvb_get_ptr (tvb, 4, 6); |
| 6538 | | | break; |
| 6539 | | | |
| 6540 | | | case DATA_ADDR_T4: |
| 6541 | | | src = tvb_get_ptr (tvb, 24, 6); |
| 6542 | | | dst = tvb_get_ptr (tvb, 16, 6); |
| 6543 | | | bssid = tvb_get_ptr (tvb, 16, 6); |
| 6544 | | | break; |
| 6545 | | | } |
| 6546 | | | |
| 6547 | | | SET_ADDRESS(&pinfo->dl_src, AT_ETHER, 6, src);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
66 | #define SET_ADDRESS(addr, addr_type, addr_len, addr_data) { \ |
67 | (addr)->type = (addr_type); \ |
68 | (addr)->len = (addr_len); \ |
69 | (addr)->data = (addr_data); \ |
70 | } |
| |
|
Event 14:
pinfo->dl_src.data is set to src, which evaluates to NULL. See related event 1.
hide
|
|
| 6548 | | | SET_ADDRESS(&pinfo->src, AT_ETHER, 6, src);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
66 | #define SET_ADDRESS(addr, addr_type, addr_len, addr_data) { \ |
67 | (addr)->type = (addr_type); \ |
68 | (addr)->len = (addr_len); \ |
69 | (addr)->data = (addr_data); \ |
70 | } |
| |
|
| 6549 | | | SET_ADDRESS(&pinfo->dl_dst, AT_ETHER, 6, dst);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
66 | #define SET_ADDRESS(addr, addr_type, addr_len, addr_data) { \ |
67 | (addr)->type = (addr_type); \ |
68 | (addr)->len = (addr_len); \ |
69 | (addr)->data = (addr_data); \ |
70 | } |
| |
|
| 6550 | | | SET_ADDRESS(&pinfo->dst, AT_ETHER, 6, dst);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
66 | #define SET_ADDRESS(addr, addr_type, addr_len, addr_data) { \ |
67 | (addr)->type = (addr_type); \ |
68 | (addr)->len = (addr_len); \ |
69 | (addr)->data = (addr_data); \ |
70 | } |
| |
|
| 6551 | | | |
| 6552 | | | |
| 6553 | | | |
| 6554 | | | SET_ADDRESS(&whdr->bssid, AT_ETHER, 6, bssid);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
66 | #define SET_ADDRESS(addr, addr_type, addr_len, addr_data) { \ |
67 | (addr)->type = (addr_type); \ |
68 | (addr)->len = (addr_len); \ |
69 | (addr)->data = (addr_data); \ |
70 | } |
| |
|
| 6555 | | | SET_ADDRESS(&whdr->src, AT_ETHER, 6, src);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
66 | #define SET_ADDRESS(addr, addr_type, addr_len, addr_data) { \ |
67 | (addr)->type = (addr_type); \ |
68 | (addr)->len = (addr_len); \ |
69 | (addr)->data = (addr_data); \ |
70 | } |
| |
|
| 6556 | | | SET_ADDRESS(&whdr->dst, AT_ETHER, 6, dst);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
66 | #define SET_ADDRESS(addr, addr_type, addr_len, addr_data) { \ |
67 | (addr)->type = (addr_type); \ |
68 | (addr)->len = (addr_len); \ |
69 | (addr)->data = (addr_data); \ |
70 | } |
| |
|
| 6557 | | | whdr->type = frame_type_subtype; |
| 6558 | | | |
| 6559 | | | seq_control = tvb_get_letohs(tvb, 22); |
| 6560 | | | frag_number = SEQCTL_FRAGMENT_NUMBER(seq_control); |
| 6561 | | | seq_number = SEQCTL_SEQUENCE_NUMBER(seq_control); |
| 6562 | | | |
| 6563 | | | if (check_col (pinfo->cinfo, COL_INFO)) |
Event 15:
Taking true branch. check_col(...) evaluates to true.
hide
|
|
| 6564 | | | { |
| 6565 | | | col_append_fstr(pinfo->cinfo, COL_INFO, |
| 6566 | | | ", SN=%d, FN=%d", seq_number,frag_number); |
| 6567 | | | } |
| 6568 | | | |
| 6569 | | | |
| 6570 | | | if (tree) |
Event 16:
Skipping " if". tree evaluates to false.
hide
|
|
| 6571 | | | { |
| 6572 | | | |
| 6573 | | | switch (addr_type) |
| 6574 | | | { |
| 6575 | | | |
| 6576 | | | case DATA_ADDR_T1: |
| 6577 | | | proto_tree_add_ether (hdr_tree, hf_addr_da, tvb, 4, 6, dst); |
| 6578 | | | proto_tree_add_ether (hdr_tree, hf_addr_sa, tvb, 10, 6, src); |
| 6579 | | | proto_tree_add_ether (hdr_tree, hf_addr_bssid, tvb, 16, 6, bssid); |
| 6580 | | | proto_tree_add_uint (hdr_tree, hf_frag_number, tvb, 22, 2, |
| 6581 6635 |  | | [ Lines 6581 to 6635 omitted. ] |
| 6636 | | | |
| 6637 | | | |
| 6638 | | | hidden_item = proto_tree_add_ether (hdr_tree, hf_addr, tvb, 16, 6, dst); |
| 6639 | | | PROTO_ITEM_SET_HIDDEN(hidden_item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
319 | #define PROTO_ITEM_SET_HIDDEN(proto_item) \ |
320 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_HIDDEN) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
| 6640 | | | hidden_item = proto_tree_add_ether (hdr_tree, hf_addr, tvb, 24, 6, src); |
| 6641 | | | PROTO_ITEM_SET_HIDDEN(hidden_item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
319 | #define PROTO_ITEM_SET_HIDDEN(proto_item) \ |
320 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_HIDDEN) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
| 6642 | | | break; |
| 6643 | | | } |
| 6644 | | | |
| 6645 | | | } |
| 6646 | | | break; |
| 6647 | | | } |
| 6648 | | | |
| 6649 | | | len = tvb_length_remaining(tvb, hdr_len); |
| 6650 | | | reported_len = tvb_reported_length_remaining(tvb, hdr_len); |
| 6651 | | | |
| 6652 | | | switch (fcs_len) |
Event 17:
Executing default case.
hide
|
|
| 6653 | | | { |
| 6654 | | | case 0: |
| 6655 | | | has_fcs = FALSE; |
| 6656 | | | break; |
| 6657 | | | |
| 6658 | | | case 4: |
| 6659 | | | has_fcs = TRUE; |
| 6660 | | | break; |
| 6661 | | | |
| 6662 | | | default: |
| 6663 | | | has_fcs = wlan_check_fcs; |
| 6664 | | | break; |
| 6665 | | | } |
| 6666 | | | if (has_fcs) |
Event 18:
Taking false branch. has_fcs evaluates to false.
hide
|
|
| 6667 | | | { |
| 6668 | | | |
| 6669 | | | |
| 6670 | | | |
| 6671 | | | |
| 6672 | | | |
| 6673 | | | if (reported_len < 4) |
| 6674 | | | { |
| 6675 | | | |
| 6676 | | | |
| 6677 6739 |  | | [ Lines 6677 to 6739 omitted. ] |
| 6740 | | | fcs_good); |
| 6741 | | | PROTO_ITEM_SET_GENERATED(fcs_item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
325 | #define PROTO_ITEM_SET_GENERATED(proto_item) \ |
326 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_GENERATED) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
| 6742 | | | |
| 6743 | | | fcs_item = proto_tree_add_boolean(fcs_tree, |
| 6744 | | | hf_fcs_bad, tvb, |
| 6745 | | | hdr_len + len, 4, |
| 6746 | | | fcs_bad); |
| 6747 | | | PROTO_ITEM_SET_GENERATED(fcs_item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
325 | #define PROTO_ITEM_SET_GENERATED(proto_item) \ |
326 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_GENERATED) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
| 6748 | | | } |
| 6749 | | | } |
| 6750 | | | } else { |
| 6751 | | | flag_str[8] = '\0'; |
| 6752 | | | } |
| 6753 | | | |
| 6754 | | | proto_item_append_text(ti, ", Flags: %s", flag_str); |
| 6755 | | | if (check_col (pinfo->cinfo, COL_INFO)) |
Event 19:
Taking true branch. check_col(...) evaluates to true.
hide
|
|
| 6756 | | | col_append_fstr (pinfo->cinfo, COL_INFO, ", Flags=%s", flag_str); |
| 6757 | | | |
| 6758 | | | |
| 6759 | | | |
| 6760 | | | |
| 6761 | | | |
| 6762 | | | |
| 6763 | | | switch (FCF_FRAME_TYPE (fcf)) |
Event 20:
(fcf & 12) >> 2 evaluates to 0.
hide
|
|
| 6764 | | | { |
| 6765 | | | |
| 6766 | | | case MGT_FRAME: |
| 6767 | | | if (htc_len == 4) { |
Event 21:
Skipping " if". htc_len == 4 evaluates to false.
hide
|
|
| 6768 | | | dissect_ht_control(hdr_tree, tvb, ohdr_len - 4); |
| 6769 | | | } |
| 6770 | | | break; |
| 6771 | | | |
| 6772 | | | case DATA_FRAME: |
| 6773 | | | if (tree && DATA_FRAME_IS_QOS(frame_type_subtype)) |
| 6774 | | | { |
| 6775 | | | proto_item *qos_fields; |
| 6776 | | | proto_tree *qos_tree; |
| 6777 | | | |
| 6778 | | | guint16 qosoff; |
| 6779 | | | guint16 qos_control; |
| 6780 | | | guint16 qos_priority; |
| 6781 7000 |  | | [ Lines 6781 to 7000 omitted. ] |
| 7001 | | | |
| 7002 | | | break; |
| 7003 | | | |
| 7004 | | | case CONTROL_FRAME: |
| 7005 | | | return; |
| 7006 | | | |
| 7007 | | | default: |
| 7008 | | | return; |
| 7009 | | | } |
| 7010 | | | |
| 7011 | | | if (IS_PROTECTED(FCF_FLAGS(fcf)) && wlan_ignore_wep != WLAN_IGNORE_WEP_WO_IV) { |
| 7012 | | | |
| 7013 | | | |
| 7014 | | | |
| 7015 | | | |
| 7016 | | | |
| 7017 | | | gboolean can_decrypt = FALSE; |
| 7018 | | | proto_tree *wep_tree = NULL; |
| 7019 | | | guint32 iv; |
| 7020 | | | guint8 key, keybyte; |
| 7021 | | | |
| 7022 7290 |  | | [ Lines 7022 to 7290 omitted. ] |
| 7291 | | | |
| 7292 | | | |
| 7293 | | | |
| 7294 | | | |
| 7295 | | | |
| 7296 | | | |
| 7297 | | | |
| 7298 | | | |
| 7299 | | | hdr_len = 0; |
| 7300 | | | |
| 7301 | | | } else { |
| 7302 | | | |
| 7303 | | | |
| 7304 | | | |
| 7305 | | | |
| 7306 | | | |
| 7307 | | | |
| 7308 | | | |
| 7309 | | | |
| 7310 | | | |
| 7311 | | | next_tvb = tvb; |
| 7312 | | | } |
| 7313 | | | |
| 7314 | | | |
| 7315 | | | |
| 7316 | | | |
| 7317 | | | |
| 7318 | | | |
| 7319 | | | |
| 7320 | | | |
| 7321 | | | |
| 7322 | | | |
| 7323 | | | |
| 7324 | | | |
| 7325 | | | |
| 7326 | | | |
| 7327 | | | |
| 7328 | | | |
| 7329 | | | |
| 7330 | | | |
| 7331 | | | |
| 7332 | | | |
| 7333 | | | |
| 7334 | | | |
| 7335 | | | save_fragmented = pinfo->fragmented; |
| 7336 | | | if (wlan_defragment && (more_frags || frag_number != 0)) { |
| 7337 | | | fragment_data *fd_head; |
| 7338 | | | |
| 7339 | | | |
| 7340 | | | |
| 7341 | | | |
| 7342 | | | |
| 7343 | | | |
| 7344 | | | |
| 7345 | | | if (reported_len < 0) |
| 7346 | | | THROW(ReportedBoundsError);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/exceptions.h |
| |
223 | #define THROW(x) \ |
224 | except_throw(XCEPT_GROUP_WIRESHARK, (x), NULL) |
| |
|
| 7347 | | | fd_head = fragment_add_seq_802_11(next_tvb, hdr_len, pinfo, seq_number, |
| 7348 | | | wlan_fragment_table, |
| 7349 | | | wlan_reassembled_table, |
| 7350 | | | frag_number, |
| 7351 | | | reported_len, |
| 7352 | | | more_frags); |
| 7353 | | | next_tvb = process_reassembled_data(tvb, hdr_len, pinfo, |
| 7354 | | | "Reassembled 802.11", fd_head, |
| 7355 | | | &frag_items, NULL, hdr_tree); |
| 7356 | | | } else { |
| 7357 | | | |
| 7358 | | | |
| 7359 | | | |
| 7360 | | | |
| 7361 | | | if (frag_number != 0) { |
Event 24:
Taking false branch. frag_number != 0 evaluates to false.
hide
|
|
| 7362 | | | |
| 7363 | | | next_tvb = NULL; |
| 7364 | | | } else { |
| 7365 | | | |
| 7366 | | | |
| 7367 | | | |
| 7368 | | | next_tvb = tvb_new_subset (next_tvb, hdr_len, len, reported_len); |
| 7369 | | | |
| 7370 | | | |
| 7371 | | | |
| 7372 | | | |
| 7373 | | | |
| 7374 | | | if (more_frags) |
Event 25:
Taking false branch. more_frags evaluates to false.
hide
|
|
| 7375 | | | pinfo->fragmented = TRUE; |
| 7376 | | | else |
| 7377 | | | pinfo->fragmented = FALSE; |
| 7378 | | | } |
| 7379 | | | } |
| 7380 | | | |
| 7381 | | | if (next_tvb == NULL) { |
Event 26:
Skipping " if". next_tvb == (void *)0 evaluates to false.
hide
|
|
| 7382 | | | |
| 7383 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
| 7384 | | | col_set_str(pinfo->cinfo, COL_INFO, "Fragmented IEEE 802.11 frame"); |
| 7385 | | | next_tvb = tvb_new_subset (tvb, hdr_len, len, reported_len); |
| 7386 | | | call_dissector(data_handle, next_tvb, pinfo, tree); |
| 7387 | | | pinfo->fragmented = save_fragmented; |
| 7388 | | | goto end_of_wlan; |
| 7389 | | | } |
| 7390 | | | |
| 7391 | | | switch (FCF_FRAME_TYPE (fcf)) |
Event 27:
(fcf & 12) >> 2 evaluates to 2.
hide
|
|
| 7392 | | | { |
| 7393 | | | |
| 7394 | | | case MGT_FRAME: |
| 7395 | | | dissect_ieee80211_mgt (fcf, next_tvb, pinfo, tree); |
| 7396 | | | break; |
| 7397 | | | |
| 7398 | | | case DATA_FRAME: |
| 7399 | | | if (is_amsdu && tvb_reported_length_remaining(next_tvb, 0) > 4){ |
Event 28:
Skipping " if". is_amsdu evaluates to false.
hide
|
|
| 7400 | | | tvbuff_t *volatile msdu_tvb = NULL; |
| 7401 | | | guint32 msdu_offset = 0; |
| 7402 | | | guint16 i = 1; |
| 7403 | | | const guint8 *src = NULL; |
| 7404 | | | const guint8 *dst = NULL; |
| 7405 | | | guint16 msdu_length; |
| 7406 | | | proto_item *parent_item; |
| 7407 | | | proto_tree *mpdu_tree; |
| 7408 | | | proto_tree *subframe_tree; |
| 7409 | | | |
| 7410 7458 |  | | [ Lines 7410 to 7458 omitted. ] |
| 7459 | | | |
| 7460 | | | |
| 7461 | | | |
| 7462 | | | |
| 7463 | | | |
| 7464 | | | |
| 7465 | | | |
| 7466 | | | |
| 7467 | | | |
| 7468 | | | |
| 7469 | | | encap_type = ENCAP_802_2; |
| 7470 | | | TRY {
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/exceptions.h |
| |
176 | #define TRY \ |
177 | {\ |
178 | except_t *exc; \ |
179 | volatile int except_state = 0; \ |
180 | static const except_id_t catch_spec[] = { \ |
181 | { XCEPT_GROUP_WIRESHARK, XCEPT_CODE_ANY } }; \ |
182 | except_try_push(catch_spec, 1, &exc); \ |
183 | \ |
184 | if(except_state & EXCEPT_CAUGHT) \ |
185 | except_state |= EXCEPT_RETHROWN; \ |
186 | except_state &= ~EXCEPT_CAUGHT; \ |
187 | \ |
188 | if (except_state == 0 && exc == 0) \ |
189 | /* user's code goes here */ |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/except.h |
| |
143 | #define except_try_push(ID, NUM, PPE) \ |
144 | { \ |
145 | struct except_stacknode except_sn; \ |
146 | struct except_catch except_ch; \ |
147 | except_setup_try(&except_sn, &except_ch, ID, NUM); \ |
148 | if (setjmp(except_ch.except_jmp)) \ |
149 | *(PPE) = &except_ch.except_obj; \ |
150 | else \ |
151 | *(PPE) = 0 |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/exceptions.h |
| |
165 | #define EXCEPT_CAUGHT 1 /* exception has been caught, no need to rethrow at |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/exceptions.h |
| |
168 | #define EXCEPT_RETHROWN 2 /* the exception was rethrown from a CATCH |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/exceptions.h |
| |
165 | #define EXCEPT_CAUGHT 1 /* exception has been caught, no need to rethrow at |
| |
|
Event 29:
Taking false branch. setjmp(except_ch.except_jmp) evaluates to false.
hide
Event 30:
Skipping " if". except_state & 1 evaluates to false.
hide
|
|
| 7471 | [+] | | octet1 = tvb_get_guint8(next_tvb, 0); |
 |
| 7472 | | | octet2 = tvb_get_guint8(next_tvb, 1); |
| 7473 | | | if (octet1 != 0xaa || octet2 != 0xaa) { |
Event 46:
Taking true branch. octet1 != 170 evaluates to true.
hide
|
|
| 7474 | | | src = tvb_get_ptr (next_tvb, 6, 6); |
| 7475 | | | dst = tvb_get_ptr (next_tvb, 0, 6); |
| 7476 | | | if (memcmp(src, pinfo->dl_src.data, 6) == 0 || |
Event 47:
pinfo->dl_src.data, which evaluates to NULL, is passed to memcmp() as the second argument. See related event 14.
hide
Null Pointer Dereference
The body of memcmp() dereferences pinfo->dl_src.data, but it is NULL. The issue can occur if the highlighted code executes. See related event 47. Show: All events | Only primary events |
|
| |