(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-dtls.c) |
| |
| 477 | | | decrypt_dtls_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset, |
| 478 | | | guint32 record_length, guint8 content_type, SslDecryptSession* ssl, |
| 479 | | | gboolean save_plaintext) |
| 480 | | | { |
| 481 | | | gint ret; |
| 482 | | | gint direction; |
| 483 | | | SslDecoder* decoder; |
| 484 | | | ret = 0; |
| 485 | | | |
| 486 | | | |
| 487 | | | |
| 488 | | | ssl_debug_printf("decrypt_dtls_record: app_data len %d ssl state %X\n", |
| 489 | | | record_length, ssl->state); |
| 490 | | | if (!(ssl->state & SSL_HAVE_SESSION_KEY)) { |
Event 1:
Skipping " if". ssl->state & 1 << 3 evaluates to true.
|
|
| 491 | | | ssl_debug_printf("decrypt_dtls_record: no session key\n"); |
| 492 | | | return ret; |
| 493 | | | } |
| 494 | | | |
| 495 | | | |
| 496 | | | if ((direction = ssl_packet_from_server(dtls_associations, pinfo->srcport, pinfo->ptype == PT_TCP)) != 0) { |
Event 2:
Skipping " if". pinfo->ptype == PT_TCP evaluates to true.
Event 3:
Taking true branch. (direction = ssl_packet_from_server(...)) != 0 evaluates to true.
|
|
| 497 | | | ssl_debug_printf("decrypt_dtls_record: using server decoder\n"); |
| 498 | | | decoder = ssl->server; |
| 499 | | | } |
| 500 | | | else { |
| 501 | | | ssl_debug_printf("decrypt_dtls_record: using client decoder\n"); |
| 502 | | | decoder = ssl->client; |
| 503 | | | } |
| 504 | | | |
| 505 | | | |
| 506 | | | if (record_length > dtls_decrypted_data.data_len) |
Event 4:
Skipping " if". record_length > dtls_decrypted_data.data_len evaluates to false.
|
|
| 507 | | | { |
| 508 | | | ssl_debug_printf("decrypt_dtls_record: allocating %d bytes" |
| 509 | | | " for decrypt data (old len %d)\n", |
| 510 | | | record_length + 32, dtls_decrypted_data.data_len); |
| 511 | | | dtls_decrypted_data.data = g_realloc(dtls_decrypted_data.data, |
| 512 | | | record_length + 32); |
| 513 | | | dtls_decrypted_data.data_len = record_length + 32; |
| 514 | | | } |
| 515 | | | |
| 516 | | | |
| 517 | | | |
| 518 | | | dtls_decrypted_data_avail = dtls_decrypted_data.data_len; |
| 519 | | | if (ssl_decrypt_record(ssl, decoder, |
| 520 | | | content_type, tvb_get_ptr(tvb, offset, record_length), |
| 521 | | | record_length, &dtls_compressed_data, &dtls_decrypted_data, &dtls_decrypted_data_avail) == 0) |
Event 5:
Taking true branch. ssl_decrypt_record(...) == 0 evaluates to true.
|
|
| 522 | | | ret = 1; |
| 523 | | | |
| 524 | | | if (ret && save_plaintext) { |
| 525 | [+] | | ssl_add_data_info(proto_dtls, pinfo, dtls_decrypted_data.data, dtls_decrypted_data_avail, TVB_RAW_OFFSET(tvb)+offset, 0);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/tvbuff.h |
| |
306 | #define TVB_RAW_OFFSET(tvb) \ |
307 | ((tvb->raw_offset==-1)?(tvb->raw_offset = offset_from_real_beginning(tvb, 0)):tvb->raw_offset) |
| |
|
Event 7:
tvb->raw_offset == -1 evaluates to false.
Event 8:
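The literal 0, a null pointer constant, is passed to ssl_add_data_info() as the sixth argument. The tool reports that this argument is dereferenced later, causing the null pointer dereference. The call is reached only when decryption succeeded (ret is 1) and save_plaintext is set, per the guard on line 524.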
|
|
|
| |