(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-tpncp.c) |
| |
| 488 | | | static gint fill_enums_id_vals(FILE *file) { |
| 489 | | | gint i = 0, enum_id = 0, enum_val = 0, first_entry = 1; |
| 490 | | | gchar *line_in_file = NULL, *enum_name = NULL, |
| 491 | | | *enum_type = NULL, *enum_str = NULL; |
| 492 | | | |
| 493 | [+] | | line_in_file = ep_alloc(MAX_TPNCP_DB_ENTRY_LEN); |
 |
| 494 | | | line_in_file[0] = 0; |
| 495 | [+] | | enum_name = ep_alloc(MAX_TPNCP_DB_ENTRY_LEN); |
 |
| 496 | | | enum_name[0] = 0; |
| 497 | | | enum_type = ep_alloc(MAX_TPNCP_DB_ENTRY_LEN); |
| 498 | | | enum_type[0] = 0; |
| 499 | | | enum_str = ep_alloc(MAX_TPNCP_DB_ENTRY_LEN); |
| 500 | | | enum_str[0] = 0; |
| 501 | | | |
| 502 | | | while (fgets(line_in_file, MAX_TPNCP_DB_ENTRY_LEN, file) != NULL) { |
Event 9:
Entering loop body. fgets(...) != (void *)0 evaluates to true.
|
|
| 503 | | | if (!strncmp(line_in_file, "#####", 5)) { |
Event 10:
Skipping the "if" body: strncmp(...) evaluates to non-zero (true), so the negated condition is false.
|
|
| 504 | | | break; |
| 505 | | | } |
| 506 | | | if (sscanf(line_in_file, "%s %s %d", enum_name, enum_str, &enum_id) == 3) { |
Event 11:
enum_name, which evaluates to the value assigned to buf at emem.c:419, is passed to __isoc99_sscanf() as the third argument. See related event 7.
Event 12:
"%s %s %d" is passed to __isoc99_sscanf() as the second argument.
Buffer Overrun
This code could write past the end of the buffer pointed to by enum_name.
- enum_name evaluates to the value assigned to buf at emem.c:419.
- __isoc99_sscanf() writes an unknown and potentially dangerous number of bytes (the value cannot be determined and may come from program input) starting at the beginning of the buffer pointed to by enum_name.
- The number of bytes written could exceed the number of allocated bytes.
- The capacity of the buffer pointed to by enum_name, in bytes, is the value assigned to the capacity of the buffer pointed to by buf at emem.c:419. See related event 11.
- If the access length is higher than the value assigned to the capacity of the buffer pointed to by buf at emem.c:419, an overrun will occur. The analysis cannot rule out this possibility, so has issued this warning.
The issue can occur if the highlighted code executes. See related events 11 and 12.
|
| 507 | | | if (strcmp(enum_type, enum_name)) { |
| 508 | | | if (!first_entry) { |
| 509 | | | if (enum_val < MAX_ENUMS_NUM) { |
| 510 | | | tpncp_enums_id_vals[enum_val][i].strptr = NULL; |
| 511 | | | tpncp_enums_id_vals[enum_val][i].value = 0; |
| 512 | | | enum_val++; i = 0; |
| 513 | | | } |
| 514 | | | else { |
| 515 | | | break; |
| 516 | | | } |
| 517 | | | } |
| 518 | | | else |
| 519 | | | first_entry = 0; |
| 520 | | | tpncp_enums_name_vals[enum_val] = g_strdup(enum_name); |
| 521 | | | g_strlcpy(enum_type, enum_name, MAX_TPNCP_DB_ENTRY_LEN); |
| 522 | | | } |
| 523 | | | tpncp_enums_id_vals[enum_val][i].strptr = g_strdup(enum_str); |
| 524 | | | tpncp_enums_id_vals[enum_val][i].value = enum_id; |
| 525 | | | if (i < MAX_ENUM_ENTRIES) { |
| 526 | | | i++; |
| |