(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-bootp.c) |
| |
| 4004 | | | bootp_init_protocol(void) |
| 4005 | | | { |
| 4006 | | | gchar **optionstrings = NULL; |
| 4007 | | | gchar **optiondetail = NULL; |
| 4008 | | | gchar *type = NULL; |
| 4009 | | | guint i, ii; |
| 4010 | | | |
| 4011 | | | |
| 4012 | | | for(i=0; i<BOOTP_OPT_NUM; i++) |
Event 1:
The loop is executed one or more times.
|
|
| 4013 | | | { |
| 4014 | | | bootp_opt[i].text = default_bootp_opt[i].text; |
| 4015 | | | bootp_opt[i].ftype = default_bootp_opt[i].ftype; |
| 4016 | | | bootp_opt[i].data = default_bootp_opt[i].data; |
| 4017 | | | } |
| 4018 | | | |
| 4019 | | | |
| 4020 | | | optionstrings = ep_strsplit(pref_optionstring, ";", -1); |
| 4021 | | | for (i=0;optionstrings[i]!=NULL;i++) |
Event 3:
Continuing from loop body. Entering loop body. optionstrings[i] != (void *)0 evaluates to true.
|
|
| 4022 | | | { |
| 4023 | | | |
| 4024 | | | |
| 4025 | | | |
| 4026 | | | |
| 4027 | | | |
| 4028 | | | |
| 4029 | | | |
| 4030 | | | optiondetail = ep_strsplit(optionstrings[i], ",",-1); |
| 4031 | | | |
| 4032 | | | for(ii=0;(optiondetail[ii]!=NULL);ii++) |
| 4033 | | | { |
| 4034 | | | |
| 4035 | | | } |
| 4036 | | | if (ii < 3) continue; |
Event 5:
Skipping "if". ii < 3 evaluates to false.
|
|
| 4037 | | | ii = atoi(optiondetail[0]); |
Event 6:
atoi() returns a potentially dangerous value (potentially dangerous: the value cannot be determined and may come from program input). This value determines the potentially dangerous position that will be accessed later.
Event 7:
ii is set to atoi(optiondetail[0]). See related event 6.
|
|
| 4038 | | | if (ii==0 || ii>=BOOTP_OPT_NUM-1) continue; |
Event 8:
Skipping "if".
- ii == 0 evaluates to false.
- ii >= 256 - 1 evaluates to false.
|
|
| 4039 | | | if (bootp_opt[ii].ftype == special) continue; |
Event 9:
Skipping "if". bootp_opt[ii].ftype == special evaluates to false.
|
|
| 4040 | | | bootp_opt[ii].text = se_strdup(optiondetail[1]); |
Buffer Underrun
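This code could write before the beginning of the buffer bootp_opt.
- The first potentially underrun byte is at offset 12 * ii from the beginning of the object. See related event 7.
- 12 * ii evaluates to 12 * atoi(optiondetail[0]) from packet-bootp.c:4037, which is bounded above by 3048.
- If 12 * ii is negative, an underrun will occur. The analysis cannot rule out the possibility of 12 * ii taking on one or more of these dangerous values, so has issued this warning.
- The underrun occurs in static memory.
- Triage note: ii is declared guint at line 4009, so a negative atoi() result is converted to a large unsigned value before the bounds check at line 4038. That check (ii >= 256 - 1 per event 8) would reject such a value if the comparison is carried out in unsigned arithmetic; the definition of BOOTP_OPT_NUM is not shown here, so confirm this before treating the warning as a reachable underrun. Independently of the verdict, atoi() reports no conversion errors, so the option number taken from the preference string is not validated as a number at all.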
The issue can occur if the highlighted code executes. See related event 7.
|
| 4041 | | | type = optiondetail[2]; |
| 4042 | | | |
| 4043 | | | if (g_ascii_strcasecmp(type,"string") == 0) |
| 4044 | | | { |
| 4045 | | | bootp_opt[ii].ftype = string; |
| 4046 | | | } else if (g_ascii_strcasecmp(type,"ipv4") == 0) |
| 4047 | | | { |
| 4048 | | | bootp_opt[ii].ftype = ipv4; |
| 4049 | | | } else if (g_ascii_strcasecmp(type,"bytes") == 0) |
| 4050 | | | { |
| 4051 | | | bootp_opt[ii].ftype = bytes; |
| 4052 | | | } else |
| 4053 | | | { |
| 4054 | | | bootp_opt[ii].ftype = opaque; |
| |