(/home/sate/Testcases/c/cve/wireshark-1.2.0/plugins/profinet/packet-dcom-cba-acco.c) |
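/*
 * Look up the consumer-side connection identified by consid, or create and
 * register a new one.
 *
 * Lookup: with a consumer frame the search is confined to that frame's own
 * connection list (cons_frame->conns); without one, the per-device list
 * cons_ldev->consconns is searched and a match must additionally lie in the
 * packet range (connect .. disconnect / disconnectme) of the current packet.
 *
 * Creation: the record is se_alloc'ed (seasonal memory owned by the
 * allocator -- callers must not free it), provitem is copied with se_strdup,
 * and typedesc is stored by pointer only, so the caller's buffer has to
 * outlive the connection (presumably se-allocated as well; verify at the
 * call sites).  The new record is appended to the frame's list or, when
 * frameless, to both the consumer's and the provider's device lists.
 *
 * Returns the existing or the newly created connection.  No NULL check is
 * done on se_alloc, matching the rest of the file; NOTE(review): the
 * allocator's failure behaviour is not visible here -- confirm it cannot
 * return NULL.
 */
static cba_connection_t *
cba_connection_connect(packet_info *pinfo, cba_ldev_t *cons_ldev, cba_ldev_t *prov_ldev, cba_frame_t *cons_frame,
	guint16 qostype, guint16 qosvalue, const char *provitem, guint32 consid, guint16 length,
	guint16 *typedesc, guint16 typedesclen)
{
	GList *cba_iter;
	cba_connection_t *conn;

	/* cons_frame is only dereferenced inside this non-NULL branch, so the
	 * second cons_frame test further down is a repeat of this guard, not a
	 * test that follows an unguarded dereference. */
	if(cons_frame != NULL) {
		/* frame-scoped lookup: consid is unique within one frame */
		for(cba_iter = cons_frame->conns; cba_iter != NULL; cba_iter = g_list_next(cba_iter)) {
			conn = cba_iter->data;
			if(conn->consid == consid) {
				return conn;
			}
		}
	} else {
		/* device-scoped lookup: the same consid may be reused over the
		 * capture, so the match must also be live for this packet */
		for(cba_iter = cons_ldev->consconns; cba_iter != NULL; cba_iter = g_list_next(cba_iter)) {
			conn = cba_iter->data;
			if( conn->consid == consid &&
				cba_packet_in_range(pinfo, conn->packet_connect, conn->packet_disconnect, conn->packet_disconnectme)) {
				return conn;
			}
		}
	}

	conn = se_alloc(sizeof(cba_connection_t));

	conn->consparentacco = cons_ldev;
	conn->provparentacco = prov_ldev;
	conn->parentframe = cons_frame;

	/* packet bookkeeping: only the connect packet is known at this point */
	conn->packet_connect = pinfo->fd->num;
	conn->packet_disconnect = 0;
	conn->packet_disconnectme = 0;
	conn->packet_first = 0;
	conn->packet_last = 0;

	conn->consid = consid;
	conn->provitem = se_strdup(provitem);
	conn->typedesclen = typedesclen;
	conn->typedesc = typedesc;
	conn->qostype = qostype;
	conn->qosvalue = qosvalue;
	/* set once here; the frame branch below used to repeat this assignment */
	conn->length = length;

	/* provider side is filled in by the connect response */
	conn->provid = 0;
	conn->connret = -1;

	if(cons_frame != NULL) {
		/* The frame's offset advances by the packet-supplied length for
		 * every connection added to it and no upper bound is applied here;
		 * any limit on the accumulated offset has to be enforced by the
		 * caller or by the code that consumes frame_offset -- TODO confirm. */
		conn->frame_offset = cons_frame->offset;
		cons_frame->offset += length;
		cons_frame->conns = g_list_append(cons_frame->conns, conn);
	} else {
		conn->frame_offset = 0;
		cons_ldev->consconns = g_list_append(cons_ldev->consconns, conn);
		prov_ldev->provconns = g_list_append(prov_ldev->provconns, conn);
	}

	return conn;
}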