(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-scsi.c) |
/*
 * Dissect an SPC INQUIRY command (CDB) or its INQUIRY data (response).
 *
 * Two directions are handled:
 *  - request (isreq && iscdb): the CDB bytes -- the CMDT/EVPD flag byte, the
 *    page-code byte that follows it, the allocation-length byte and the
 *    control byte.  The flag byte and the allocation length are also saved in
 *    cdata->itlq so that the matching response can be interpreted.
 *  - response (!isreq): if the saved CDB flags asked for an EVPD or CMDT page
 *    the work is handed to dissect_scsi_evpd() / dissect_scsi_cmddt();
 *    otherwise the standard INQUIRY data is dissected here, limited to the
 *    allocation length saved from the CDB.
 *
 * tvb, pinfo, tree, offset: the usual dissector arguments.
 * isreq, iscdb:            direction / CDB-vs-data selectors (see above).
 * payload_len:             only passed through to the EVPD/CMDT dissectors.
 * cdata:                   per-task state; may be NULL.  When non-NULL,
 *                          itlq->flags and itlq->alloc_len are read/written
 *                          and itl->cmdset is written.  cdata->itlq is assumed
 *                          valid whenever cdata is non-NULL; that is not
 *                          checked here -- TODO confirm against the callers.
 *
 * No return value.  On the response path a truncated capture propagates as a
 * bounds exception (see the note at END_TRY_SCSI_CDB_ALLOC_LEN below).
 */
dissect_spc_inquiry (tvbuff_t *tvb, packet_info *pinfo,
                     proto_tree *tree, guint offset, gboolean isreq,
                     gboolean iscdb, guint32 payload_len,
                     scsi_task_data_t *cdata)
{
    guint8 flags, i;
    /*
     * TRY_SCSI_CDB_ALLOC_LEN (response path) reassigns both of these inside a
     * setjmp()-based TRY block, so they must be volatile to hold their values
     * across the longjmp() back into the exception handler.
     */
    tvbuff_t *volatile tvb_v = tvb;
    volatile guint offset_v = offset;

    /* INQUIRY data byte 0: peripheral qualifier and peripheral device type. */
    static const int *peripheal_fields[] = {
        &hf_scsi_inq_qualifier,
        &hf_scsi_inq_devtype,
        NULL
    };
    /* INQUIRY data byte 3: AERC, TrmTsk, NormACA, HiSup, response data format. */
    static const int *aca_fields[] = {
        &hf_scsi_inq_aerc,
        &hf_scsi_inq_trmtsk,
        &hf_scsi_inq_normaca,
        &hf_scsi_inq_hisup,
        &hf_scsi_inq_rdf,
        NULL
    };
    /* INQUIRY data byte 1: removable-medium bit. */
    static const int *rmb_fields[] = {
        &hf_scsi_inq_rmb,
        NULL
    };

    /*
     * Response carrying standard INQUIRY data (no EVPD/CMDT page requested, or
     * no CDB state at all) with at least one byte present: record the device
     * type bits for this I_T_L nexus -- presumably used to pick the command
     * set for later commands on the nexus (inferred from the field name).
     * cdata->itlq is only reached after cdata == NULL has been ruled out by
     * the short-circuit ||, and cdata->itl only after the cdata && test.
     */
    if (!isreq && (cdata == NULL || !(cdata->itlq->flags & 0x3))
        && (tvb_length_remaining(tvb_v, offset_v)>=1) ) {
        if(cdata && cdata->itl){
            cdata->itl->cmdset=tvb_get_guint8(tvb_v, offset_v)&SCSI_DEV_BITS;
        }
    }

    if (isreq && iscdb) {
        /* CDB byte 1: CMDT (bit 1) and EVPD (bit 0); saved for the response. */
        flags = tvb_get_guint8 (tvb_v, offset_v);
        if (cdata) {
            cdata->itlq->flags = flags;
        }

        /* Note the text shows the masked bit values (0/2 and 0/1), not 0/1 flags. */
        proto_tree_add_uint_format (tree, hf_scsi_inquiry_flags, tvb_v, offset_v, 1,
                                    flags, "CMDT = %u, EVPD = %u",
                                    flags & 0x2, flags & 0x1);
        /* CDB byte 2 is the page/operation code, meaningful only with EVPD or CMDT. */
        if (flags & 0x1) {
            proto_tree_add_item (tree, hf_scsi_inquiry_evpd_page, tvb_v, offset_v+1,
                                 1, 0);
        }
        else if (flags & 0x2) {
            proto_tree_add_item (tree, hf_scsi_inquiry_cmdt_page, tvb_v, offset_v+1,
                                 1, 0);
        }

        /* CDB byte 4: allocation length; saved to bound the response dissection. */
        proto_tree_add_item (tree, hf_scsi_alloclen, tvb_v, offset_v+3, 1, 0);

        if(cdata){
            cdata->itlq->alloc_len=tvb_get_guint8(tvb_v, offset_v+3);
        }

        /* CDB byte 5: control byte. */
        flags = tvb_get_guint8 (tvb_v, offset_v+4);
        proto_tree_add_uint_format (tree, hf_scsi_control, tvb_v, offset_v+4, 1,
                                    flags,
                                    "Vendor Unique = %u, NACA = %u, Link = %u",
                                    flags & 0xC0, flags & 0x4, flags & 0x1);
    } else if (!isreq) {
        /*
         * Without CDB state the response cannot be interpreted.
         * NOTE(review): a static-analysis report on this file flags this as a
         * "null test after dereference", pointing back at the cdata->itlq
         * access at the top of the function.  That access sits behind the
         * short-circuit `cdata == NULL ||` and the itl access behind
         * `cdata &&`, so this test is the genuine guard for the response path
         * rather than a redundant one.
         */
        if (!cdata) {
            return;
        }

        /* EVPD / CMDT pages have their own layouts; hand them off entirely. */
        if (cdata->itlq->flags & 0x1) {
            dissect_scsi_evpd (tvb_v, pinfo, tree, offset_v, payload_len);
            return;
        }
        if (cdata->itlq->flags & 0x2) {
            dissect_scsi_cmddt (tvb_v, pinfo, tree, offset_v, payload_len);
            return;
        }

        /*
         * From here on tvb_v is a subset tvb starting at the INQUIRY data and
         * capped at the allocation length from the CDB, and offset_v is
         * rebased to 0.  The macro also records whether the frame was captured
         * short; END_TRY_SCSI_CDB_ALLOC_LEN rethrows a BoundsError only in that
         * case (otherwise running past the allocation length is treated as the
         * end of the data) and converts a ReportedBoundsError on a full
         * capture into ScsiBoundsError.  Both macros live in packet-scsi.h.
         */
        TRY_SCSI_CDB_ALLOC_LEN(pinfo, tvb_v, offset_v, cdata->itlq->alloc_len);

        /* Byte 0: peripheral qualifier / device type. */
        proto_tree_add_bitmask(tree, tvb_v, offset_v, hf_scsi_inq_peripheral, ett_scsi_inq_peripheral, peripheal_fields, FALSE);
        offset_v+=1;

        /* Byte 1: RMB. */
        proto_tree_add_bitmask(tree, tvb_v, offset_v, hf_scsi_inq_rmbflags, ett_scsi_inq_rmbflags, rmb_fields, FALSE);
        offset_v+=1;

        /* Byte 2: version. */
        proto_tree_add_item (tree, hf_scsi_inq_version, tvb_v, offset_v, 1, 0);
        offset_v+=1;

        /* Byte 3: ACA / response-data-format flags. */
        proto_tree_add_bitmask(tree, tvb_v, offset_v, hf_scsi_inq_acaflags, ett_scsi_inq_acaflags, aca_fields, FALSE);
        offset_v+=1;

        /*
         * Byte 4: additional length.  SET_SCSI_DATA_END is not visible here;
         * presumably it stores the end of the INQUIRY data in end_data_offset,
         * which END_TRY_SCSI_CDB_ALLOC_LEN later reads once to verify that all
         * announced bytes are present.  NOTE(review): the value adds the
         * caller's original `offset`, not the rebased `offset_v`, although
         * tvb_v is now a subset that starts at the data -- confirm intent.
         */
        SET_SCSI_DATA_END(tvb_get_guint8(tvb_v, offset_v)+offset);
        proto_tree_add_item(tree, hf_scsi_inq_add_len, tvb_v, offset_v, 1, 0);
        offset_v+=1;

        /* Flag bytes; each helper returns the offset following what it consumed. */
        offset_v=dissect_spc_inq_sccsflags(tvb_v, offset_v, tree);

        offset_v=dissect_spc_inq_bqueflags(tvb_v, offset_v, tree);

        offset_v=dissect_spc_inq_reladrflags(tvb_v, offset_v, tree);

        /* T10 vendor identification: 8 bytes. */
        proto_tree_add_item(tree, hf_scsi_inq_vendor_id, tvb_v, offset_v, 8, 0);
        offset_v+=8;

        /* Product identification: 16 bytes. */
        proto_tree_add_item(tree, hf_scsi_inq_product_id, tvb_v, offset_v, 16, 0);
        offset_v+=16;

        /* Product revision level: 4 bytes. */
        proto_tree_add_item(tree, hf_scsi_inq_product_rev, tvb_v, offset_v, 4, 0);
        offset_v+=4;

        /* Vendor-specific area: 20 bytes. */
        proto_tree_add_item(tree, hf_scsi_inq_vendor_specific, tvb_v, offset_v, 20, 0);
        offset_v+=20;

        /* Two reserved bytes, shown as one item and skipped one at a time. */
        proto_tree_add_item(tree, hf_scsi_inq_reserved, tvb_v, offset_v, 2, 0);

        offset_v++;

        offset_v++;

        /* Eight 2-byte version descriptors. */
        for(i=0;i<8;i++){
            proto_tree_add_item(tree, hf_scsi_inq_version_desc, tvb_v, offset_v, 2, 0);
            offset_v+=2;
        }

        END_TRY_SCSI_CDB_ALLOC_LEN;
    }
}