(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-dtls.c) |
| |
| 541 | | | dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo, |
| 542 | | | proto_tree *tree, guint32 offset, |
| 543 | | | guint *conv_version, |
| 544 | | | SslDecryptSession* ssl) |
| 545 | | | { |
| 546 | | | |
| 547 | | | |
| 548 | | | |
| 549 | | | |
| 550 | | | |
| 551 | | | |
| 552 | | | |
| 553 | | | |
| 554 | | | |
| 555 568 |  | | [ Lines 555 to 568 omitted. ] |
| 569 | | | guint16 epoch; |
| 570 | | | gdouble sequence_number; |
| 571 | | | gint64 sequence_number_temp; |
| 572 | | | guint8 content_type; |
| 573 | | | guint8 next_byte; |
| 574 | | | proto_tree *ti; |
| 575 | | | proto_tree *dtls_record_tree; |
| 576 | | | guint32 available_bytes; |
| 577 | | | SslAssociation* association; |
| 578 | | | SslDataInfo *appl_data; |
| 579 | | | ti = NULL; |
| 580 | | | dtls_record_tree = NULL; |
| 581 | | | available_bytes = tvb_length_remaining(tvb, offset); |
| 582 | | | |
| 583 | | | |
| 584 | | | |
| 585 | | | |
| 586 | | | content_type = tvb_get_guint8(tvb, offset); |
| 587 | | | version = tvb_get_ntohs(tvb, offset + 1); |
| 588 | | | epoch = tvb_get_ntohs(tvb, offset + 3); |
| 589 | | | sequence_number = tvb_get_ntohl(tvb, offset + 7); |
| 590 | | | sequence_number_temp=tvb_get_ntohs(tvb, offset + 5); |
| 591 | | | sequence_number_temp=sequence_number_temp<<32; |
| 592 | | | sequence_number+=sequence_number_temp; |
| 593 | | | record_length = tvb_get_ntohs(tvb, offset + 11); |
| 594 | | | |
| 595 | | | if(ssl){ |
Event 1:
Taking true branch. ssl evaluates to true.
|
|
| 596 | | | if(ssl_packet_from_server(dtls_associations, pinfo->srcport, pinfo->ptype == PT_TCP)){ |
Event 2:
Skipping " if". pinfo->ptype == PT_TCP evaluates to true.
Event 3:
Taking true branch. ssl_packet_from_server(...) evaluates to true.
|
|
| 597 | | | if (ssl->server) { |
Event 4:
Taking true branch. ssl->server evaluates to true.
|
|
| 598 | | | ssl->server->seq=(guint32)sequence_number; |
| 599 | | | ssl->server->epoch=epoch; |
| 600 | | | } |
| 601 | | | } |
| 602 | | | else{ |
| 603 | | | if (ssl->client) { |
| 604 | | | ssl->client->seq=(guint32)sequence_number; |
| 605 | | | ssl->client->epoch=epoch; |
| 606 | | | } |
| 607 | | | } |
| 608 | | | } |
| 609 | | | if (!ssl_is_valid_content_type(content_type)) { |
Event 5:
Skipping " if". ssl_is_valid_content_type(...) evaluates to true.
|
|
| 610 | | | |
| 611 | | | |
| 612 | | | |
| 613 | | | |
| 614 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
| 615 | | | col_append_str(pinfo->cinfo, COL_INFO, "Continuation Data"); |
| 616 | | | |
| 617 | | | |
| 618 | | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) |
| 619 | | | { |
| 620 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL,"DTLS"); |
| 621 | | | } |
| 622 | | | return offset + 13 + record_length; |
| 623 | | | } |
| 624 | | | |
| 625 | | | |
| 626 | | | |
| 627 | | | |
| 628 | | | |
| 629 | | | if (tree) |
Event 6:
Taking true branch. tree evaluates to true.
|
|
| 630 | | | { |
| 631 | | | |
| 632 | | | tvb_ensure_bytes_exist(tvb, offset, 13 + record_length); |
| 633 | | | ti = proto_tree_add_item(tree, hf_dtls_record, tvb, |
| 634 | | | offset, 13 + record_length, 0); |
| 635 | | | dtls_record_tree = proto_item_add_subtree(ti, ett_dtls_record); |
| 636 | | | } |
| 637 | | | |
| 638 | | | if (dtls_record_tree) |
Event 7:
Taking true branch. dtls_record_tree evaluates to true.
|
|
| 639 | | | { |
| 640 | | | |
| 641 | | | |
| 642 | | | proto_tree_add_item(dtls_record_tree, hf_dtls_record_content_type, |
| 643 | | | tvb, offset, 1, FALSE); |
| 644 | | | offset++; |
| 645 | | | |
| 646 | | | |
| 647 | | | proto_tree_add_item(dtls_record_tree, hf_dtls_record_version, tvb, |
| 648 | | | offset, 2, FALSE); |
| 649 | | | offset += 2; |
| 650 | | | |
| 651 | | | |
| 652 | | | proto_tree_add_uint(dtls_record_tree, hf_dtls_record_epoch, tvb, offset, 2, epoch); |
| 653 | | | |
| 654 | | | offset += 2; |
| 655 | | | |
| 656 | | | |
| 657 | | | |
| 658 | | | proto_tree_add_double(dtls_record_tree, hf_dtls_record_sequence_number, tvb, offset, 6, sequence_number); |
| 659 | | | |
| 660 | | | offset += 6; |
| 661 | | | |
| 662 | | | |
| 663 | | | proto_tree_add_uint(dtls_record_tree, hf_dtls_record_length, tvb, |
| 664 | | | offset, 2, record_length); |
| 665 | | | offset += 2; |
| 666 | | | |
| 667 | | | } |
| 668 | | | else |
| 669 | | | { |
| 670 | | | |
| 671 | | | offset += 13; |
| 672 | | | } |
| 673 | | | |
| 674 | | | |
| 675 | | | |
| 676 | | | |
| 677 | | | |
| 678 | | | |
| 679 | | | |
| 680 | | | |
| 681 | | | next_byte = tvb_get_guint8(tvb, offset); |
| 682 | | | if (*conv_version == SSL_VER_UNKNOWN |
Event 8:
Skipping " if". *conv_version == 0 evaluates to false.
|
|
| 683 | | | && dtls_is_authoritative_version_message(content_type, next_byte)) |
| 684 | | | { |
| 685 | | | if (version == DTLSV1DOT0_VERSION || |
| 686 | | | version == DTLSV1DOT0_VERSION_NOT) |
| 687 | | | { |
| 688 | | | |
| 689 | | | *conv_version = SSL_VER_DTLS; |
| 690 | | | if (ssl) { |
| 691 | | | ssl->version_netorder = version; |
| 692 | | | ssl->state |= SSL_VERSION; |
| 693 | | | } |
| 694 | | | |
| 695 | | | } |
| 696 | | | } |
| 697 | | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) |
Event 9:
Taking true branch. check_col(...) evaluates to true.
|
|
| 698 | | | { |
| 699 | | | if (version == DTLSV1DOT0_VERSION) |
Event 10:
Taking true branch. version == 65279 evaluates to true.
|
|
| 700 | | | { |
| 701 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, |
| 702 | | | ssl_version_short_names[SSL_VER_DTLS]); |
| 703 | | | } |
| 704 | | | else |
| 705 | | | { |
| 706 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL,"DTLS"); |
| 707 | | | } |
| 708 | | | } |
| 709 | | | |
| 710 | | | |
| 711 | | | |
| 712 | | | |
| 713 | | | ssl_debug_printf("dissect_dtls_record: content_type %d\n",content_type); |
| 714 | | | |
| 715 | | | |
| 716 | | | |
| 717 | | | |
| 718 | | | switch (content_type) { |
Event 11:
content_type evaluates to 23.
|
|
| 719 | | | case SSL_ID_CHG_CIPHER_SPEC: |
| 720 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
| 721 | | | col_append_str(pinfo->cinfo, COL_INFO, "Change Cipher Spec"); |
| 722 | | | dissect_dtls_change_cipher_spec(tvb, dtls_record_tree, |
| 723 | | | offset, conv_version, content_type); |
| 724 | | | break; |
| 725 | | | case SSL_ID_ALERT: |
| 726 | | | { |
| 727 | | | tvbuff_t* decrypted; |
| 728 | | | decrypted = 0; |
| 729 | | | if (ssl&&decrypt_dtls_record(tvb, pinfo, offset, |
| 730 | | | record_length, content_type, ssl, FALSE)) |
| 731 | | | ssl_add_record_info(proto_dtls, pinfo, dtls_decrypted_data.data, |
| 732 | | | dtls_decrypted_data_avail, offset); |
| 733 | | | |
| 734 | | | |
| 735 | | | decrypted = ssl_get_record_info(proto_dtls, pinfo, offset); |
| 736 | | | if (decrypted) |
| 737 | | | dissect_dtls_alert(decrypted, pinfo, dtls_record_tree, 0, |
| 738 | | | conv_version); |
| 739 | | | else |
| 740 | | | dissect_dtls_alert(tvb, pinfo, dtls_record_tree, offset, |
| 741 | | | conv_version); |
| 742 | | | break; |
| 743 | | | } |
| 744 | | | case SSL_ID_HANDSHAKE: |
| 745 | | | { |
| 746 | | | tvbuff_t* decrypted; |
| 747 | | | decrypted = 0; |
| 748 | | | |
| 749 | | | |
| 750 | | | |
| 751 | | | |
| 752 | | | if (ssl && decrypt_dtls_record(tvb, pinfo, offset, |
| 753 | | | record_length, content_type, ssl, FALSE)) |
| 754 | | | ssl_add_record_info(proto_dtls, pinfo, dtls_decrypted_data.data, |
| 755 | | | dtls_decrypted_data_avail, offset); |
| 756 | | | |
| 757 | | | |
| 758 | | | decrypted = ssl_get_record_info(proto_dtls, pinfo, offset); |
| 759 | | | if (decrypted) |
| 760 | | | dissect_dtls_handshake(decrypted, pinfo, dtls_record_tree, 0, |
| 761 | | | decrypted->length, conv_version, ssl, content_type); |
| 762 | | | else |
| 763 | | | dissect_dtls_handshake(tvb, pinfo, dtls_record_tree, offset, |
| 764 | | | record_length, conv_version, ssl, content_type); |
| 765 | | | break; |
| 766 | | | } |
| 767 | | | case SSL_ID_APP_DATA: |
| 768 | | | if (ssl) |
Event 12:
Taking true branch. ssl evaluates to true.
|
|
| 769 | | | decrypt_dtls_record(tvb, pinfo, offset, |
| 770 | | | record_length, content_type, ssl, TRUE); |
Event 13:
!0 evaluates to true.
|
|
| 771 | | | |
| 772 | | | |
| 773 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
Event 14:
Skipping " if". check_col(...) evaluates to false.
|
|
| 774 | | | col_append_str(pinfo->cinfo, COL_INFO, "Application Data"); |
| 775 | | | |
| 776 | | | if (!dtls_record_tree) |
Event 15:
Skipping " if". dtls_record_tree evaluates to true.
|
|
| 777 | | | break; |
| 778 | | | |
| 779 | | | |
| 780 | | | |
| 781 | | | |
| 782 | | | association = ssl_association_find(dtls_associations, pinfo->srcport, pinfo->ptype == PT_TCP); |
Event 16:
pinfo->ptype == PT_TCP evaluates to true.
|
|
| 783 | | | association = association ? association: ssl_association_find(dtls_associations, pinfo->destport, pinfo->ptype == PT_TCP); |
Event 17:
association evaluates to true.
|
|
| 784 | | | |
| 785 | | | proto_item_set_text(dtls_record_tree, |
| 786 | | | "%s Record Layer: %s Protocol: %s", |
| 787 | | | ssl_version_short_names[*conv_version], |
| 788 | | | val_to_str(content_type, ssl_31_content_type, "unknown"), |
| 789 | | | association?association->info:"Application Data"); |
Event 18:
association evaluates to true.
|
|
| 790 | | | |
| 791 | | | proto_tree_add_item(dtls_record_tree, hf_dtls_record_appdata, tvb, |
| 792 | | | offset, record_length, 0); |
| 793 | | | |
| 794 | | | |
| 795 | | | appl_data = ssl_get_data_info(proto_dtls, pinfo, TVB_RAW_OFFSET(tvb)+offset);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/tvbuff.h |
| |
306 | #define TVB_RAW_OFFSET(tvb) \ |
307 | ((tvb->raw_offset==-1)?(tvb->raw_offset = offset_from_real_beginning(tvb, 0)):tvb->raw_offset) |
| |
|
Event 20:
tvb->raw_offset == -1 evaluates to true.
|
|
| 796 | | | if (appl_data && (appl_data->plain_data.data_len > 0)) |
| 797 | | | { |
| 798 | | | tvbuff_t *next_tvb; |
| 799 | | | |
| 800 | | | ssl_debug_printf("dissect_dtls_record decrypted len %d\n", |
| 801 | | | appl_data->plain_data.data_len); |
| 802 | | | |
| 803 | | | |
| 804 | | | next_tvb = tvb_new_child_real_data(tvb, appl_data->plain_data.data, appl_data->plain_data.data_len, appl_data->plain_data.data_len); |
| 805 | | | |
| 806 | | | add_new_data_source(pinfo, next_tvb, "Decrypted DTLS data"); |
| 807 | | | |
| 808 | | | |
| 809 | | | if (association && association->handle) { |
Null Test After Dereference
This code tests the nullness of association, which has already been dereferenced.
- If association were null, there would have been a prior null pointer dereference at packet-dtls.c:789, and potentially at other locations as well.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test.
Note that the dereference at line 789 sits inside the conditional expression `association ? association->info : "Application Data"`, so on the path where `association` is NULL (both `ssl_association_find` lookups at lines 782–783 returning NULL) nothing is dereferenced there. The test at line 809 is therefore not redundant on that path, and this finding appears to be a path-sensitive false positive rather than evidence of a missing guard.
The issue can occur if the highlighted code executes; see related event 19.
|
| 810 | | | ssl_debug_printf("dissect_dtls_record found association %p\n", (void *)association); |
| 811 | | | ssl_print_text_data("decrypted app data",appl_data->plain_data.data, appl_data->plain_data.data_len); |
| 812 | | | |
| 813 | | | call_dissector(association->handle, next_tvb, pinfo, top_tree); |
| 814 | | | } |
| 815 | | | } |
| 816 | | | break; |
| 817 | | | |
| 818 | | | default: |
| 819 | | | |
| 820 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
| 821 | | | col_append_str(pinfo->cinfo, COL_INFO, "Bad DTLS Content Type"); |
| 822 | | | break; |
| 823 | | | } |
| 824 | | | offset += record_length; |
| 825 | | | |
| 826 | | | return offset; |
| 827 | | | } |
| |