(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ssl.c) |
| |
| 1284 | | | dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, |
| 1285 | | | proto_tree *tree, guint32 offset, |
| 1286 | | | guint *conv_version, gboolean *need_desegmentation, |
| 1287 | | | SslDecryptSession* ssl, gboolean first_record_in_frame _U_) |
| 1288 | | | { |
| 1308 | | | guint32 record_length; |
| 1309 | | | guint16 version; |
| 1310 | | | guint8 content_type; |
| 1311 | | | guint8 next_byte; |
| 1312 | | | proto_tree *ti; |
| 1313 | | | proto_tree *ssl_record_tree; |
| 1314 | | | SslAssociation* association; |
| 1315 | | | guint32 available_bytes; |
| 1316 | | | ti = NULL; |
| 1317 | | | ssl_record_tree = NULL; |
| 1318 | | | available_bytes = 0; |
| 1319 | | | |
| 1320 | [+] | | available_bytes = tvb_length_remaining(tvb, offset); |
 |
| 1321 | | | |
| 1322 | | | |
| 1323 | | | if ((*conv_version==SSL_VER_TLS || *conv_version==SSL_VER_TLSv1DOT1 || *conv_version==SSL_VER_TLSv1DOT2) && |
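Event 12:
Skipping "if".
- *conv_version == 3 evaluates to false.
- *conv_version == 4 evaluates to false.
- *conv_version == 7 evaluates to true.
- available_bytes >= 1 evaluates to true.
The three values are tested in the order the comparisons appear on line 1323, so 7 is the value of SSL_VER_TLSv1DOT2 on this path.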
Event 13:
Considering the case where *conv_version must have been equal to 7.
|
|
| 1324 | [+] | | (available_bytes >=1 ) && !ssl_is_valid_content_type(tvb_get_guint8(tvb, offset))) { |
 |
| 1325 | | | proto_tree_add_text(tree, tvb, offset, available_bytes, "Ignored Unknown Record"); |
| 1326 | [+] | | if (check_col(pinfo->cinfo, COL_INFO)) |
 |
| 1327 | | | col_append_str(pinfo->cinfo, COL_INFO, "Ignored Unknown Record"); |
| 1328 | | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) |
Event 19:
Taking true branch. check_col(...) evaluates to true.
|
|
| 1329 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, ssl_version_short_names[*conv_version]); |
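Buffer Overrun
This code reads past the end of ssl_version_short_names.
- The first byte read is at offset 4 * *conv_version from the beginning of ssl_version_short_names, whose capacity is 28 bytes.
- The offset exceeds the capacity: valid byte offsets are 0 through 27.
- 4 * *conv_version is equal to 28, i.e. *conv_version is 7 (see event 13).
- The overrun occurs in global memory.
Assuming 4-byte elements, as the factor 4 in the offset suggests, a 28-byte table holds 7 entries with indices 0 through 6, so index 7 is one element past the end. The value read there is passed to col_set_str() as the protocol-column string, so whatever follows the table in memory is treated as a string pointer. The lookup on line 1329 is safe only if the table has an entry for every version value that the condition on line 1323 admits, or if the index is checked against the table's element count before it is used.
The issue can occur if the highlighted code executes. See related event 13.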
|
| |