(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-rtsp.c) |
| 334 | | | rtsp_create_conversation(packet_info *pinfo, const guchar *line_begin, |
| 335 | | | size_t line_len, gint rdt_feature_level) |
| 336 | | | { |
| 337 | | | conversation_t *conv; |
| 338 | | | guchar buf[256]; |
| 339 | | | guchar *tmp; |
| 340 | | | gboolean rtp_transport = FALSE; |
| 341 | | | gboolean rdt_transport = FALSE; |
| 342 | | | guint c_data_port, c_mon_port; |
| 343 | | | guint s_data_port, s_mon_port; |
| 344 | | | gboolean is_video = FALSE; |
| 345 | | | |
| 346 | | | |
| 347 | | | if (line_len > sizeof(buf) - 1) |
Event 1:
Taking true branch. line_len > sizeof( buf ) - 1 evaluates to true.
| 348 | | | { |
| 349 | | | |
| 350 | | | line_len = sizeof(buf) - 1; |
| 351 | | | } |
| 352 | | | memcpy(buf, line_begin, line_len); |
| 353 | | | buf[line_len] = '\0'; |
| 354 | | | |
| 355 | | | |
| 356 | | | tmp = buf + STRLEN_CONST(rtsp_transport); |
| 357 | | | while (*tmp && isspace(*tmp)) |
| 358 | | | tmp++; |
| 359 | | | |
| 360 | | | |
| 361 | | | if (g_ascii_strncasecmp(tmp, rtsp_rtp, strlen(rtsp_rtp)) == 0) |
Event 3:
g_ascii_strncasecmp is an Undefined Function.
Event 4:
Taking false branch. g_ascii_strncasecmp(...) == 0 evaluates to false.
| 362 | | | rtp_transport = TRUE; |
| 363 | | | else |
| 364 | | | if (g_ascii_strncasecmp(tmp, rtsp_real_rdt, strlen(rtsp_real_rdt)) == 0 || |
Event 5:
g_ascii_strncasecmp is an Undefined Function.
Event 6:
Taking true branch. g_ascii_strncasecmp(...) == 0 evaluates to true.
| 365 | | | g_ascii_strncasecmp(tmp, rtsp_real_tng, strlen(rtsp_real_tng)) == 0) |
| 366 | | | rdt_transport = TRUE; |
Event 7:
!0 evaluates to true.
| 367 | | | else |
| 368 | | | { |
| 369 | | | |
| 370 | | | return; |
| 371 | | | } |
| 372 | | | |
| 373 | | | c_data_port = c_mon_port = 0; |
| 374 | | | s_data_port = s_mon_port = 0; |
| 375 | | | |
| 376 | | | |
| 377 | | | if ((tmp = strstr(buf, rtsp_sps))) { |
Event 8:
Skipping " if". tmp = strstr(buf, rtsp_sps) evaluates to false.
| 378 | | | tmp += strlen(rtsp_sps); |
| 379 | | | if (sscanf(tmp, "%u-%u", &s_data_port, &s_mon_port) < 1) { |
| 380 | | | g_warning("Frame %u: rtsp: bad server_port",
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 381 | | | pinfo->fd->num); |
| 382 | | | return; |
| 383 | | | } |
| 384 | | | } |
| 385 | | | |
| 386 | | | if ((tmp = strstr(buf, rtsp_cps))) { |
Event 9:
Taking true branch. tmp = strstr(buf, rtsp_cps) evaluates to true.
| 387 | | | tmp += strlen(rtsp_cps); |
| 388 | | | if (sscanf(tmp, "%u-%u", &c_data_port, &c_mon_port) < 1) { |
Event 10:
Skipping " if". sscanf(...) < 1 evaluates to false.
| 389 | | | g_warning("Frame %u: rtsp: bad client_port",
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 390 | | | pinfo->fd->num); |
| 391 | | | return; |
| 392 | | | } |
| 393 | | | } |
| 394 | | | |
| 395 | | | |
| 396 | | | |
| 397 | | | if (!c_data_port) { |
Event 11:
Taking true branch. c_data_port evaluates to false.
| 398 | | | rtsp_conversation_data_t *data; |
| 399 | | | guint s_data_chan, s_mon_chan; |
| 400 | | | int i; |
| 401 | | | |
| 402 | | | |
| 403 | | | if ((tmp = strstr(buf, rtsp_inter)) == NULL) { |
Event 12:
Skipping " if". (tmp = strstr(...)) == (void *)0 evaluates to false.
| 404 | | | |
| 405 | | | |
| 406 | | | |
| 407 | | | |
| 408 | | | return; |
| 409 | | | } |
| 410 | | | |
| 411 | | | |
| 412 | | | tmp += strlen(rtsp_inter); |
| 413 | | | |
| 414 | | | i = sscanf(tmp, "%u-%u", &s_data_chan, &s_mon_chan); |
| 415 | | | if (i < 1) |
Event 16:
Skipping " if". i < 1 evaluates to false.
| 416 | | | { |
| 417 | | | g_warning("Frame %u: rtsp: bad interleaved", pinfo->fd->num);
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 418 | | | return; |
| 419 | | | } |
| 420 | | | |
| 421 | | | |
| 422 | | | conv = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, |
| 423 | | | pinfo->srcport, pinfo->destport, 0); |
| 424 | | | |
| 425 | | | |
| 426 | | | if (!conv) |
Event 17:
Taking true branch. conv evaluates to false.
| 427 | | | { |
| 428 | | | conv = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, |
| 429 | | | pinfo->ptype, pinfo->srcport, pinfo->destport, |
| 430 | | | 0); |
| 431 | | | } |
| 432 | | | |
| 433 | | | |
| 434 | [+] | | data = conversation_get_proto_data(conv, proto_rtsp); |
| 435 | | | |
| 436 | | | |
| 437 | | | if (!data) |
Event 24:
Skipping " if". data evaluates to true.
| 438 | | | { |
| 439 | | | data = se_alloc(sizeof(rtsp_conversation_data_t)); |
| 440 | | | conversation_add_proto_data(conv, proto_rtsp, data); |
| 441 | | | } |
| 442 | | | |
| 443 | | | |
| 444 | | | |
| 445 | | | if (rtp_transport) |
Event 25:
Taking false branch. rtp_transport evaluates to false.
| 446 | | | { |
| 447 | | | if (s_data_chan < RTSP_MAX_INTERLEAVED) { |
| 448 | | | data->interleaved[s_data_chan].dissector = |
| 449 | | | rtp_handle; |
| 450 | | | } |
| 451 | | | if (i > 1 && s_mon_chan < RTSP_MAX_INTERLEAVED) { |
| 452 | | | data->interleaved[s_mon_chan].dissector = |
| 453 | | | rtcp_handle; |
| 454 | | | } |
| 455 | | | } |
| 456 | | | else if (rdt_transport) |
Event 26:
Taking true branch. rdt_transport evaluates to true.
| 457 | | | { |
| 458 | | | if (s_data_chan < RTSP_MAX_INTERLEAVED) { |
Event 27:
Taking true branch. s_data_chan < 256 evaluates to true.
| 459 | | | data->interleaved[s_data_chan].dissector = |
| 460 | | | rdt_handle; |
Buffer Underrun
This code could write before the beginning of the buffer pointed to by data. - data evaluates to ((char*)g_slist_find_custom(...)->data)[4] at conversation.c:1028. See related event 23.
- data is at an offset from the beginning of the allocated memory. The byte offset value is the number of allocated bytes preceding ((char*)g_slist_find_custom(...)->data)[4] at conversation.c:1028. See related event 23.
- The first potentially underrun byte is at offset 4 * s_data_chan from the beginning of the object. See related event 15.
- 4 * s_data_chan evaluates to the value assigned to s_data_chan at packet-rtsp.c:414, times 4, which is bounded above by 1020.
- If 4 * s_data_chan is less than the number of allocated bytes preceding ((char*)g_slist_find_custom(...)->data)[4] at conversation.c:1028, an underrun will occur. The analysis cannot rule out the possibility of 4 * s_data_chan taking on one or more of these dangerous values, so has issued this warning.
The issue can occur if the highlighted code executes. See related events 15 and 23.