(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-alcap.c) |
| |
/*
 * dissect_alcap: top-level dissector for one ALCAP message.
 *
 * Fixed header read directly from the tvb: DSAID (4 bytes at offset 0),
 * message type (byte 4), compatibility byte (byte 5). Then a loop over
 * parameters, each laid out as id (1), compat (1), length (1), value (len).
 * When keep_persistent_info is set, a per-leg record is created/updated in
 * the legs_by_osaid / legs_by_dsaid / legs_by_bearer trees and the message
 * is appended to that leg's message list.
 *
 * Bounds safety: every raw read goes through tvb_get_* (bounds-checked
 * accessors) and the two table lookups go through macros that clamp an
 * out-of-range index to entry 0 (see the macro popups below), so an
 * attacker-controlled msg_type / param_id cannot index past the tables.
 *
 * Rendering caveat: several operands and field names were lost when this
 * listing was rendered (lines 1405, 1406, 1512, 1515); comments mark them.
 */
| 1367 | | | static void dissect_alcap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { |
| 1368 | | | proto_tree *alcap_tree = NULL; |
| 1369 | | | alcap_message_info_t* msg_info = ep_alloc0(sizeof(alcap_message_info_t)); /* zeroed, packet-lifetime: fields no parameter dissector fills in read as 0/NULL below */ |
| 1370 | | | int len = tvb_length(tvb); |
| 1371 | | | int offset; |
| 1372 | | | proto_item* pi; |
| 1373 | | | proto_tree* compat_tree; |
| 1374 | | | const alcap_msg_type_info_t* msg_type; |
| 1375 | | | |
| 1376 | | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) |
Event 1:
Skipping " if". check_col(...) evaluates to false.
hide
|
|
| 1377 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, alcap_proto_name_short); |
| 1378 | | | |
| 1379 | | | if (tree) { |
Event 2:
Taking true branch. tree evaluates to true.
hide
|
|
| 1380 | | | proto_item *alcap_item = proto_tree_add_item(tree, proto_alcap, tvb, 0, -1, FALSE); |
| 1381 | | | alcap_tree = proto_item_add_subtree(alcap_item, ett_alcap); |
| 1382 | | | } |
| 1383 | | | |
| 1384 | | | proto_tree_add_item(alcap_tree,hf_alcap_dsaid,tvb,0,4,FALSE); |
| 1385 | | | pi = proto_tree_add_item(alcap_tree,hf_alcap_msg_id,tvb,4,1,FALSE); |
| 1386 | | | |
| 1387 | | | msg_info->dsaid = tvb_get_ntohl(tvb, 0); |
| 1388 | | | msg_info->msg_type = tvb_get_guint8(tvb, 4); /* untrusted byte; only used as a table index via GET_MSG_TYPE and as a switch selector */ |
| 1389 | | | |
| 1390 | | | msg_type = GET_MSG_TYPE(msg_info->msg_type); /* clamps ids >= array_length(msg_types) to entry 0, so msg_type is never NULL or out of range */
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-alcap.c |
| |
1365 | #define GET_MSG_TYPE(id) ( array_length(msg_types) <= id ? &(msg_types[0]) : &(msg_types[id]) ) |
| |
|
Event 3:
sizeof( msg_types ) / sizeof( msg_types[0] ) <= msg_info->msg_type evaluates to false.
hide
|
|
| 1391 | | | |
| 1392 | | | expert_add_info_format(pinfo, pi, PI_RESPONSE_CODE, msg_type->severity, " "); |
| 1393 | | | |
| 1394 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
Event 4:
Taking true branch. check_col(...) evaluates to true.
hide
|
|
| 1395 | | | col_set_str(pinfo->cinfo, COL_INFO, msg_type->abbr); |
| 1396 | | | |
| 1397 | | | |
| 1398 | | | pi = proto_tree_add_item(alcap_tree,hf_alcap_compat,tvb,5,1,FALSE); |
| 1399 | | | compat_tree = proto_item_add_subtree(pi,ett_compat); |
| 1400 | | | proto_tree_add_item(compat_tree,hf_alcap_compat_pass_on_sni,tvb,5,1,FALSE); |
| 1401 | | | proto_tree_add_item(compat_tree,hf_alcap_compat_pass_on_ii,tvb,5,1,FALSE); |
| 1402 | | | proto_tree_add_item(compat_tree,hf_alcap_compat_general_sni,tvb,5,1,FALSE); |
| 1403 | | | proto_tree_add_item(compat_tree,hf_alcap_compat_general_ii,tvb,5,1,FALSE); |
| 1404 | | | |
| 1405 | | | len -= ; /* operand lost in this rendering; the fixed header dissected above occupies offsets 0-5, i.e. 6 bytes — confirm against the source file */ |
| 1406 | | | offset = ; /* operand lost in this rendering; see note on the previous line */ |
| 1407 | | | |
| 1408 | | | while(len > 0) { /* len is signed; it is the only thing that stops the loop once a param_len overshoots the remaining bytes */ |
Event 5:
Leaving loop. len > 0 evaluates to false.
hide
|
|
| 1409 | | | guint param_id = tvb_get_guint8(tvb,offset); |
| 1410 | | | guint param_len = tvb_get_guint8(tvb,offset+2); /* attacker-controlled length (0..255); the tvb accessors throw rather than read past the buffer */ |
| 1411 | | | const alcap_param_info_t* param_info = GET_PARAM_INFO(param_id); /* same clamp-to-entry-0 pattern as GET_MSG_TYPE; param_info is never NULL */
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-alcap.c |
| |
1268 | #define GET_PARAM_INFO(id) ( array_length(param_infos) <= id ? &(param_infos[0]) : &(param_infos[id]) ) |
| |
|
| 1412 | | | proto_tree* param_tree; |
| 1413 | | | const gchar* colinfo_str = NULL; |
| 1414 | | | |
| 1415 | | | pi = proto_tree_add_item(alcap_tree,hf_alcap_param_id,tvb,offset,1,FALSE); |
| 1416 | | | param_tree = proto_item_add_subtree(pi,param_info->ett); |
| 1417 | | | |
| 1418 | | | pi = proto_tree_add_item(param_tree,hf_alcap_compat,tvb,offset+1,1,FALSE); |
| 1419 | | | compat_tree = proto_item_add_subtree(pi,ett_compat); |
| 1420 | | | proto_tree_add_item(compat_tree,hf_alcap_compat_pass_on_sni,tvb,offset+1,1,FALSE); |
| 1421 | | | proto_tree_add_item(compat_tree,hf_alcap_compat_pass_on_ii,tvb,offset+1,1,FALSE); |
| 1422 | | | proto_tree_add_item(compat_tree,hf_alcap_compat_general_sni,tvb,offset+1,1,FALSE); |
| 1423 | | | proto_tree_add_item(compat_tree,hf_alcap_compat_general_ii,tvb,offset+1,1,FALSE); |
| 1424 | | | |
| 1425 | | | proto_tree_add_item(param_tree,hf_alcap_param_len,tvb,offset+2,1,FALSE); |
| 1426 | | | |
| 1427 | | | if ( alcap_tree || param_info->run_wo_tree ) /* parameter dissectors that feed msg_info (e.g. osaid/nsap fields used below) must run even without a tree */ |
| 1428 | | | colinfo_str = param_info->dissect_fields(pinfo,tvb,param_tree,offset+3,param_len,msg_info); /* value starts after the 3-byte id/compat/len prefix */ |
| 1429 | | | |
| 1430 | | | if (colinfo_str && check_col(pinfo->cinfo, COL_INFO)) { |
| 1431 | | | col_append_fstr(pinfo->cinfo, COL_INFO, " %s",colinfo_str); |
| 1432 | | | } |
| 1433 | | | |
| 1434 | | | len -= 3 + param_len; /* int -= guint: a param_len larger than the remaining bytes drives len to <= 0 and ends the loop */ |
| 1435 | | | offset += 3 + param_len; |
| 1436 | | | } |
| 1437 | | | |
| 1438 | | | if (keep_persistent_info) { |
Event 6:
Taking true branch. keep_persistent_info evaluates to true.
hide
|
|
| 1439 | | | alcap_leg_info_t* leg = NULL; |
| 1440 | | | switch (msg_info->msg_type) { /* raw wire value, not the clamped table index */ |
Event 7:
msg_info->msg_type evaluates to 7.
hide
|
|
| 1441 | | | case 5: /* create a leg keyed by OSAID unless one already exists */ |
| 1442 | | | if( ! ( leg = se_tree_lookup32(legs_by_osaid,msg_info->osaid) )) { |
| 1443 | | | leg = se_alloc(sizeof(alcap_leg_info_t)); /* capture-lifetime allocation; every field is initialised explicitly below */ |
| 1444 | | | |
| 1445 | | | leg->dsaid = 0; |
| 1446 | | | leg->osaid = msg_info->osaid; |
| 1447 | | | leg->pathid = msg_info->pathid; |
| 1448 | | | leg->cid = msg_info->cid; |
| 1449 | | | leg->sugr = msg_info->sugr; |
| 1450 | | | leg->orig_nsap = NULL; |
| 1451 | | | leg->dest_nsap = NULL; |
| 1452 | | | |
| 1453 | | | if (msg_info->orig_nsap) { |
| 1454 | | | gchar* key = se_strdup_printf("%s:%.8X",msg_info->orig_nsap,leg->sugr); /* bearer key: "<nsap>:<sugr>", lower-cased so lookups are case-insensitive */ |
| 1455 | | | ascii_strdown_inplace(key); |
| 1456 | | | |
| 1457 | | | leg->orig_nsap = se_strdup(msg_info->orig_nsap); |
| 1458 | | | |
| 1459 | | | if (!se_tree_lookup_string(legs_by_bearer,key,0)) { /* first leg for a bearer wins; later ones are not inserted */ |
| 1460 | | | se_tree_insert_string(legs_by_bearer,key,leg,0); |
| 1461 | | | } |
| 1462 | | | } |
| 1463 | | | |
| 1464 | | | if (msg_info->dest_nsap) { |
| 1465 | | | gchar* key = se_strdup_printf("%s:%.8X",msg_info->dest_nsap,leg->sugr); |
| 1466 | | | ascii_strdown_inplace(key); |
| 1467 | | | |
| 1468 | | | leg->dest_nsap = se_strdup(msg_info->dest_nsap); |
| 1469 | | | |
| 1470 | | | if (!se_tree_lookup_string(legs_by_bearer,key,0)) { |
| 1471 | | | se_tree_insert_string(legs_by_bearer,key,leg,0); |
| 1472 | | | } |
| 1473 | | | } |
| 1474 | | | |
| 1475 | | | leg->msgs = NULL; |
| 1476 | | | leg->release_cause = 0; |
| 1477 | | | |
| 1478 | | | se_tree_insert32(legs_by_osaid,leg->osaid,leg); |
| 1479 | | | } |
| 1480 | | | break; |
| 1481 | | | case 4: /* the peer's reply: learn its OSAID as our DSAID and index the leg by it too */ |
| 1482 | | | if(( leg = se_tree_lookup32(legs_by_osaid,msg_info->dsaid) )) { |
| 1483 | | | leg->dsaid = msg_info->osaid; |
| 1484 | | | se_tree_insert32(legs_by_dsaid,leg->dsaid,leg); |
| 1485 | | | } |
| 1486 | | | break; |
| 1487 | | | case 6: |
| 1488 | | | case 12: |
| 1489 | | | case 13: |
| 1490 | | | case 14: |
| 1491 | | | if( ( leg = se_tree_lookup32(legs_by_osaid,msg_info->dsaid) ) |
| 1492 | | | || ( leg = se_tree_lookup32(legs_by_dsaid,msg_info->dsaid) ) ) { |
| 1493 | | | |
| 1494 | | | if(msg_info->release_cause) /* only overwrite with a non-zero cause here, unlike case 7 which assigns unconditionally */ |
| 1495 | | | leg->release_cause = msg_info->release_cause; |
| 1496 | | | |
| 1497 | | | } |
| 1498 | | | break; |
| 1499 | | | case 7: |
| 1500 | | | leg = se_tree_lookup32(legs_by_osaid,msg_info->dsaid); |
Event 8:
legs_by_osaid is passed to emem_tree_lookup32() as the first argument.
hide
Event 9:
emem_tree_lookup32() returns legs_by_osaid->tree->data. See related event 8.
hide
Event 10:
leg is set to emem_tree_lookup32(...), which evaluates to legs_by_osaid->tree->data. See related event 9.
hide
|
|
| 1501 | | | |
| 1502 | | | if(leg) { |
Event 11:
Taking true branch. leg evaluates to true.
hide
|
|
| 1503 | | | leg->release_cause = msg_info->release_cause; |
| 1504 | | | } else if (( leg = se_tree_lookup32(legs_by_dsaid,msg_info->dsaid) )) { |
| 1505 | | | leg->release_cause = msg_info->release_cause; |
| 1506 | | | } |
| 1507 | | | break; |
| 1508 | | | default: |
| 1509 | | | break; |
| 1510 | | | } |
| 1511 | | | |
| 1512 | | | if (leg && ( (! leg->msgs) || leg->msgs->last-> < pinfo->fd->num ) ) { /* field name lost in this rendering (compared with a frame number). `||` short-circuits: leg->msgs->last is only read when leg->msgs is non-NULL, so the NULL test at 1519 is consistent with this guard, not redundant */ |
Event 13:
leg->msgs is dereferenced, where leg is legs_by_osaid->tree->data. See related event 10.
hide
|
|
| 1513 | | | alcap_msg_data_t* msg = se_alloc(sizeof(alcap_msg_data_t)); /* capture-lifetime; all four fields set before the node is linked */ |
| 1514 | | | msg->msg_type = msg_info->msg_type; |
| 1515 | | | msg-> = pinfo->fd->num; /* field name lost in this rendering; this is the same field compared at 1512 */ |
| 1516 | | | msg->next = NULL; |
| 1517 | | | msg->last = NULL; |
| 1518 | | | |
| 1519 | | | if (leg->msgs) { /* append to the singly linked list; the head node's `last` points at the tail */ |
Null Test After Dereference
This code tests the nullness of leg->msgs, which has already been dereferenced. - If leg->msgs were null, there would have been a prior null pointer dereference at packet-alcap.c:1512, and potentially at other locations as well.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test.
The issue can occur if the highlighted code executes. See related events 10 and 13. Show: All events | Only primary events |
|
| 1520 | | | leg->msgs->last->next = msg; |
| 1521 | | | } else { |
| 1522 | | | leg->msgs = msg; |
| 1523 | | | } |
| 1524 | | | |
| 1525 | | | leg->msgs->last = msg; /* safe on both paths: leg->msgs was either non-NULL or was just set to msg */ |
| 1526 | | | |
| 1527 | | | } |
| 1528 | | | |
| 1529 | | | if (tree && leg) alcap_leg_tree(alcap_tree,tvb,leg); |
| 1530 | | | } |
| 1531 | | | } |
| |