(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-gsm_a_dtap.c) |
| |
| 5484 | | | dissect_dtap(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) |
| 5485 | | | { |
| 5486 | | | static gsm_a_tap_rec_t tap_rec[4]; |
| 5487 | | | static gsm_a_tap_rec_t *tap_p; |
| 5488 | | | static guint tap_current=0; |
| 5489 | | | void (*msg_fcn)(tvbuff_t *tvb, proto_tree *tree, guint32 offset, guint len); |
| 5490 | | | guint8 oct; |
| 5491 | | | guint8 pd; |
| 5492 | | | guint32 offset; |
| 5493 | | | guint32 len; |
| 5494 | | | guint32 oct_1, oct_2; |
| 5495 | | | gint idx; |
| 5496 | | | proto_item *dtap_item = NULL; |
| 5497 | | | proto_tree *dtap_tree = NULL; |
| 5498 | | | proto_item *oct_1_item = NULL; |
| 5499 | | | proto_tree *pd_tree = NULL; |
| 5500 | | | const gchar *msg_str; |
| 5501 | | | gint ett_tree; |
| 5502 | | | gint ti; |
| 5503 | | | int hf_idx; |
| 5504 | | | gboolean nsd; |
| 5505 | | | |
| 5506 | | | |
| 5507 | | | len = tvb_length(tvb); |
| 5508 | | | |
| 5509 | | | if (len < 2) |
Event 1:
Skipping " if". len < 2 evaluates to false.
| 5510 | | | { |
| 5511 | | | |
| 5512 | | | |
| 5513 | | | |
| 5514 | | | call_dissector(data_handle, tvb, pinfo, tree); |
| 5515 | | | return; |
| 5516 | | | } |
| 5517 | | | |
| 5518 | [+] | | if (check_col(pinfo->cinfo, COL_INFO)) |
 |
| 5519 | | | { |
| 5520 | | | col_append_str(pinfo->cinfo, COL_INFO, "(DTAP) "); |
| 5521 | | | } |
| 5522 | | | |
| 5523 | | | |
| 5524 | | | |
| 5525 | | | |
| 5526 | | | tap_current++; |
| 5527 | | | if (tap_current >= 4) |
Event 4:
Skipping " if". tap_current >= 4 evaluates to false.
| 5528 | | | { |
| 5529 | | | tap_current = 0; |
| 5530 | | | } |
| 5531 | | | tap_p = &tap_rec[tap_current]; |
| 5532 | | | |
| 5533 | | | |
| 5534 | | | offset = 0; |
| 5535 | | | oct_2 = 0; |
| 5536 | | | |
| 5537 | | | gsm_a_dtap_pinfo = pinfo; |
| 5538 | | | g_tree = tree; |
| 5539 | | | |
| 5540 | | | |
| 5541 | | | |
| 5542 | | | |
| 5543 | | | oct_1 = tvb_get_guint8(tvb, offset++); |
| 5544 | | | |
| 5545 | | | if ((((oct_1 & DTAP_TI_MASK) >> 4) & DTAP_TIE_PRES_MASK) == DTAP_TIE_PRES_MASK) |
Event 5:
Skipping " if". ((oct_1 & 240) >> 4 & 7) == 7 evaluates to false.
| 5546 | | | { |
| 5547 | | | |
| 5548 | | | |
| 5549 | | | |
| 5550 | | | |
| 5551 | | | |
| 5552 | | | oct_2 = tvb_get_guint8(tvb, offset++); |
| 5553 | | | } |
| 5554 | | | |
| 5555 | | | oct = tvb_get_guint8(tvb, offset); |
| 5556 | | | |
| 5557 | | | pd = oct_1 & DTAP_PD_MASK; |
| 5558 | | | ti = -1; |
| 5559 | | | msg_str = NULL; |
| 5560 | | | ett_tree = -1; |
| 5561 | | | hf_idx = -1; |
| 5562 | | | msg_fcn = NULL; |
| 5563 | | | nsd = FALSE; |
| 5564 | [+] | | if (check_col(pinfo->cinfo, COL_INFO)) |
 |
| 5565 | | | { |
| 5566 | | | col_append_fstr(pinfo->cinfo, COL_INFO, "(%s) ",val_to_str(pd,gsm_a_pd_short_str_vals,"unknown")); |
| 5567 | | | } |
| 5568 | | | |
| 5569 | | | |
| 5570 | | | |
| 5571 | | | |
| 5572 | | | switch (pd) |
Event 8:
pd evaluates to 3.
| 5573 | | | { |
| 5574 | | | case 3: |
| 5575 | [+] | | msg_str = match_strval_idx((guint32) (oct & DTAP_CC_IEI_MASK), gsm_a_dtap_msg_cc_strings, &idx); |
Event 9:
&idx is passed to match_strval_idx() as the third argument.
| 5576 | | | ett_tree = ett_gsm_dtap_msg_cc[idx]; |
| 5577 | | | hf_idx = hf_gsm_a_dtap_msg_cc_type; |
| 5578 | | | msg_fcn = dtap_msg_cc_fcn[idx]; |
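Buffer Underrun
This code reads before the beginning of the buffer dtap_msg_cc_fcn.
- The first underrun byte is at offset 4 * idx from the beginning of the object. See related event 13.
- The underrun occurs in static memory.
The issue can occur if the highlighted code executes. See related event 13.
Note: idx is written only by match_strval_idx() (event 9), whose lookup key (oct & DTAP_CC_IEI_MASK) comes from a byte read out of the packet with tvb_get_guint8(). It is then used as an array index on lines 5576 and 5578 with no range check in between. match_strval_idx() reports a failed lookup by returning NULL and setting the index to -1 (presumably what related event 13, not shown in this excerpt, records), so an unrecognised message type reaches both reads with a negative index. Testing msg_str for NULL (or idx for < 0) before indexing ett_gsm_dtap_msg_cc and dtap_msg_cc_fcn would remove the out-of-bounds read.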
|
| |