(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ssh.c) |
| |
| 385 | | | ssh_dissect_ssh2(tvbuff_t *tvb, packet_info *pinfo, |
| 386 | | | struct ssh_flow_data *global_data, |
| 387 | | | int offset, proto_tree *tree,int is_response, int this_number, |
| 388 | | | gboolean *need_desegmentation) |
| 389 | | | { |
| 390 | | | proto_item *ti; |
| 391 | | | proto_item *ssh2_tree=NULL; |
| 392 | | | |
| 393 | | | if(tree) { |
Event 1:
Taking true branch. tree evaluates to true.
|
|
| 394 | | | GString *title=g_string_new("SSH Version 2"); |
| 395 | | | |
| 396 | | | if (global_data->enc || global_data->mac || global_data->comp) { |
Event 3:
Skipping the "if" body.
- global_data->enc evaluates to false.
- global_data->mac evaluates to false.
- global_data->comp evaluates to false.
|
|
| 397 | | | g_string_append_printf(title," ("); |
| 398 | | | if (global_data->enc) |
| 399 | | | g_string_append_printf(title,"encryption:%s%s", |
| 400 | | | global_data->enc, |
| 401 | | | global_data->mac || global_data->comp |
| 402 | | | ? " " : ""); |
| 403 | | | if (global_data->mac) |
| 404 | | | g_string_append_printf(title,"mac:%s%s", |
| 405 | | | global_data->mac, |
| 406 | | | global_data->comp ? " " : ""); |
| 407 | | | if (global_data->comp) |
| 408 | | | g_string_append_printf(title,"compression:%s", |
| 409 | | | global_data->comp); |
| 410 | | | g_string_append_printf(title,")"); |
| 411 | | | } |
| 412 | | | |
| 413 | | | ti=proto_tree_add_text(tree,tvb,offset,-1, "%s", title->str); |
| 414 | | | ssh2_tree = proto_item_add_subtree(ti ,ett_ssh2); |
| 415 | | | if (title) g_string_free(title,TRUE); |
Null Test After Dereference
This code tests whether title is null after title has already been dereferenced.
- If title were null, there would have been a prior null pointer dereference at packet-ssh.c:413, and potentially at other locations as well.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test. Here title is assigned from g_string_new() at line 394, which aborts on allocation failure rather than returning NULL, so the test at line 415 is the redundant one.
The issue can occur if the highlighted code executes. See related event 4.
|
| 416 | | | } |
| 417 | | | |
| 418 | | | if((is_response && this_number > 3) || (!is_response && this_number>4)) { |
| 419 | | | offset = ssh_dissect_encrypted_packet(tvb, pinfo, |
| 420 | | | global_data, |
| 421 | | | offset,ssh2_tree,is_response); |
| 422 | | | } else { |
| 423 | | | offset = ssh_dissect_key_exchange(tvb,pinfo, global_data, |
| 424 | | | offset,ssh2_tree,is_response,this_number, |
| 425 | | | need_desegmentation); |
| 426 | | | } |
| 427 | | | |
| 428 | | | return offset; |
| 429 | | | } |
| |