(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ssl.c) |
| 1284 | | | dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, |
| 1285 | | | proto_tree *tree, guint32 offset, |
| 1286 | | | guint *conv_version, gboolean *need_desegmentation, |
| 1287 | | | SslDecryptSession* ssl, gboolean first_record_in_frame _U_) |
| 1288 | | | { |
| 1289 | | | |
| 1290 | | | |
| 1291 | | | |
| 1292 | | | |
| 1293 | | | |
| 1294 | | | |
| 1295 | | | |
| 1296 | | | |
| 1297 | | | |
| 1298 | | | |
| 1299 | | | |
| 1300 | | | |
| 1301 | | | |
| 1302 | | | |
| 1303 | | | |
| 1304 | | | |
| 1305 | | | |
| 1306 | | | |
| 1307 | | | |
| 1308 | | | guint32 record_length; |
| 1309 | | | guint16 version; |
| 1310 | | | guint8 content_type; |
| 1311 | | | guint8 next_byte; |
| 1312 | | | proto_tree *ti; |
| 1313 | | | proto_tree *ssl_record_tree; |
| 1314 | | | SslAssociation* association; |
| 1315 | | | guint32 available_bytes; |
| 1316 | | | ti = NULL; |
| 1317 | | | ssl_record_tree = NULL; |
| 1318 | | | available_bytes = 0; |
| 1319 | | | |
| 1320 | [+] | | available_bytes = tvb_length_remaining(tvb, offset); |
 |
| 1321 | | | |
| 1322 | | | |
| 1323 | | | if ((*conv_version==SSL_VER_TLS || *conv_version==SSL_VER_TLSv1DOT1 || *conv_version==SSL_VER_TLSv1DOT2) && |
Event 12:
Skipping the `if` body: - *conv_version == 3 evaluates to false.
- *conv_version == 4 evaluates to false.
- *conv_version == 7 evaluates to true.
- available_bytes >= 1 evaluates to false.
Event 13:
Considering the case where *conv_version must have been equal to 7.
|
|
| 1324 | | | (available_bytes >=1 ) && !ssl_is_valid_content_type(tvb_get_guint8(tvb, offset))) { |
| 1325 | | | proto_tree_add_text(tree, tvb, offset, available_bytes, "Ignored Unknown Record"); |
| 1326 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
| 1327 | | | col_append_str(pinfo->cinfo, COL_INFO, "Ignored Unknown Record"); |
| 1328 | | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) |
| 1329 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, ssl_version_short_names[*conv_version]); |
| 1330 | | | return offset + available_bytes; |
| 1331 | | | } |
| 1332 | | | |
| 1333 | | | |
| 1334 | | | |
| 1335 | | | |
| 1336 | | | if (ssl_desegment && pinfo->can_desegment) { |
Event 14:
Skipping the `if` body: - ssl_desegment evaluates to true.
- pinfo->can_desegment evaluates to false.
|
|
| 1337 | | | |
| 1338 | | | |
| 1339 | | | |
| 1340 | | | if (available_bytes < 5) { |
| 1341 | | | |
| 1342 | | | |
| 1343 | | | |
| 1344 | | | |
| 1345 | | | |
| 1346 | | | pinfo->desegment_offset = offset; |
| 1347 | | | pinfo->desegment_len = 5 - available_bytes; |
| 1348 | | | *need_desegmentation = TRUE; |
| 1349 | | | return offset; |
| 1350 | | | } |
| 1351 | | | } |
| 1352 | | | |
| 1353 | | | |
| 1354 | | | |
| 1355 | | | |
| 1356 | [+] | | content_type = tvb_get_guint8(tvb, offset); |
 |
| 1357 | | | version = tvb_get_ntohs(tvb, offset + 1); |
| 1358 | | | record_length = tvb_get_ntohs(tvb, offset + 3); |
| 1359 | | | |
| 1360 | [+] | | if (ssl_is_valid_content_type(content_type)) { |
 |
| 1361 | | | |
| 1362 | | | |
| 1363 | | | |
| 1364 | | | |
| 1365 | | | if (ssl_desegment && pinfo->can_desegment) { |
Event 31:
Skipping the `if` body: - ssl_desegment evaluates to true.
- pinfo->can_desegment evaluates to false.
|
|
| 1366 | | | |
| 1367 | | | |
| 1368 | | | |
| 1369 | | | if (available_bytes < record_length + 5) { |
| 1370 | | | |
| 1371 | | | |
| 1372 | | | |
| 1373 | | | |
| 1374 | | | |
| 1375 | | | pinfo->desegment_offset = offset; |
| 1376 1399 |  | | [ Lines 1376 to 1399 omitted. ] |
| 1400 | | | { |
| 1401 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, |
| 1402 | | | ssl_version_short_names[*conv_version]); |
| 1403 | | | } |
| 1404 | | | return offset + 5 + record_length; |
| 1405 | | | } |
| 1406 | | | |
| 1407 | | | |
| 1408 | | | |
| 1409 | | | |
| 1410 | | | if (tree) |
Event 32:
Taking false branch. tree evaluates to false.
|
|
| 1411 | | | { |
| 1412 | | | |
| 1413 | | | |
| 1414 | | | tvb_ensure_bytes_exist(tvb, offset, 5 + record_length); |
| 1415 | | | ti = proto_tree_add_item(tree, hf_ssl_record, tvb, |
| 1416 | | | offset, 5 + record_length, 0); |
| 1417 | | | ssl_record_tree = proto_item_add_subtree(ti, ett_ssl_record); |
| 1418 | | | |
| 1419 | | | |
| 1420 | | | proto_tree_add_item(ssl_record_tree, hf_ssl_record_content_type, |
| 1421 | | | tvb, offset, 1, 0); |
| 1422 | | | offset++; |
| 1423 | | | |
| 1424 | | | |
| 1425 | | | proto_tree_add_item(ssl_record_tree, hf_ssl_record_version, tvb, |
| 1426 | | | offset, 2, FALSE); |
| 1427 | | | offset += 2; |
| 1428 | | | |
| 1429 | | | |
| 1430 | | | proto_tree_add_uint(ssl_record_tree, hf_ssl_record_length, tvb, |
| 1431 | | | offset, 2, record_length); |
| 1432 | | | offset += 2; |
| 1433 | | | } |
| 1434 | | | else |
| 1435 | | | { |
| 1436 | | | |
| 1437 | | | offset += 5; |
| 1438 | | | } |
| 1439 | | | |
| 1440 | | | |
| 1441 | | | |
| 1442 | | | |
| 1443 | | | |
| 1444 | | | |
| 1445 | | | |
| 1446 | | | |
| 1447 | | | next_byte = tvb_get_guint8(tvb, offset); |
| 1448 | | | if (*conv_version == SSL_VER_UNKNOWN |
Event 33:
Skipping the `if` body: *conv_version == 0 evaluates to false.
|
|
| 1449 | | | && ssl_is_authoritative_version_message(content_type, next_byte)) |
| 1450 | | | { |
| 1451 | | | if (version == SSLV3_VERSION) |
| 1452 | | | { |
| 1453 | | | *conv_version = SSL_VER_SSLv3; |
| 1454 | | | if (ssl) { |
| 1455 | | | ssl->version_netorder = version; |
| 1456 | | | ssl->state |= SSL_VERSION; |
| 1457 | | | ssl_debug_printf("dissect_ssl3_record found version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state); |
| 1458 | | | } |
| 1459 1484 |  | | [ Lines 1459 to 1484 omitted. ] |
| 1485 | | | |
| 1486 | | | *conv_version = SSL_VER_TLSv1DOT2; |
| 1487 | | | if (ssl) { |
| 1488 | | | ssl->version_netorder = version; |
| 1489 | | | ssl->state |= SSL_VERSION; |
| 1490 | | | ssl_debug_printf("dissect_ssl3_record found version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state); |
| 1491 | | | } |
| 1492 | | | |
| 1493 | | | } |
| 1494 | | | } |
| 1495 | | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) |
Event 34:
Taking true branch. check_col(...) evaluates to true.
|
|
| 1496 | | | { |
| 1497 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, |
| 1498 | | | ssl_version_short_names[*conv_version]); |
| 1499 | | | } |
| 1500 | | | |
| 1501 | | | |
| 1502 | | | |
| 1503 | | | |
| 1504 | | | ssl_debug_printf("dissect_ssl3_record: content_type %d\n",content_type); |
| 1505 | | | |
| 1506 | | | |
| 1507 | | | |
| 1508 | | | |
| 1509 | | | switch (content_type) { |
Event 35:
content_type evaluates to 23.
|
|
| 1510 | | | case SSL_ID_CHG_CIPHER_SPEC: |
| 1511 | | | ssl_debug_printf("dissect_ssl3_change_cipher_spec\n"); |
| 1512 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
| 1513 | | | col_append_str(pinfo->cinfo, COL_INFO, "Change Cipher Spec"); |
| 1514 | | | dissect_ssl3_change_cipher_spec(tvb, ssl_record_tree, |
| 1515 | | | offset, conv_version, content_type); |
| 1516 | | | if (ssl) ssl_change_cipher(ssl, ssl_packet_from_server(ssl_associations, pinfo->srcport, pinfo->ptype == PT_TCP)); |
| 1517 | | | break; |
| 1518 | | | case SSL_ID_ALERT: |
| 1519 | | | { |
| 1520 1550 |  | | [ Lines 1520 to 1550 omitted. ] |
| 1551 | | | |
| 1552 | | | add_new_data_source(pinfo, decrypted, "Decrypted SSL record"); |
| 1553 | | | dissect_ssl3_handshake(decrypted, pinfo, ssl_record_tree, 0, |
| 1554 | | | decrypted->length, conv_version, ssl, content_type); |
| 1555 | | | } else { |
| 1556 | | | dissect_ssl3_handshake(tvb, pinfo, ssl_record_tree, offset, |
| 1557 | | | record_length, conv_version, ssl, content_type); |
| 1558 | | | } |
| 1559 | | | break; |
| 1560 | | | } |
| 1561 | | | case SSL_ID_APP_DATA: |
| 1562 | | | if (ssl){ |
Event 36:
Skipping " if". ssl evaluates to false.
|
|
| 1563 | | | decrypt_ssl3_record(tvb, pinfo, offset, |
| 1564 | | | record_length, content_type, ssl, TRUE); |
| 1565 | | | |
| 1566 | | | |
| 1567 | | | |
| 1568 | | | |
| 1569 | | | } |
| 1570 | | | |
| 1571 | | | |
| 1572 | [+] | | if (check_col(pinfo->cinfo, COL_INFO)) |
 |
| 1573 | | | col_append_str(pinfo->cinfo, COL_INFO, "Application Data"); |
| 1574 | | | |
| 1575 | | | |
| 1576 | | | |
| 1577 | | | |
| 1578 | | | association = ssl_association_find(ssl_associations, pinfo->srcport, pinfo->ptype == PT_TCP); |
Event 40:
pinfo->ptype == PT_TCP evaluates to true.
|
|
| 1579 | | | association = association ? association: ssl_association_find(ssl_associations, pinfo->destport, pinfo->ptype == PT_TCP); |
Event 41:
association evaluates to true.
|
|
| 1580 | | | |
| 1581 | | | proto_item_set_text(ssl_record_tree, |
| 1582 | | | "%s Record Layer: %s Protocol: %s", |
| 1583 | | | ssl_version_short_names[*conv_version], |
Buffer Overrun
This code reads past the end of ssl_version_short_names.
- The first byte read is at offset 4 * *conv_version from the start of ssl_version_short_names, whose capacity is 28 bytes (seven 4-byte entries).
- With *conv_version equal to 7 (see event 13), 4 * *conv_version equals 28, so the read starts exactly at the end of the array — one element past the last valid index.
- The offset is outside the capacity.
- The overrun occurs in global memory.
The issue can occur if the highlighted code executes. See related event 13. The same index expression, ssl_version_short_names[*conv_version], also appears at listing lines 1329, 1402 and 1498 of this function; the report traces only the path reaching line 1583.
|
| 1584 | | | val_to_str(content_type, ssl_31_content_type, "unknown"), |
| 1585 | | | association?association->info:"Application Data"); |
Event 42:
association evaluates to true.
|
|