(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-isakmp.c) |
| |
| 990 | | | dissect_isakmp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) |
| 991 | | | { |
| 992 | | | int offset = 0, len; |
| 993 | | | isakmp_hdr_t hdr; |
| 994 | | | proto_item * ti; |
| 995 | | | proto_tree * isakmp_tree = NULL; |
| 996 | | | int isakmp_version; |
| 997 | | | #ifdef HAVE_LIBGCRYPT |
| 998 | | | guint8 i_cookie[COOKIE_SIZE], *ic_key; |
| 999 | | | decrypt_data_t *decr = NULL; |
| 1000 | | | tvbuff_t *decr_tvb; |
| 1001 | | | proto_tree *decr_tree; |
| 1002 | | | address null_addr; |
| 1003 | | | void *pd_save; |
| 1004 | | | gboolean pd_changed = FALSE; |
| 1005 | | | #endif |
| 1006 | | | |
| 1007 | | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) |
Event 1:
Skipping " if". check_col(...) evaluates to false.
| 1008 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, "ISAKMP"); |
| 1009 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
Event 2:
Skipping " if". check_col(...) evaluates to false.
| 1010 | | | col_clear(pinfo->cinfo, COL_INFO); |
| 1011 | | | |
| 1012 | | | if (tree) { |
Event 3:
Taking true branch. tree evaluates to true.
| 1013 | | | ti = proto_tree_add_item(tree, proto_isakmp, tvb, offset, -1, FALSE); |
| 1014 | | | isakmp_tree = proto_item_add_subtree(ti, ett_isakmp); |
| 1015 | | | } |
| 1016 | | | |
| 1017 | | | |
| 1018 | | | |
| 1019 | | | |
| 1020 | | | if( (tvb_length(tvb)==1) && (tvb_get_guint8(tvb, offset)==0xff) ){ |
Event 4:
Skipping " if". tvb_length(tvb) == 1 evaluates to false.
| 1021 | | | if (check_col(pinfo->cinfo, COL_INFO)){ |
| 1022 | | | col_set_str(pinfo->cinfo, COL_INFO, "NAT Keepalive"); |
| 1023 | | | } |
| 1024 | | | proto_tree_add_item(isakmp_tree, hf_isakmp_nat_keepalive, tvb, offset, 1, FALSE); |
| 1025 | | | return; |
| 1026 | | | } |
| 1027 | | | |
| 1028 | | | hdr.length = tvb_get_ntohl(tvb, offset + ISAKMP_HDR_SIZE - sizeof(hdr.length)); |
| 1029 | | | hdr.exch_type = tvb_get_guint8(tvb, COOKIE_SIZE + COOKIE_SIZE + sizeof(hdr.next_payload) + sizeof(hdr.version)); |
| 1030 | | | hdr.version = tvb_get_guint8(tvb, COOKIE_SIZE + COOKIE_SIZE + sizeof(hdr.next_payload)); |
| 1031 | | | isakmp_version = hi_nibble(hdr.version); |
| 1032 | | | hdr.flags = tvb_get_guint8(tvb, COOKIE_SIZE + COOKIE_SIZE + sizeof(hdr.next_payload) + sizeof(hdr.version) + sizeof(hdr.exch_type)); |
| 1033 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
Event 5:
Skipping " if". check_col(...) evaluates to false.
| 1034 | | | col_add_str(pinfo->cinfo, COL_INFO, |
| 1035 | | | exchtype2str(isakmp_version, hdr.exch_type)); |
| 1036 | | | |
| 1037 | | | #ifdef HAVE_LIBGCRYPT |
| 1038 | | | if (isakmp_version == 1) { |
Event 6:
Taking true branch. isakmp_version == 1 evaluates to true.
| 1039 | | | SET_ADDRESS(&null_addr, AT_NONE, 0, NULL);
/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
66 | #define SET_ADDRESS(addr, addr_type, addr_len, addr_data) { \ |
67 | (addr)->type = (addr_type); \ |
68 | (addr)->len = (addr_len); \ |
69 | (addr)->data = (addr_data); \ |
70 | } |
| |
|
| 1040 | | | |
| 1041 | | | tvb_memcpy(tvb, i_cookie, offset, COOKIE_SIZE); |
| 1042 | | | decr = (decrypt_data_t*) g_hash_table_lookup(isakmp_hash, i_cookie); |
| 1043 | | | |
| 1044 | | | if (! decr) { |
Event 8:
Skipping " if". decr evaluates to true.
| 1045 | | | ic_key = g_mem_chunk_alloc(isakmp_key_data); |
| 1046 | | | memcpy(ic_key, i_cookie, COOKIE_SIZE); |
| 1047 | | | decr = g_mem_chunk_alloc(isakmp_decrypt_data); |
| 1048 | | | memset(decr, 0, sizeof(decrypt_data_t)); |
| 1049 | | | SET_ADDRESS(&decr->initiator, AT_NONE, 0, NULL);
/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
66 | #define SET_ADDRESS(addr, addr_type, addr_len, addr_data) { \ |
67 | (addr)->type = (addr_type); \ |
68 | (addr)->len = (addr_len); \ |
69 | (addr)->data = (addr_data); \ |
70 | } |
| |
|
| 1050 | | | |
| 1051 | | | g_hash_table_insert(isakmp_hash, ic_key, decr); |
| 1052 | | | } |
| 1053 | | | |
| 1054 | | | if (ADDRESSES_EQUAL(&decr->initiator, &null_addr)) {
/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
92 | #define ADDRESSES_EQUAL(addr1, addr2) \ |
93 | ( \ |
94 | (addr1)->type == (addr2)->type && \ |
95 | ( \ |
96 | (addr1)->type == AT_NONE || \ |
97 | ( \ |
98 | (addr1)->len == (addr2)->len && \ |
99 | memcmp((addr1)->data, (addr2)->data, (addr1)->len) == 0 \ |
100 | ) \ |
101 | ) \ |
102 | ) |
| |
|
| 1055 | | | |
| 1056 | | | |
| 1057 | | | SE_COPY_ADDRESS(&decr->initiator, &pinfo->src);
/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
116 | #define SE_COPY_ADDRESS(to, from) { \ |
117 | guint8 *SE_COPY_ADDRESS_data; \ |
118 | (to)->type = (from)->type; \ |
119 | (to)->len = (from)->len; \ |
120 | SE_COPY_ADDRESS_data = se_alloc((from)->len); \ |
121 | memcpy(SE_COPY_ADDRESS_data, (from)->data, (from)->len); \ |
122 | (to)->data = SE_COPY_ADDRESS_data; \ |
123 | } |
| |
|
| 1058 | | | } |
| 1059 | | | |
| 1060 | | | pd_save = pinfo->private_data; |
| 1061 | | | pinfo->private_data = decr; |
| 1062 | | | pd_changed = TRUE; |
Event 11:
!0 evaluates to true.
| 1063 | | | } else if (isakmp_version == 2) { |
| 1064 | | | ikev2_uat_data_key_t hash_key; |
| 1065 | | | ikev2_uat_data_t *ike_sa_data = NULL; |
| 1066 | | | ikev2_decrypt_data_t *ikev2_dec_data; |
| 1067 | | | guchar spii[COOKIE_SIZE], spir[COOKIE_SIZE]; |
| 1068 | | | |
| 1069 | | | tvb_memcpy(tvb, spii, offset, COOKIE_SIZE); |
| 1070 | | | tvb_memcpy(tvb, spir, offset + COOKIE_SIZE, COOKIE_SIZE); |
| 1071 | | | hash_key.spii = spii; |
| 1072 | | | hash_key.spir = spir; |
| 1073 | | | hash_key.spii_len = COOKIE_SIZE; |
| 1074 | | | hash_key.spir_len = COOKIE_SIZE; |
| 1075 | | | |
| 1076 | | | ike_sa_data = g_hash_table_lookup(ikev2_key_hash, &hash_key); |
| 1077 | | | if (ike_sa_data) { |
| 1078 | | | guint8 initiator_flag; |
| 1079 | | | initiator_flag = hdr.flags & I_FLAG; |
| 1080 | | | ikev2_dec_data = ep_alloc(sizeof(ikev2_decrypt_data_t)); |
| 1081 | | | ikev2_dec_data->encr_key = initiator_flag ? ike_sa_data->sk_ei : ike_sa_data->sk_er; |
| 1082 | | | ikev2_dec_data->auth_key = initiator_flag ? ike_sa_data->sk_ai : ike_sa_data->sk_ar; |
| 1083 | | | ikev2_dec_data->encr_spec = ike_sa_data->encr_spec; |
| 1084 | | | ikev2_dec_data->auth_spec = ike_sa_data->auth_spec; |
| 1085 | | | |
| 1086 | | | pd_save = pinfo->private_data; |
| 1087 | | | pinfo->private_data = ikev2_dec_data; |
| 1088 | | | pd_changed = TRUE; |
| 1089 | | | } |
| 1090 | | | } |
| 1091 | | | #endif |
| 1092 | | | |
| 1093 | | | if (tree) { |
Event 12:
Taking true branch. tree evaluates to true.
| 1094 | | | proto_tree_add_item(isakmp_tree, hf_isakmp_icookie, tvb, offset, COOKIE_SIZE, FALSE); |
| 1095 | | | offset += COOKIE_SIZE; |
| 1096 | | | |
| 1097 | | | proto_tree_add_item(isakmp_tree, hf_isakmp_rcookie, tvb, offset, COOKIE_SIZE, FALSE); |
| 1098 | | | offset += COOKIE_SIZE; |
| 1099 | | | |
| 1100 | | | hdr.next_payload = tvb_get_guint8(tvb, offset); |
| 1101 | | | proto_tree_add_uint_format(isakmp_tree, hf_isakmp_nextpayload, tvb, offset, |
| 1102 | | | sizeof(hdr.next_payload), hdr.next_payload, |
| 1103 | | | "Next payload: %s (%u)", |
| 1104 | | | payloadtype2str(isakmp_version, hdr.next_payload), |
| 1105 | | | hdr.next_payload); |
| 1106 | | | offset += sizeof(hdr.next_payload); |
| 1107 | | | |
| 1108 | | | proto_tree_add_uint_format(isakmp_tree, hf_isakmp_version, tvb, offset, |
| 1109 | | | sizeof(hdr.version), hdr.version, "Version: %u.%u", |
| 1110 | | | hi_nibble(hdr.version), lo_nibble(hdr.version)); |
| 1111 | | | offset += sizeof(hdr.version); |
| 1112 | | | |
| 1113 | | | hdr.exch_type = tvb_get_guint8(tvb, offset); |
| 1114 | | | proto_tree_add_uint_format(isakmp_tree, hf_isakmp_exchangetype, tvb, offset, |
| 1115 | | | sizeof(hdr.exch_type), hdr.exch_type, |
| 1116 | | | "Exchange type: %s (%u)", |
| 1117 | | | exchtype2str(isakmp_version, hdr.exch_type), |
| 1118 | | | hdr.exch_type); |
| 1119 | | | offset += sizeof(hdr.exch_type); |
| 1120 | | | |
| 1121 | | | { |
| 1122 | | | proto_item * fti; |
| 1123 | | | proto_tree * ftree; |
| 1124 | | | |
| 1125 | | | fti = proto_tree_add_item(isakmp_tree, hf_isakmp_flags, tvb, offset, sizeof(hdr.flags), FALSE); |
| 1126 | | | ftree = proto_item_add_subtree(fti, ett_isakmp_flags); |
| 1127 | | | |
| 1128 | | | if (isakmp_version == 1) { |
Event 13:
Taking true branch. isakmp_version == 1 evaluates to true.
| 1129 | | | proto_tree_add_text(ftree, tvb, offset, 1, "%s", |
| 1130 | | | decode_boolean_bitfield(hdr.flags, E_FLAG, sizeof(hdr.flags)*8, |
| 1131 | | | "Encrypted", "Not encrypted")); |
| 1132 | | | proto_tree_add_text(ftree, tvb, offset, 1, "%s", |
| 1133 | | | decode_boolean_bitfield(hdr.flags, C_FLAG, sizeof(hdr.flags)*8, |
| 1134 | | | "Commit", "No commit")); |
| 1135 | | | proto_tree_add_text(ftree, tvb, offset, 1, "%s", |
| 1136 | | | decode_boolean_bitfield(hdr.flags, A_FLAG, sizeof(hdr.flags)*8, |
| 1137 | | | "Authentication", "No authentication")); |
| 1138 | | | } else if (isakmp_version == 2) { |
| 1139 | | | proto_tree_add_text(ftree, tvb, offset, 1, "%s", |
| 1140 | | | decode_boolean_bitfield(hdr.flags, I_FLAG, sizeof(hdr.flags)*8, |
| 1141 | | | "Initiator", "Responder")); |
| 1142 | | | proto_tree_add_text(ftree, tvb, offset, 1, "%s", |
| 1143 | | | decode_boolean_bitfield(hdr.flags, V_FLAG, sizeof(hdr.flags)*8, |
| 1144 | | | "A higher version enabled", "")); |
| 1145 | | | proto_tree_add_text(ftree, tvb, offset, 1, "%s", |
| 1146 | | | decode_boolean_bitfield(hdr.flags, R_FLAG, sizeof(hdr.flags)*8, |
| 1147 | | | "Response", "Request")); |
| 1148 | | | } |
| 1149 | | | offset += sizeof(hdr.flags); |
| 1150 | | | } |
| 1151 | | | |
| 1152 | | | hdr.message_id = tvb_get_ntohl(tvb, offset); |
| 1153 | | | proto_tree_add_item(isakmp_tree, hf_isakmp_messageid, tvb, offset, sizeof(hdr.message_id), FALSE); |
| 1154 | | | offset += sizeof(hdr.message_id); |
| 1155 | | | |
| 1156 | | | if (hdr.length < ISAKMP_HDR_SIZE) { |
Event 14:
Skipping " if". hdr.length < sizeof( struct isakmp_hdr ) + 2 * 8 evaluates to false.
| 1157 | | | proto_tree_add_uint_format(isakmp_tree, hf_isakmp_length, tvb, offset, sizeof(hdr.length), |
| 1158 | | | hdr.length, "Length: (bogus, length is %u, should be at least %lu)", |
| 1159 | | | hdr.length, (unsigned long)ISAKMP_HDR_SIZE); |
| 1160 | | | #ifdef HAVE_LIBGCRYPT |
| 1161 | | | if (pd_changed) pinfo->private_data = pd_save; |
| 1162 | | | #endif |
| 1163 | | | return; |
| 1164 | | | } |
| 1165 | | | |
| 1166 | | | len = hdr.length - ISAKMP_HDR_SIZE; |
| 1167 | | | |
| 1168 | | | if (len < 0) { |
Event 15:
Skipping " if". len < 0 evaluates to false.
| 1169 | | | proto_tree_add_uint_format(isakmp_tree, hf_isakmp_length, tvb, offset, sizeof(hdr.length), |
| 1170 | | | hdr.length, "Length: (bogus, length is %u, which is too large)", |
| 1171 | | | hdr.length); |
| 1172 | | | #ifdef HAVE_LIBGCRYPT |
| 1173 | | | if (pd_changed) pinfo->private_data = pd_save; |
| 1174 | | | #endif |
| 1175 | | | return; |
| 1176 | | | } |
| 1177 | | | |
| 1178 | | | proto_tree_add_item(isakmp_tree, hf_isakmp_length, tvb, offset, sizeof(hdr.length), FALSE); |
| 1179 | | | offset += sizeof(hdr.length); |
| 1180 | | | |
| 1181 | | | if (hdr.flags & E_FLAG) { |
Event 16:
Taking true branch. hdr.flags & 1 evaluates to true.
| 1182 | | | if (len && isakmp_tree) { |
| 1183 | | | ti = proto_tree_add_text(isakmp_tree, tvb, offset, len, |
| 1184 | | | "Encrypted payload (%d byte%s)", |
| 1185 | | | len, plurality(len, "", "s")); |
Event 18:
len == 1 evaluates to true.
| 1186 | | | #ifdef HAVE_LIBGCRYPT |
| 1187 | | | |
| 1188 | | | if (decr) { |
Null Test After Dereference
This code tests the nullness of decr, which has already been dereferenced. If decr were null, there would have been a prior null-pointer dereference at packet-isakmp.c:1057, and potentially at other locations as well.
Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test. Note that the dereference at 1057 lies inside the isakmp_version == 1 branch (event 6), which has just looked up or allocated decr, whereas the test at 1188 is also reached from the isakmp_version == 2 branch, on which decr keeps its initial NULL value; on that path the test is required rather than redundant.
The issue can occur if the highlighted code executes. See related event 10.
|
| 1189 | | | decr_tvb = decrypt_payload(tvb, pinfo, tvb_get_ptr(tvb, offset, len), len, &hdr); |
| 1190 | | | if (decr_tvb) { |
| 1191 | | | decr_tree = proto_item_add_subtree(ti, ett_isakmp); |
| 1192 | | | dissect_payloads(decr_tvb, decr_tree, tree, isakmp_version, |
| 1193 | | | hdr.next_payload, 0, tvb_length(decr_tvb), pinfo); |
| 1194 | | | } |
| 1195 | | | } |
| 1196 | | | #endif |
| 1197 | | | } |
| 1198 | | | } else |
| 1199 | | | dissect_payloads(tvb, isakmp_tree, tree, isakmp_version, hdr.next_payload, |
| 1200 | | | offset, len, pinfo); |
| 1201 | | | } |
| 1202 | | | #ifdef HAVE_LIBGCRYPT |
| 1203 | | | if (pd_changed) pinfo->private_data = pd_save; |
| 1204 | | | #endif |
| 1205 | | | } |
| |