(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ber.c) |
| |
| 2238 | | | int dissect_ber_old_set(gboolean implicit_tag,asn1_ctx_t *actx, proto_tree *parent_tree, tvbuff_t *tvb, int offset, const ber_old_sequence_t *set, gint hf_id, gint ett_id) { |
| 2239 | | | gint8 classx; |
| 2240 | | | gboolean pcx, ind = 0, ind_field; |
| 2241 | | | gint32 tagx; |
| 2242 | | | guint32 lenx; |
| 2243 | | | proto_tree *tree = parent_tree; |
| 2244 | | | proto_item *item = NULL; |
| 2245 | | | proto_item *cause; |
| 2246 | | | int end_offset, s_offset; |
| 2247 | | | int hoffset; |
| 2248 | | | gint length_remaining; |
| 2249 | | | tvbuff_t *next_tvb; |
| 2250 | | | const ber_old_sequence_t *cset = NULL; |
| 2251 | | | # define MAX_SET_ELEMENTS 32 |
| 2252 | | | guint32 mandatory_fields = 0; |
| 2253 | | | guint8 set_idx; |
| 2254 | | | gboolean first_pass; |
| 2255 | | | s_offset = offset; |
| 2256 | | | #ifdef DEBUG_BER |
| 2257 | | | { |
| 2258 | | | const char *name; |
| 2259 | | | *hfinfo; |
| 2260 | | | if(hf_id>=0){ |
| 2261 | | | hfinfo = proto_registrar_get_nth(hf_id); |
| 2262 | | | name=hfinfo->name; |
| 2263 | | | } else { |
| 2264 | | | name="unnamed"; |
| 2265 | | | } |
| 2266 | | | if(tvb_length_remaining(tvb,offset)>3){ |
| 2267 | | | printf("SET dissect_old_ber_set(%s) entered offset:%d len:%d %02x:%02x:%02x\n",name,offset,tvb_length_remaining(tvb,offset),tvb_get_guint8(tvb,offset),tvb_get_guint8(tvb,offset+1),tvb_get_guint8(tvb,offset+2)); |
| 2268 | | | }else{ |
| 2269 | | | printf("SET dissect_old_ber_set(%s) entered\n",name); |
| 2270 | | | } |
| 2271 | | | } |
| 2272 | | | #endif |
| 2273 | | | |
| 2274 | | | if(!implicit_tag){ |
Event 1:
Taking false branch. implicit_tag evaluates to true.
|
|
| 2275 | | | hoffset = offset; |
| 2276 | | | |
| 2277 | | | offset = dissect_ber_identifier(actx->pinfo, tree, tvb, offset, &classx, &pcx, &tagx); |
| 2278 | | | offset = dissect_ber_length(actx->pinfo, tree, tvb, offset, &lenx, &ind); |
| 2279 | | | if(ind){ |
| 2280 | | | |
| 2281 | | | |
| 2282 | | | end_offset = offset + lenx -2; |
| 2283 | | | } else { |
| 2284 | | | end_offset = offset + lenx; |
| 2285 | | | } |
| 2286 | | | |
| 2287 | | | |
| 2288 | | | if ((classx!=BER_CLASS_APP)&&(classx!=BER_CLASS_PRI)) |
| 2289 | | | if ((!pcx) |
| 2290 | | | ||(!implicit_tag&&((classx!=BER_CLASS_UNI) |
| 2291 | | | ||(tagx!=BER_UNI_TAG_SET)))) { |
| 2292 | | | tvb_ensure_bytes_exist(tvb, hoffset, 2); |
| 2293 | | | cause = proto_tree_add_text(tree, tvb, offset, lenx, "BER Error: SET expected but class:%s(%d) %s tag:%d was found", val_to_str(classx,ber_class_codes,"Unknown"), classx, pcx ? ber_pc_codes_short.true_string : ber_pc_codes_short.false_string, tagx); |
| 2294 | | | proto_item_set_expert_flags(cause, PI_MALFORMED, PI_WARN); |
| 2295 | | | expert_add_info_format(actx->pinfo, cause, PI_MALFORMED, PI_WARN, "BER Error: SET expected"); |
| 2296 | | | if (decode_unexpected) { |
| 2297 | | | proto_tree *unknown_tree = proto_item_add_subtree(cause, ett_ber_unknown); |
| 2298 | | | dissect_unknown_ber(actx->pinfo, tvb, hoffset, unknown_tree); |
| 2299 | | | } |
| 2300 | | | return end_offset; |
| 2301 | | | } |
| 2302 | | | } else { |
| 2303 | | | |
| 2304 | | | lenx=tvb_length_remaining(tvb,offset); |
| 2305 | | | end_offset=offset+lenx; |
| 2306 | | | } |
| 2307 | | | |
| 2308 | | | |
| 2309 | | | if (hf_id >= 0) { |
Event 2:
Taking true branch. hf_id >= 0 evaluates to true.
hide
|
|
| 2310 | | | if(parent_tree){ |
Event 3:
Skipping " if". parent_tree evaluates to false.
|
|
| 2311 | | | item = proto_tree_add_item(parent_tree, hf_id, tvb, offset, lenx, FALSE); |
| 2312 | | | tree = proto_item_add_subtree(item, ett_id); |
| 2313 | | | } |
| 2314 | | | } |
| 2315 | | | |
| 2316 | | | |
| 2317 | | | |
| 2318 | | | for(set_idx = 0; (cset=&set[set_idx])->func && (set_idx < MAX_SET_ELEMENTS); set_idx++) { |
Event 4:
set_idx is set to 0.
Event 5:
cset is set to set. See related event 4.
Event 6:
Leaving loop. (cset = &set[set_idx])->func evaluates to false.
Event 7:
Considering the case where cset->func is equal to 0, so set->func must have been equal to 0. See related event 5.
|
|
| 2319 | | | |
| 2320 | | | if(!(cset->flags & BER_FLAGS_OPTIONAL)) |
| 2321 | | | mandatory_fields |= 1 << set_idx; |
| 2322 | | | |
| 2323 | | | } |
| 2324 | | | |
| 2325 | | | |
| 2326 | | | while (offset < end_offset){ |
Event 8:
Entering loop body. offset < end_offset evaluates to true.
|
|
| 2327 | | | gint8 class; |
| 2328 | | | gboolean pc; |
| 2329 | | | gint32 tag; |
| 2330 | | | guint32 len; |
| 2331 | | | int eoffset, count; |
| 2332 | | | |
| 2333 | | | |
| 2334 | | | |
| 2335 | | | |
| 2336 | [+] | | if((tvb_get_guint8(tvb, offset)==0)&&(tvb_get_guint8(tvb, offset+1)==0)){ |
Event 9:
Skipping " if". tvb_get_guint8(...) == 0 evaluates to true.
|
|
 |
| 2337 | | | if(show_internal_ber_fields){ |
| 2338 | | | proto_tree_add_text(tree, tvb, s_offset, offset+2, "SEQ EOC"); |
| 2339 | | | } |
| 2340 | | | return end_offset; |
| 2341 | | | } |
| 2342 | | | |
| 2343 | | | hoffset = offset; |
| 2344 | | | |
| 2345 | | | offset = get_ber_identifier(tvb, offset, &class, &pc, &tag); |
| 2346 | | | offset = get_ber_length(tvb, offset, &len, &ind_field); |
| 2347 | | | eoffset = offset + len; |
| 2348 | | | |
| 2349 | | | |
| 2350 | | | |
| 2351 | | | |
| 2352 | | | |
| 2353 | | | |
| 2354 | | | |
| 2355 | | | |
| 2356 | | | for(first_pass=TRUE, cset = set, set_idx = 0; cset->func || first_pass; cset++, set_idx++) { |
Event 15:
Entering loop body. !0 evaluates to true.
|
|
| 2357 | | | |
| 2358 | | | |
| 2359 | | | if(!cset->func) { |
Event 18:
Taking true branch. cset->func evaluates to false.
|
|
| 2360 | | | first_pass = FALSE; |
| 2361 | | | |
| 2362 | | | cset=set; |
Event 19:
cset is set to set; it is dereferenced later, causing the null pointer dereference.
|
|
| 2363 | | | set_idx = 0; |
| 2364 | | | } |
| 2365 | | | |
| 2366 | | | if((first_pass && ((cset->class==class) && (cset->tag==tag))) || |
| 2367 | | | (!first_pass && ((cset->class== BER_CLASS_ANY) && (cset->tag == -1))) ) |
| 2368 | | | { |
| 2369 | | | |
| 2370 | | | if (!(cset->flags & BER_FLAGS_NOOWNTAG) ) { |
Event 21:
Taking false branch. cset->flags & 4 evaluates to true.
|
|
| 2371 | | | |
| 2372 | | | hoffset = dissect_ber_identifier(actx->pinfo, tree, tvb, hoffset, NULL, NULL, NULL); |
| 2373 | | | hoffset = dissect_ber_length(actx->pinfo, tree, tvb, hoffset, NULL, NULL); |
| 2374 | | | length_remaining=tvb_length_remaining(tvb, hoffset); |
| 2375 | | | if (length_remaining>eoffset-hoffset-(2*ind_field)) |
| 2376 | | | length_remaining=eoffset-hoffset-(2*ind_field); |
| 2377 | | | next_tvb = tvb_new_subset(tvb, hoffset, length_remaining, eoffset-hoffset-(2*ind_field)); |
| 2378 | | | } |
| 2379 | | | else { |
| 2380 | | | length_remaining=tvb_length_remaining(tvb, hoffset); |
| 2381 | | | if (length_remaining>eoffset-hoffset) |
Event 22:
Taking true branch. length_remaining > eoffset - hoffset evaluates to true.
|
|
| 2382 | | | length_remaining=eoffset-hoffset; |
| 2383 | [+] | | next_tvb = tvb_new_subset(tvb, hoffset, length_remaining, eoffset-hoffset); |
 |
| 2384 | | | } |
| 2385 | | | |
| 2386 | | | |
| 2387 | | | |
| 2388 | | | |
| 2389 | | | |
| 2390 | | | |
| 2391 | | | |
| 2392 | | | |
| 2393 | | | |
| 2394 2404 |  | | [ Lines 2394 to 2404 omitted. ] |
| 2405 | | | } else { |
| 2406 | | | name="unnamed"; |
| 2407 | | | } |
| 2408 | | | if(tvb_length_remaining(next_tvb,0)>3){ |
| 2409 | | | printf("SET dissect_old_ber_set(%s) calling subdissector offset:%d len:%d %02x:%02x:%02x\n",name,offset,tvb_length_remaining(next_tvb,0),tvb_get_guint8(next_tvb,0),tvb_get_guint8(next_tvb,1),tvb_get_guint8(next_tvb,2)); |
| 2410 | | | }else{ |
| 2411 | | | printf("SET dissect_old_ber_set(%s) calling subdissector\n",name); |
| 2412 | | | } |
| 2413 | | | } |
| 2414 | | | #endif |
| 2415 | | | if (next_tvb == NULL) { |
Event 25:
Skipping " if". next_tvb == (void *)0 evaluates to false.
|
|
| 2416 | | | |
| 2417 | | | THROW(ReportedBoundsError);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/exceptions.h |
| |
223 | #define THROW(x) \ |
224 | except_throw(XCEPT_GROUP_WIRESHARK, (x), NULL) |
| |
|
| 2418 | | | } |
| 2419 | | | count=cset->func(tree, next_tvb, 0, actx); |
Null Pointer Dereference
cset->func is dereferenced here, but it is NULL: cset->func evaluates to set->func, which must be equal to 0.
The issue can occur if the highlighted code executes. See related events 7 and 19. |
|
| 2420 | | | |
| 2421 | | | |
| 2422 | | | |
| 2423 | | | if(count || (first_pass && (len == 0 || (ind_field == 1 && len == 2)))) { |
| |