(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-bthci_evt.c) |
| |
| 627 | | | dissect_bthci_evt_cod(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree) |
| 628 | | | { |
| 629 | | | guint8 cod1, cod2; |
| 630 | | | proto_item *item; |
| 631 | | | |
| 632 | | | item = proto_tree_add_item(tree, hf_bthci_evt_class_of_device, tvb, offset, 3, TRUE); |
Event 1:
!0 evaluates to true.
| 633 | | | |
| 634 | | | cod1 = tvb_get_guint8(tvb, offset+1); |
| 635 | | | cod2 = tvb_get_guint8(tvb, offset+2); |
| 636 | | | |
| 637 | | | if( (cod2 != 0) || (cod1 & 0x20) ) |
| 638 | | | { |
| 639 | | | char buf[128]; |
| 640 | | | |
| 641 | | | buf[0] = 0; |
Event 3:
The assignment buf[0] = 0 makes buf an empty string, so the length of the string pointed to by buf is 0. This determines the potentially dangerous position that will be accessed later.
| 642 | | | |
| 643 | | | proto_item_append_text(item, " (%s - services:", val_to_str(cod1 & 0x1f, bthci_cmd_major_dev_class_vals, "???")); |
| 644 | | | if (cod2 & 0x80) g_strlcat(buf, " Information,", sizeof(buf)); |
Event 4:
Skipping " if". cod2 & 128 evaluates to false.
| 645 | | | if (cod2 & 0x40) g_strlcat(buf, " Telephony,", sizeof(buf)); |
Event 5:
Skipping " if". cod2 & 64 evaluates to false.
| 646 | | | if (cod2 & 0x20) g_strlcat(buf, " Audio,", sizeof(buf)); |
Event 6:
Skipping " if". cod2 & 32 evaluates to false.
| 647 | | | if (cod2 & 0x10) g_strlcat(buf, " Object transfer,", sizeof(buf)); |
Event 7:
Skipping " if". cod2 & 16 evaluates to false.
| 648 | | | if (cod2 & 0x08) g_strlcat(buf, " Capturing,", sizeof(buf)); |
Event 8:
Skipping " if". cod2 & 8 evaluates to false.
| 649 | | | if (cod2 & 0x04) g_strlcat(buf, " Rendering,", sizeof(buf)); |
Event 9:
Skipping " if". cod2 & 4 evaluates to false.
| 650 | | | if (cod2 & 0x02) g_strlcat(buf, " Networking,", sizeof(buf)); |
Event 10:
Skipping " if". cod2 & 2 evaluates to false.
| 651 | | | if (cod2 & 0x01) g_strlcat(buf, " Positioning,", sizeof(buf)); |
Event 11:
Skipping " if". cod2 & 1 evaluates to false.
| 652 | | | if (cod1 & 0x20) g_strlcat(buf, " Limited discoverable mode,", sizeof(buf)); |
Event 12:
Skipping " if". cod1 & 32 evaluates to false.
| 653 | | | |
| 654 | | | buf[strlen(buf)-1] = 0; |
Event 13:
buf is passed to __builtin_strlen().
Event 14:
__builtin_strlen() returns the length of the string pointed to by buf, which evaluates to 0. See related events 3 and 13.
Buffer Underrun
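This code writes before the beginning of the buffer buf.
- The first underrun byte is at offset strlen(buf) - 1 from the beginning of the object. See related event 14.
- strlen(buf) - 1 evaluates to -1. (strlen() returns an unsigned size_t, so 0 - 1 wraps around; used as an index it in practice addresses the byte just before buf[0].)
- The underrun occurs in stack memory.
The issue can occur if the highlighted code executes. See related event 14.
Note on feasibility: the reported path takes every test on lines 644-652 as false, which requires cod2 == 0 and (cod1 & 0x20) == 0. The guard on line 637 enters this block only when cod2 != 0 or (cod1 & 0x20) is set, and the nine tests together cover all eight bits of cod2 plus bit 0x20 of cod1. At least one g_strlcat() call therefore runs, so buf is non-empty when line 654 executes. On the lines shown this path looks infeasible, so the warning should be triaged as a likely false positive. An explicit length check before trimming the trailing comma would still make that invariant visible to readers and to analysis tools.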
|
| |