(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-bootp.c) |
| |
| 4004 | | | bootp_init_protocol(void) |
| 4005 | | | { |
| 4006 | | | gchar **optionstrings = NULL; |
| 4007 | | | gchar **optiondetail = NULL; |
| 4008 | | | gchar *type = NULL; |
| 4009 | | | guint i, ii; |
| 4010 | | | |
| 4011 | | | |
| 4012 | | | for(i=0; i<BOOTP_OPT_NUM; i++) |
Event 1:
The loop is executed one or more times.
hide
|
|
| 4013 | | | { |
| 4014 | | | bootp_opt[i].text = default_bootp_opt[i].text; |
| 4015 | | | bootp_opt[i].ftype = default_bootp_opt[i].ftype; |
| 4016 | | | bootp_opt[i].data = default_bootp_opt[i].data; |
| 4017 | | | } |
| 4018 | | | |
| 4019 | | | |
| 4020 | | | optionstrings = ep_strsplit(pref_optionstring, ";", -1); |
| 4021 | | | for (i=0;optionstrings[i]!=NULL;i++) |
Event 3:
Continuing from loop body. Entering loop body. optionstrings[i] != (void *)0 evaluates to true.
hide
|
|
| 4022 | | | { |
| 4023 | | | |
| 4024 | | | |
| 4025 | | | |
| 4026 | | | |
| 4027 | | | |
| 4028 | | | |
| 4029 | | | |
| 4030 | | | optiondetail = ep_strsplit(optionstrings[i], ",",-1); |
| 4031 | | | |
| 4032 | | | for(ii=0;(optiondetail[ii]!=NULL);ii++) |
| 4033 | | | { |
| 4034 | | | |
| 4035 | | | } |
| 4036 | | | if (ii < 3) continue; |
Event 5:
Skipping " if". ii < 3 evaluates to false.
hide
|
|
| 4037 | | | ii = atoi(optiondetail[0]); |
Event 6:
atoi() returns a potentially dangerous value [ ?potentially dangerous: the value cannot be determined and may come from program input]. - Determines the array index accessed during the type underrun later.
hide
Event 7:
ii is set to atoi(optiondetail[0]). See related event 6.
hide
|
|
| 4038 | | | if (ii==0 || ii>=BOOTP_OPT_NUM-1) continue; |
Event 8:
Skipping " if". - ii == 0 evaluates to false.
- ii >= 256 - 1 evaluates to false.
hide
|
|
| 4039 | | | if (bootp_opt[ii].ftype == special) continue; |
Type Underrun
The code could read outside bootp_opt. - The type of bootp_opt is struct opt_info[256].
- The index is ii. See related event 7.
- If ii is negative, an underrun will occur. The analysis cannot rule out the possibility of ii taking on one or more of these dangerous values, so has issued this warning.
The issue can occur if the highlighted code executes. See related event 7. Show: All events | Only primary events |
|
| 4040 | | | bootp_opt[ii].text = se_strdup(optiondetail[1]); |
| 4041 | | | type = optiondetail[2]; |
| 4042 | | | |
| 4043 | | | if (g_ascii_strcasecmp(type,"string") == 0) |
| 4044 | | | { |
| 4045 | | | bootp_opt[ii].ftype = string; |
| 4046 | | | } else if (g_ascii_strcasecmp(type,"ipv4") == 0) |
| 4047 | | | { |
| 4048 | | | bootp_opt[ii].ftype = ipv4; |
| 4049 | | | } else if (g_ascii_strcasecmp(type,"bytes") == 0) |
| 4050 | | | { |
| 4051 | | | bootp_opt[ii].ftype = bytes; |
| 4052 | | | } else |
| 4053 | | | { |
| 4054 | | | bootp_opt[ii].ftype = opaque; |
| |