(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ntlmssp.c) |
| |
| 1444 | | | static tvbuff_t * |
| 1445 | | | dissect_ntlmssp_encrypted_payload(tvbuff_t *data_tvb, |
| 1446 | | | tvbuff_t *auth_tvb _U_, |
| 1447 | | | int offset, |
| 1448 | | | packet_info *pinfo, |
| 1449 | | | dcerpc_auth_info *auth_info _U_) |
| 1450 | | | { |
| 1451 | | | tvbuff_t *decr_tvb; |
| 1452 | | | guint8 *peer_block; |
| 1453 | | | conversation_t *conversation; |
| 1454 | | | guint32 encrypted_block_length; |
| 1455 | | | rc4_state_struct *rc4_state; |
| 1456 | | | rc4_state_struct *rc4_state_peer; |
| 1457 | | | ntlmssp_info *conv_ntlmssp_info = NULL; |
| 1458 | | | ntlmssp_packet_info *packet_ntlmssp_info = NULL; |
| 1459 | | | |
| 1460 | [+] | | encrypted_block_length = tvb_length_remaining (data_tvb, offset); |
 |
| 1461 | | | |
| 1462 | | | |
| 1463 | | | packet_ntlmssp_info = p_get_proto_data(pinfo->fd, proto_ntlmssp); |
| 1464 | | | if (packet_ntlmssp_info == NULL) { |
Event 6:
Taking true branch. packet_ntlmssp_info == (void *)0 evaluates to true.
|
|
| 1465 | | | |
| 1466 | | | packet_ntlmssp_info = se_alloc(sizeof(ntlmssp_packet_info)); |
| 1467 | | | memset(packet_ntlmssp_info, 0, sizeof(ntlmssp_packet_info)); |
| 1468 | | | p_add_proto_data(pinfo->fd, proto_ntlmssp, packet_ntlmssp_info); |
| 1469 | | | } |
| 1470 | | | |
| 1471 | | | if (!packet_ntlmssp_info->payload_decrypted) { |
Event 7:
Taking true branch. packet_ntlmssp_info->payload_decrypted evaluates to false.
|
|
| 1472 | | | |
| 1473 | | | conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, |
| 1474 | | | pinfo->ptype, pinfo->srcport, |
| 1475 | [+] | | pinfo->destport, 0); |
 |
| 1476 | | | if (conversation == NULL) { |
Event 15:
Skipping " if". conversation == (void *)0 evaluates to false.
|
|
| 1477 | | | |
| 1478 | | | return NULL; |
| 1479 | | | } |
| 1480 | | | |
| 1481 | | | conv_ntlmssp_info = conversation_get_proto_data(conversation, |
| 1482 | [+] | | proto_ntlmssp); |
 |
| 1483 | | | if (conv_ntlmssp_info == NULL) { |
Event 18:
Skipping " if". conv_ntlmssp_info == (void *)0 evaluates to false.
|
|
| 1484 | | | |
| 1485 | | | return NULL; |
| 1486 | | | } |
| 1487 | | | |
| 1488 | | | |
| 1489 | | | |
| 1490 | | | |
| 1491 | | | if (conv_ntlmssp_info->peer1_dest_port == pinfo->destport) { |
Event 19:
Taking false branch. conv_ntlmssp_info->peer1_dest_port == pinfo->destport evaluates to false.
|
|
| 1492 | | | rc4_state = get_encrypted_state(pinfo, 1); |
| 1493 | | | rc4_state_peer = get_encrypted_state(pinfo, 0); |
| 1494 | | | } else { |
| 1495 | [+] | | rc4_state = get_encrypted_state(pinfo, 0); |
 |
| 1496 | [+] | | rc4_state_peer = get_encrypted_state(pinfo, 1); |
 |
| 1497 | | | } |
| 1498 | | | |
| 1499 | | | if (rc4_state == NULL || rc4_state_peer == NULL) { |
Event 30:
Skipping " if": rc4_state == (void *)0 evaluates to false, and rc4_state_peer == (void *)0 evaluates to false.
|
|
| 1500 | | | |
| 1501 | | | return NULL; |
| 1502 | | | } |
| 1503 | | | |
| 1504 | | | |
| 1505 | | | |
| 1506 | | | packet_ntlmssp_info->decrypted_payload = tvb_memdup(data_tvb, offset, |
| 1507 | | | encrypted_block_length); |
| 1508 | | | decrypted_payloads = g_slist_prepend(decrypted_payloads, |
| 1509 | | | packet_ntlmssp_info->decrypted_payload); |
| 1510 | | | |
| 1511 | | | |
| 1512 | | | crypt_rc4(rc4_state, packet_ntlmssp_info->decrypted_payload, |
| 1513 | | | encrypted_block_length); |
| 1514 | | | |
| 1515 | | | |
| 1516 | | | |
| 1517 | | | peer_block = g_malloc(encrypted_block_length); |
| 1518 | | | memcpy(peer_block, packet_ntlmssp_info->decrypted_payload, |
Unreasonable Size Argument
The size argument to memcpy() has an unreasonable value: the size argument is encrypted_block_length, which evaluates to -1. A size argument is considered unreasonable if it is negative or very large.
The issue can occur if the highlighted code executes. See related event 33.
|
| 1519 | | | encrypted_block_length); |
Event 33:
encrypted_block_length, which evaluates to -1 (held in a guint32, so it is stored as a very large unsigned value), is passed to memcpy() as the third argument. See related event 5.
|
|
| |