(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-dpnss.c) |
| 1073 | | | dissect_dpnss_sup_info_str(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, gint offset) |
| 1074 | | | { |
| 1075 | | | proto_item *sup_str_item; |
| 1076 | | | proto_tree *sup_str_tree; |
| 1077 | | | gint start_offset, hash_offset, tvb_end_offset, sup_inf_str_end_offset, str_no; |
| 1078 | | | gint par_start_offset, par_end_offset, number_of_found_par; |
| 1079 | | | gint sup_inf_str_len, par_type_num; |
| 1080 | | | guint sup_str_num; |
| 1081 | | | guint8 octet; |
| 1082 | | | gboolean last_string = FALSE; |
| 1083 | | | gboolean has_par; |
| 1084 | | | |
| 1085 | | | tvb_end_offset = tvb_length(tvb); |
| 1086 | | | |
| 1087 | | | str_no = 1; |
| 1088 | | | while((offset<tvb_end_offset)&&(last_string == FALSE)){ |
Event 1:
Entering loop body. - offset < tvb_end_offset evaluates to true.
- last_string == 0 evaluates to true.
| 1089 | [+] | | octet = tvb_get_guint8(tvb,offset); |
| 1090 | | | if (octet == '*'){ |
Event 8:
Taking the true branch: octet == 42 (i.e. octet == '*') evaluates to true.
| 1091 | | | |
| 1092 | | | start_offset = offset; |
| 1093 | | | has_par = TRUE; |
Event 9:
TRUE, which expands to !0 here, evaluates to true.
| 1094 | | | number_of_found_par = 0; |
| 1095 | | | |
| 1096 | | | offset++; |
| 1097 | | | hash_offset = tvb_find_guint8(tvb, offset, -1, '#'); |
| 1098 | | | sup_str_item = proto_tree_add_text(tree, tvb, start_offset, hash_offset-start_offset+1, "Supplementary Information %u: %s",str_no,tvb_format_text(tvb,start_offset,hash_offset-start_offset+1)); |
| 1099 | | | sup_str_tree = proto_item_add_subtree(sup_str_item, ett_dpnss_sup_str); |
| 1100 | | | |
| 1101 | | | |
| 1102 | | | |
| 1103 | | | |
| 1104 | [+] | | sup_inf_str_end_offset = tvb_find_guint8(tvb, offset, hash_offset-offset, '*'); |
| 1105 | | | if(sup_inf_str_end_offset==-1){ |
Event 13:
Skipping the "if" body: sup_inf_str_end_offset == -1 evaluates to false.
| 1106 | | | |
| 1107 | | | has_par = FALSE; |
| 1108 | | | sup_inf_str_end_offset = hash_offset; |
| 1109 | | | } |
| 1110 | | | sup_inf_str_len = sup_inf_str_end_offset - offset; |
| 1111 | | | sup_str_num = atoi(tvb_format_text(tvb, offset, sup_inf_str_len)); |
Event 14:
atoi() returns a potentially dangerous value [potentially dangerous: the value cannot be determined and may come from program input]. This value determines the potentially dangerous position that will be accessed later.
Event 15:
sup_str_num is set to atoi(...). See related event 14.
| 1112 | | | if((sup_str_num != 0) && (sup_str_num < array_length(dpnns_sup_serv_set))){ |
| 1113 | | | proto_tree_add_text(sup_str_tree, tvb,offset,sup_inf_str_len,"Sup str:%s ",dpnns_sup_serv_set[sup_str_num].compact_name); |
| 1114 | | | offset = sup_inf_str_end_offset+1; |
| 1115 | | | |
| 1116 | | | while(has_par){ |
Event 18:
Continuing from loop body. Entering loop body. has_par evaluates to true.
| 1117 | | | number_of_found_par++; |
| 1118 | | | |
| 1119 | | | par_start_offset = offset; |
| 1120 | [+] | | par_end_offset = tvb_find_guint8(tvb, offset, -1, '*'); |
| 1121 | | | if(par_end_offset == -1){ |
Event 22:
Skipping the "if" body: par_end_offset == -1 evaluates to false.
| 1122 | | | |
| 1123 | | | par_end_offset = hash_offset; |
| 1124 | | | has_par = FALSE; |
| 1125 | | | } |
| 1126 | | | switch(number_of_found_par){ |
Event 23:
number_of_found_par evaluates to 4.
| 1127 | | | case 1: |
| 1128 | | | par_type_num = dpnns_sup_serv_set[sup_str_num].par1_num; |
| 1129 | | | dissect_dpnns_sup_str_par(tvb,sup_str_tree, par_type_num, par_start_offset, par_end_offset); |
| 1130 | | | break; |
| 1131 | | | case 2: |
| 1132 | | | par_type_num = dpnns_sup_serv_set[sup_str_num].par2_num; |
| 1133 | | | dissect_dpnns_sup_str_par(tvb,sup_str_tree, par_type_num, par_start_offset, par_end_offset); |
| 1134 | | | break; |
| 1135 | | | case 3: |
| 1136 | | | par_type_num = dpnns_sup_serv_set[sup_str_num].par3_num; |
| 1137 | | | dissect_dpnns_sup_str_par(tvb,sup_str_tree, par_type_num, par_start_offset, par_end_offset); |
| 1138 | | | break; |
| 1139 | | | case 4: |
| 1140 | | | par_type_num = dpnns_sup_serv_set[sup_str_num].par4_num; |
Buffer Underrun
This code could read before the beginning of the buffer dpnns_sup_serv_set. - The first potentially underrun byte is at offset 28 * sup_str_num + 24 from the beginning of the object. See related event 15.
- 28 * sup_str_num + 24 evaluates to 28 * atoi(...) + 24 from packet-dpnss.c:1111, which is bounded above by 7136.
- If 28 * sup_str_num + 24 is negative, an underrun will occur. The analysis cannot rule out the possibility of 28 * sup_str_num + 24 taking on one or more of these dangerous values, so it has issued this warning. (Note for the reviewer: sup_str_num is declared guint at line 1080, so a negative atoi() result is converted to a large unsigned value, and the check sup_str_num < array_length(dpnns_sup_serv_set) at line 1112 should reject it before the array is indexed; the warning therefore appears to depend on the analyzer modelling the index as signed — confirm the comparison is indeed performed unsigned before dismissing it.)
- The underrun occurs in static memory.
The issue can occur if the highlighted code executes. See related event 15.
| 1141 | | | dissect_dpnns_sup_str_par(tvb,sup_str_tree, par_type_num, par_start_offset, par_end_offset); |
| 1142 | | | break; |
| 1143 | | | default: |
| 1144 | | | break; |
| 1145 | | | } |
| 1146 | | | |
| 1147 | | | offset = par_end_offset+1; |