(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-memcache.c) |
| |
| 1389 | | | memcache_request_dissector (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset, |
| 1390 | | | const guchar *line, const guchar *lineend, guint8 opcode) |
| 1391 | | | { |
| 1392 | | | const guchar *next_token; |
| 1393 | | | int tokenlen; |
| 1394 | | | |
| 1395 | | | guint16 flags; |
| 1396 | | | guint32 expiration; |
| 1397 | | | guint32 bytes; |
| 1398 | | | guint64 cas; |
| 1399 | | | gchar response_chars[21]; |
| 1400 | | | |
| 1401 | | | |
| 1402 | [+] | | tokenlen = get_token_len (line, lineend, &next_token); |
 |
| 1403 | | | if (tokenlen == 0) { |
Event 2:
Skipping " if". tokenlen == 0 evaluates to false.
hide
|
|
| 1404 | | | return -1; |
| 1405 | | | } |
| 1406 | | | proto_tree_add_item (tree, hf_command, tvb, offset, tokenlen, FALSE); |
| 1407 | | | offset += (int) (next_token - line); |
| 1408 | | | line = next_token; |
| 1409 | | | |
| 1410 | | | switch (opcode) { |
Event 3:
opcode evaluates to 14.
hide
|
|
| 1411 | | | |
| 1412 | | | case OP_SET: |
| 1413 | | | case OP_ADD: |
| 1414 | | | case OP_REPLACE: |
| 1415 | | | case OP_APPEND: |
| 1416 | | | case OP_PREPEND: |
| 1417 | | | case OP_CAS: |
| 1418 | | | |
| 1419 | | | |
| 1420 | [+] | | tokenlen = get_token_len (line, lineend, &next_token); |
 |
| 1421 | | | if (tokenlen == 0) { |
Event 6:
Skipping " if". tokenlen == 0 evaluates to false.
hide
|
|
| 1422 | | | return -1; |
| 1423 | | | } |
| 1424 | | | |
| 1425 | | | dissect_key (tvb, pinfo, tree, offset, tokenlen, opcode, TRUE); |
Event 7:
!0 evaluates to true.
hide
|
|
| 1426 | | | offset += (int) (next_token - line); |
| 1427 | | | line = next_token; |
| 1428 | | | |
| 1429 | | | |
| 1430 | [+] | | tokenlen = get_token_len (line, lineend, &next_token); |
 |
| 1431 | | | if (tokenlen == 0 || tokenlen > 5) { |
Event 8:
Skipping " if". - tokenlen == 0 evaluates to false.
- tokenlen > 5 evaluates to false.
hide
|
|
| 1432 | | | return -1; |
| 1433 | | | } |
| 1434 | | | memcpy (response_chars, line, tokenlen); |
| 1435 | | | response_chars[tokenlen] = '\0'; |
| 1436 | | | |
| 1437 | | | flags = (guint16) strtoul (response_chars, NULL, 10); |
Event 9:
strtoul() returns a potentially dangerous value [ ?potentially dangerous: the value cannot be determined and may come from program input]. - Determines the value that is cast in the Cast Alters Value warning later.
hide
Cast Alters Value
strtoul(...) is cast from unsigned long to unsigned short. - strtoul(...) could be 65536 or higher.
- Values 65536 or higher cannot be stored as unsigned short. Casting them to unsigned short can cause data loss or sign change.
The issue can occur if the highlighted code executes. See related event 9. Show: All events | Only primary events |
|
| |