(/home/sate/Testcases/c/cve/wireshark-1.2.0/plugins/irda/packet-irda.c) |
| |
| 516 | | | static void dissect_iap_request(tvbuff_t* tvb, packet_info* pinfo, proto_tree* root) |
| 517 | | | { |
| 518 | | | unsigned offset = 0; |
| 519 | | | guint8 op; |
| 520 | | | guint8 clen = 0; |
| 521 | | | guint8 alen = 0; |
| 522 | | | guint8 src; |
| 523 | | | address srcaddr; |
| 524 | | | address destaddr; |
| 525 | | | conversation_t* conv; |
| 526 | | | iap_conversation_t* iap_conv; |
| 527 | | | |
| 528 | | | |
| 529 | | | if (tvb_length(tvb) == 0) |
Event 1:
Skipping the "if" body: tvb_length(tvb) == 0 evaluates to false.
|
|
| 530 | | | return; |
| 531 | | | |
| 532 | | | |
| 533 | [+] | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) |
 |
| 534 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, "IAP"); |
| 535 | | | |
| 536 | | | op = tvb_get_guint8(tvb, offset) & IAP_OP; |
| 537 | | | |
| 538 | | | switch (op) |
Event 4:
op evaluates to 4.
|
|
| 539 | | | { |
| 540 | | | case GET_VALUE_BY_CLASS: |
| 541 | | | clen = MIN(tvb_get_guint8(tvb, offset + 1), 60);
x /usr/include/glib-2.0/glib/gmacros.h |
| |
201 | #define MIN(a, b) (((a) < (b)) ? (a) : (b)) |
| |
|
Event 5:
tvb_get_guint8(...) < 60 evaluates to false.
|
|
| 542 | | | alen = MIN(tvb_get_guint8(tvb, offset + 1 + 1 + clen), 60);
x /usr/include/glib-2.0/glib/gmacros.h |
| |
201 | #define MIN(a, b) (((a) < (b)) ? (a) : (b)) |
| |
|
Event 6:
tvb_get_guint8(...) < 60 evaluates to false.
|
|
| 543 | | | |
| 544 | | | |
| 545 | | | src = pinfo->circuit_id ^ CMD_FRAME; |
| 546 | | | srcaddr.type = AT_NONE; |
| 547 | | | srcaddr.len = 1; |
| 548 | | | srcaddr.data = (guint8*)&src; |
| 549 | | | |
| 550 | | | destaddr.type = AT_NONE; |
| 551 | | | destaddr.len = 1; |
| 552 | | | destaddr.data = (guint8*)&pinfo->circuit_id; |
| 553 | | | |
| 554 | [+] | | conv = find_conversation(pinfo->fd->num, &srcaddr, &destaddr, PT_NONE, pinfo->srcport, pinfo->destport, 0); |
 |
| 555 | | | if (conv) |
Event 14:
Taking true branch. conv evaluates to true.
|
|
| 556 | | | { |
| 557 | [+] | | iap_conv = (iap_conversation_t*)conversation_get_proto_data(conv, proto_iap); |
 |
| 558 | | | while (1) |
Event 19:
Entering loop body. 1 evaluates to true.
|
|
| 559 | | | { |
| 560 | | | if (iap_conv->iap_query_frame == pinfo->fd->num) |
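Null Pointer Dereference
iap_conv is dereferenced here, but it is NULL: it holds the return value of conversation_get_proto_data(conv, proto_iap) assigned on line 557, and no NULL check appears between that assignment and this use. The issue can occur if the highlighted code executes. See related event 18.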
|
| |