(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-gsm_a_bssmap.c) |
| |
| 1798 | | | be_cell_id_list(tvbuff_t *tvb, proto_tree *tree, guint32 offset, guint len, gchar *add_string, int string_len) |
| 1799 | | | { |
| 1800 | | | guint8 oct; |
| 1801 | | | guint16 consumed; |
| 1802 | | | guint8 disc; |
| 1803 | | | guint8 num_cells; |
| 1804 | | | guint32 curr_offset; |
| 1805 | | | proto_item *item = NULL; |
| 1806 | | | proto_tree *subtree = NULL; |
| 1807 | | | |
| 1808 | | | curr_offset = offset; |
| 1809 | | | |
| 1810 | | | oct = tvb_get_guint8(tvb, curr_offset); |
| 1811 | | | |
| 1812 | | | proto_tree_add_bits_item(tree, hf_gsm_a_bssmap_spare_bits, tvb, curr_offset<<3, 4, FALSE); |
| 1813 | | | |
| 1814 | | | disc = oct & 0x0f; |
| 1815 | | | proto_tree_add_item(tree, hf_gsm_a_bssmap_be_cell_id_disc, tvb, curr_offset, 1, FALSE); |
| 1816 | | | curr_offset++; |
| 1817 | | | |
| 1818 | | | NO_MORE_DATA_CHECK(len);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-gsm_a_common.h |
| |
227 | #define NO_MORE_DATA_CHECK(nmdc_len) \ |
228 | if ((nmdc_len) == (curr_offset - offset)) return(nmdc_len); |
| |
|
Event 1:
Skipping " if". len == curr_offset - offset evaluates to false.
|
|
| 1819 | | | |
| 1820 | | | num_cells = 0; |
| 1821 | | | do |
| 1822 | | | { |
| 1823 | | | item = |
| 1824 | | | proto_tree_add_text(tree, |
| 1825 | | | tvb, curr_offset, -1, |
| 1826 | | | "Cell %u", |
| 1827 | | | num_cells + 1); |
| 1828 | | | |
| 1829 | | | subtree = proto_item_add_subtree(item, ett_cell_list); |
| 1830 | | | |
| 1831 | | | if (add_string) |
Event 2:
Taking true branch. add_string evaluates to true.
|
|
| 1832 | | | add_string[0] = '\0'; |
| 1833 | | | |
| 1834 | | | consumed = |
| 1835 | | | be_cell_id_aux(tvb, subtree, curr_offset, len - (curr_offset - offset), add_string, string_len, disc); |
| 1836 | | | |
| 1837 | | | if (add_string && add_string[0] != '\0') |
| 1838 | | | { |
| 1839 | | | proto_item_append_text(item, "%s", add_string ? add_string : ""); |
Null Test After Dereference
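This code tests the nullness of add_string, which has already been dereferenced.
- If add_string were null, there would have been a prior null pointer dereference at packet-gsm_a_bssmap.c:1837, and potentially at other locations as well.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test.
In this listing the dereference on line 1837 sits behind `add_string &&` in the same condition, and the write on line 1832 is inside `if (add_string)`, so the second alternative's "redundant test" case applies: the `add_string ? add_string : ""` check on line 1839 can never see a null pointer and is dead code rather than evidence of an unguarded dereference in this function.
The issue can occur if the highlighted code executes. See related event 4. |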
|
| 1840 | | | } |
| 1841 | | | |
| 1842 | | | proto_item_set_len(item, consumed); |
| 1843 | | | |
| 1844 | | | curr_offset += consumed; |
| 1845 | | | |
| 1846 | | | num_cells++; |
| 1847 | | | } |
| 1848 | | | while ((len - (curr_offset - offset)) > 0 && consumed > 0); |
| 1849 | | | |
| 1850 | | | if (add_string) { |
| 1851 | | | g_snprintf(add_string, string_len, " - %u cell%s", |
| 1852 | | | num_cells, plurality(num_cells, "", "s")); |
| 1853 | | | } |
| 1854 | | | |
| 1855 | | | (len, curr_offset - offset);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-gsm_a_common.h |
| |
201 | #define (edc_len, edc_max_len) \ |
202 | if (((edc_len) > (edc_max_len))||lower_nibble) \ |
203 | { \ |
204 | proto_tree_add_text(tree, tvb, \ |
205 | curr_offset, (edc_len) - (edc_max_len), " Data"); \ |
206 | curr_offset += ((edc_len) - (edc_max_len)); \ |
207 | } |
| |
|
| 1856 | | | |
| 1857 | | | return(curr_offset - offset); |
| 1858 | | | } |
| |