(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-smb.c) |
| |
| 8715 | | | dissect_nt_trans_data_response(tvbuff_t *tvb, packet_info *pinfo, |
| 8716 | | | int offset, proto_tree *parent_tree, int len, |
| 8717 | | | nt_trans_data *ntd _U_, |
| 8718 | | | smb_nt_transact_info_t *nti) |
| 8719 | | | { |
| 8720 | | | proto_item *item = NULL; |
| 8721 | | | proto_tree *tree = NULL; |
| 8722 | | | smb_info_t *si; |
| 8723 | | | guint16 bcp; |
| 8724 | | | struct access_mask_info *ami=NULL; |
| 8725 | | | tvbuff_t *ioctl_tvb; |
| 8726 | | | |
| 8727 | | | si = (smb_info_t *)pinfo->private_data; |
| 8728 | | | DISSECTOR_ASSERT(si);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
117 | #define DISSECTOR_ASSERT(expression) \ |
118 | ((void) ((expression) ? (void)0 : \ |
119 | __DISSECTOR_ASSERT (expression, __FILE__, __LINE__))) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
138 | #define __DISSECTOR_ASSERT(expression, file, lineno) \ |
139 | (REPORT_DISSECTOR_BUG( \ |
140 | ep_strdup_printf("%s:%u: failed assertion \"%s\"", \ |
141 | file, lineno, __DISSECTOR_ASSERT_STRINGIFY(expression)))) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
106 | #define REPORT_DISSECTOR_BUG(message) \ |
107 | ((getenv("WIRESHARK_ABORT_ON_DISSECTOR_BUG") != NULL) ? \ |
108 | abort() : \ |
109 | THROW_MESSAGE(DissectorError, message)) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/exceptions.h |
| |
226 | #define THROW_MESSAGE(x, y) \ |
227 | except_throw(XCEPT_GROUP_WIRESHARK, (x), (y)) |
| |
|
Event 1:
si evaluates to true.
|
|
| 8729 | | | |
| 8730 | | | if(parent_tree){ |
Event 2:
Skipping "if": parent_tree evaluates to false, so the tvb_ensure_bytes_exist() call and the proto_tree_add_text() calls inside that block (packet-smb.c:8731–8744) are not executed on this path.
|
|
| 8731 | | | tvb_ensure_bytes_exist(tvb, offset, len); |
| 8732 | | | if(nti != NULL){ |
| 8733 | | | item = proto_tree_add_text(parent_tree, tvb, offset, len, |
| 8734 | | | "%s Data", |
| 8735 | | | val_to_str(nti->subcmd, nt_cmd_vals, "Unknown NT Transaction (%u)")); |
| 8736 | | | } else { |
| 8737 | | | |
| 8738 | | | |
| 8739 | | | |
| 8740 | | | |
| 8741 | | | item = proto_tree_add_text(parent_tree, tvb, offset, len, |
| 8742 | | | "Unknown NT Transaction Data (matching request not seen)"); |
| 8743 | | | } |
| 8744 | | | tree = proto_item_add_subtree(item, ett_smb_nt_trans_data); |
| 8745 | | | } |
| 8746 | | | |
| 8747 | | | if (nti == NULL) { |
Event 3:
Skipping "if": nti == (void *)0 evaluates to false, so the early return at packet-smb.c:8748–8749 is not taken and nti is non-null from here on.
|
|
| 8748 | | | offset += len; |
| 8749 | | | return offset; |
| 8750 | | | } |
| 8751 | | | switch(nti->subcmd){ |
Event 4:
nti->subcmd evaluates to 6.
|
|
| 8752 | | | case NT_TRANS_CREATE: |
| 8753 | | | break; |
| 8754 | | | case NT_TRANS_IOCTL: |
| 8755 | | | |
| 8756 | | | ioctl_tvb=tvb_new_subset(tvb, offset, MIN((int)len, tvb_length_remaining(tvb, offset)), len);
x /usr/include/glib-2.0/glib/gmacros.h |
| |
201 | #define MIN(a, b) (((a) < (b)) ? (a) : (b)) |
| |
|
| 8757 | | | dissect_smb2_ioctl_data(ioctl_tvb, pinfo, tree, top_tree, nti->ioctl_function, FALSE); |
| 8758 | | | |
| 8759 | | | offset += len; |
| 8760 | | | |
| 8761 | | | break; |
| 8762 | | | case NT_TRANS_SSD: |
| 8763 | | | break; |
| 8764 | | | case NT_TRANS_NOTIFY: |
| 8765 | | | break; |
| 8766 | | | case NT_TRANS_RENAME: |
| 8767 | | | |
| 8768 | | | break; |
| 8769 | | | case NT_TRANS_QSD: |
| 8770 | | | if(nti){ |
Null Test After Dereference
This code tests the nullness of nti, which has already been dereferenced. If nti were null, there would have been a prior null pointer dereference at packet-smb.c:8751 (nti->subcmd), and potentially at other locations as well.
Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test. Here the test is redundant, not a missing guard: the explicit `if (nti == NULL)` check at packet-smb.c:8747 returns before the switch at 8751 is reached, so nti is non-null on every path into the NT_TRANS_QSD case, and this finding does not indicate a reachable null dereference. The `if(nti)` at 8770 can be removed; keeping it is harmless but misleading about where nullness is actually decided.
What a reviewer should weigh on this path instead: `tvb_ensure_bytes_exist(tvb, offset, len)` at 8731 runs only inside `if(parent_tree)`, so with parent_tree NULL (Event 2) the sub-dissectors at 8756–8785 are entered without that up-front length check and rely on the tvb accessors' own bounds exceptions; and `bcp=len` at 8784 narrows an int into a guint16, which silently truncates lengths above 65535 — worth confirming against what dissect_nt_user_quota does with that count.
The issue can occur if the highlighted code executes. See related event 5.
|
| 8771 | | | switch(nti->fid_type){ |
| 8772 | | | case SMB_FID_TYPE_FILE: |
| 8773 | | | ami= &smb_file_access_mask_info; |
| 8774 | | | break; |
| 8775 | | | case SMB_FID_TYPE_DIR: |
| 8776 | | | ami= &smb_dir_access_mask_info; |
| 8777 | | | break; |
| 8778 | | | } |
| 8779 | | | } |
| 8780 | | | offset = dissect_nt_sec_desc( |
| 8781 | | | tvb, offset, pinfo, tree, NULL, TRUE, len, ami); |
| 8782 | | | break; |
| 8783 | | | case NT_TRANS_GET_USER_QUOTA: |
| 8784 | | | bcp=len; |
| 8785 | | | offset = dissect_nt_user_quota(tvb, tree, offset, &bcp); |
| 8786 | | | break; |
| 8787 | | | case NT_TRANS_SET_USER_QUOTA: |
| 8788 | | | |
| 8789 | | | break; |
| 8790 | | | } |
| 8791 | | | |
| 8792 | | | return offset; |
| 8793 | | | } |
| |