(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/crypt/airpdcap.c) |
| |
| 1171 | | | AirPDcapRsna4WHandshake( |
| 1172 | | | PAIRPDCAP_CONTEXT ctx, |
| 1173 | | | const UCHAR *data, |
| 1174 | | | AIRPDCAP_SEC_ASSOCIATION *sa, |
| 1175 | | | PAIRPDCAP_KEY_ITEM key, |
| 1176 | | | INT offset) |
| 1177 | | | { |
| 1178 | | | AIRPDCAP_KEY_ITEM *tmp_key, pkt_key; |
| 1179 | | | AIRPDCAP_SEC_ASSOCIATION *tmp_sa; |
| 1180 | | | INT key_index; |
| 1181 | | | INT ret_value=1; |
| 1182 | | | UCHAR useCache=FALSE; |
| 1183 | | | UCHAR eapol[AIRPDCAP_EAPOL_MAX_LEN]; |
| 1184 | | | USHORT eapol_len; |
| 1185 | | | |
| 1186 | | | if (sa->key!=NULL) |
Event 1:
Skipping "if": sa->key != (void *)0 evaluates to false.
|
|
| 1187 | | | useCache=TRUE; |
| 1188 | | | |
| 1189 | | | |
| 1190 | | | if (AIRPDCAP_EAP_KEY(data[offset+1])!=1) { |
Event 2:
Skipping "if": (data[offset + 1] >> 3 & 1) != 1 evaluates to false.
|
|
| 1191 | | | AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "Group/STAKey message (not used)", AIRPDCAP_DEBUG_LEVEL_5); |
| 1192 | | | return AIRPDCAP_RET_NO_VALID_HANDSHAKE; |
| 1193 | | | } |
| 1194 | | | |
| 1195 | | | |
| 1196 | | | |
| 1197 | | | |
| 1198 | | | if(sa->handshake == 4) { |
Event 3:
Taking true branch. sa->handshake == 4 evaluates to true.
|
|
| 1199 | | | tmp_sa=se_alloc(sizeof(AIRPDCAP_SEC_ASSOCIATION)); |
| 1200 | | | memcpy(tmp_sa, sa, sizeof(AIRPDCAP_SEC_ASSOCIATION)); |
| 1201 | | | sa->next=tmp_sa; |
| 1202 | | | } |
| 1203 | | | |
| 1204 | | | |
| 1205 | | | |
| 1206 | | | |
| 1207 | | | |
| 1208 | | | AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "4-way handshake...", AIRPDCAP_DEBUG_LEVEL_5); |
| 1209 | | | |
| 1210 | | | |
| 1211 | | | |
| 1212 | | | |
| 1213 | | | if (AIRPDCAP_EAP_INST(data[offset+1])==0 && |
Event 4:
Skipping "if": the combined condition is false because
- (data[offset + 1] >> 6 & 1) == 0 evaluates to true,
- (data[offset + 1] >> 7 & 1) == 1 evaluates to true, and
- (data[offset] & 1) == 0 evaluates to false.
|
|
| 1214 | | | AIRPDCAP_EAP_ACK(data[offset+1])==1 && |
| 1215 | | | AIRPDCAP_EAP_MIC(data[offset])==0) |
| 1216 | | | { |
| 1217 | | | AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "4-way handshake message 1", AIRPDCAP_DEBUG_LEVEL_3); |
| 1218 | | | |
| 1219 | | | |
| 1220 | | | |
| 1221 | | | |
| 1222 | | | |
| 1223 | | | |
| 1224 | | | |
| 1225 | | | memcpy(sa->wpa.nonce, data+offset+12, 32); |
| 1226 | | | |
| 1227 | | | |
| 1228 | | | sa->wpa.key_ver=AIRPDCAP_EAP_KEY_DESCR_VER(data[offset+1]);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/crypt/airpdcap_int.h |
| |
84 | #define AIRPDCAP_EAP_KEY_DESCR_VER(KeyInfo_1) ((UCHAR)(KeyInfo_1 & 0x3)) |
| |
|
| 1229 | | | |
| 1230 | | | sa->handshake=1; |
| 1231 | | | |
| 1232 | | | return AIRPDCAP_RET_SUCCESS_HANDSHAKE; |
| 1233 | | | } |
| 1234 | | | |
| 1235 | | | |
| 1236 | | | if (AIRPDCAP_EAP_INST(data[offset+1])==0 && |
| 1237 | | | AIRPDCAP_EAP_ACK(data[offset+1])==0 && |
| 1238 | | | AIRPDCAP_EAP_MIC(data[offset])==1) |
| 1239 | | | { |
| 1240 | | | if (AIRPDCAP_EAP_SEC(data[offset])==0) { |
Event 6:
Taking true branch. (data[offset] >> 1 & 1) == 0 evaluates to true.
|
|
| 1241 | | | |
| 1242 | | | |
| 1243 | | | |
| 1244 | | | |
| 1245 | | | if (data[offset+92]!=0 || data[offset+93]!=0) { |
| 1246 | | | |
| 1247 | | | AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "4-way handshake message 2", AIRPDCAP_DEBUG_LEVEL_3); |
| 1248 | | | |
| 1249 | | | |
| 1250 | | | |
| 1251 | | | |
| 1252 | | | |
| 1253 | | | |
| 1254 | | | |
| 1255 | | | |
| 1256 | | | for (key_index=0; key_index<(INT)ctx->keys_nr || useCache; key_index++) { |
| 1257 | | | |
| 1258 | | | if (!useCache) { |
| 1259 | | | AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "Try WPA key...", AIRPDCAP_DEBUG_LEVEL_3); |
| 1260 | | | tmp_key=&ctx->keys[key_index]; |
| 1261 | | | } else { |
| 1262 | | | |
| 1263 | | | if (sa->key!=NULL && |
| 1264 | | | (sa->key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PWD || |
| 1265 | | | sa->key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PSK || |
| 1266 | | | sa->key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PMK)) { |
| 1267 | | | AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "Try cached WPA key...", AIRPDCAP_DEBUG_LEVEL_3); |
| 1268 | | | tmp_key=sa->key; |
| 1269 | | | } else { |
| 1270 | | | AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "Cached key is of a wrong type, try WPA key...", AIRPDCAP_DEBUG_LEVEL_3); |
| 1271 | | | tmp_key=&ctx->keys[key_index]; |
| 1272 | | | } |
| 1273 | | | } |
| 1274 | | | |
| 1275 | | | |
| 1276 | | | if (tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PWD || |
| 1277 | | | tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PSK || |
| 1278 | | | tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PMK) |
| 1279 | | | { |
| 1280 | | | if (tmp_key->KeyType == AIRPDCAP_KEY_TYPE_WPA_PWD && tmp_key->UserPwd.SsidLen == 0 && ctx->pkt_ssid_len > 0 && ctx->pkt_ssid_len <= AIRPDCAP_WPA_SSID_MAX_LEN) { |
| 1281 | | | |
| 1282 | | | memcpy(&pkt_key, tmp_key, sizeof(pkt_key)); |
| 1283 | | | memcpy(&pkt_key.UserPwd.Ssid, ctx->pkt_ssid, ctx->pkt_ssid_len); |
| 1284 | | | pkt_key.UserPwd.SsidLen = ctx->pkt_ssid_len; |
| 1285 | | | AirPDcapRsnaPwd2Psk(pkt_key.UserPwd.Passphrase, pkt_key.UserPwd.Ssid, |
| 1286 | | | pkt_key.UserPwd.SsidLen, pkt_key.KeyData.Wpa.Psk); |
| 1287 | | | tmp_key = &pkt_key; |
| 1288 | | | } |
| 1289 | | | |
| 1290 | | | |
| 1291 | | | AirPDcapRsnaPrfX(sa, |
| 1292 | | | tmp_key->KeyData.Wpa.Pmk, |
| 1293 | | | data+offset+12, |
| 1294 | | | 512, |
| 1295 | | | sa->wpa.ptk); |
| 1296 | | | |
| 1297 | | | |
| 1298 | | | eapol_len=pntohs(data+offset-3)+4;
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/pint.h |
| |
37 | #define pntohs(p) ((guint16) \ |
38 | ((guint16)*((const guint8 *)(p)+0)<<8| \ |
39 | (guint16)*((const guint8 *)(p)+1)<<0)) |
| |
|
| 1299 | | | memcpy(eapol, &data[offset-5], (eapol_len<AIRPDCAP_EAPOL_MAX_LEN?eapol_len:AIRPDCAP_EAPOL_MAX_LEN)); |
| 1300 | | | ret_value=AirPDcapRsnaMicCheck(eapol, |
| 1301 | | | eapol_len, |
| 1302 | | | sa->wpa.ptk, |
| 1303 | [+] | | AIRPDCAP_EAP_KEY_DESCR_VER(data[offset+1]));
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/crypt/airpdcap_int.h |
| |
84 | #define AIRPDCAP_EAP_KEY_DESCR_VER(KeyInfo_1) ((UCHAR)(KeyInfo_1 & 0x3)) |
| |
|
 |
| 1304 | | | |
| 1305 | | | |
| 1306 | | | |
| 1307 | | | |
| 1308 | | | |
| 1309 | | | |
| 1310 | | | } |
| 1311 | | | |
| 1312 | | | if (!ret_value && |
| 1313 | | | (tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PWD || |
| 1314 | | | tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PSK || |
| 1315 | | | tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PMK)) |
| 1316 | | | { |
| 1317 | | | |
| 1318 | | | |
| 1319 | | | sa->key=tmp_key; |
| 1320 | | | |
| 1321 | | | if (key!=NULL) { |
Event 10:
Taking true branch. key != (void *)0 evaluates to true.
|
|
| 1322 | | | memcpy(key, &tmp_key, sizeof(AIRPDCAP_KEY_ITEM)); |
Event 11:
168 is passed to memcpy() as the third argument.
Event 12:
&tmp_key is passed to memcpy() as the second argument; this is the buffer that is overrun later.
Buffer Overrun
This code reads past the end of the buffer pointed to by &tmp_key: memcpy() reads up to the byte at offset 167 from the start of that buffer, whose capacity is 4 bytes, so the offset exceeds the capacity and the overrun occurs in stack memory. The reason is visible in the declarations at line 1178: tmp_key is declared as a pointer (`AIRPDCAP_KEY_ITEM *tmp_key`), so &tmp_key is the address of the 4-byte pointer variable itself, not of the key item it points to; the copy source was presumably intended to be tmp_key rather than &tmp_key, which would read the full key item the pointer refers to.
The issue can occur if the highlighted code executes. See related events 11 and 12.
|
| 1323 | | | if (AIRPDCAP_EAP_KEY_DESCR_VER(data[offset+1])==AIRPDCAP_WPA_KEY_VER_NOT_CCMP)
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/crypt/airpdcap_int.h |
| |
84 | #define AIRPDCAP_EAP_KEY_DESCR_VER(KeyInfo_1) ((UCHAR)(KeyInfo_1 & 0x3)) |
| |
|
| 1324 | | | key->KeyType=AIRPDCAP_KEY_TYPE_TKIP; |
| 1325 | | | else if (AIRPDCAP_EAP_KEY_DESCR_VER(data[offset+1])==AIRPDCAP_WPA_KEY_VER_AES_CCMP)
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/crypt/airpdcap_int.h |
| |
84 | #define AIRPDCAP_EAP_KEY_DESCR_VER(KeyInfo_1) ((UCHAR)(KeyInfo_1 & 0x3)) |
| |
|
| 1326 | | | key->KeyType=AIRPDCAP_KEY_TYPE_CCMP; |
| 1327 | | | } |
| 1328 | | | |
| 1329 | | | break; |
| 1330 | | | } else { |
| 1331 | | | |
| 1332 | | | |
| 1333 | | | if (useCache==TRUE) { |
| 1334 | | | useCache=FALSE; |
| 1335 | | | key_index--; |
| |