(/home/sate/Testcases/c/cve/wireshark-1.2.0/wiretap/ngsniffer.c) |
| |
| 2405 | | | ng_file_read(void *buffer, size_t elementsize, size_t numelements, wtap *wth, |
| 2406 | | | gboolean is_random, int *err) |
| 2407 | | | { |
| 2408 | | | FILE_T infile; |
| 2409 | | | ngsniffer_comp_stream_t *comp_stream; |
| 2410 | | | size_t copybytes = elementsize * numelements; |
| 2411 | | | gint64 copied_bytes = 0; |
| 2412 | | | unsigned char *outbuffer = buffer; |
| 2413 | | | blob_info_t *blob; |
| 2414 | | | size_t bytes_to_copy; |
| 2415 | | | size_t bytes_left; |
| 2416 | | | |
| 2417 | | | if (is_random) { |
Event 1:
Taking true branch. is_random evaluates to true.
|
|
| 2418 | | | infile = wth->random_fh; |
| 2419 | | | comp_stream = &wth->capture.ngsniffer->rand; |
| 2420 | | | } else { |
| 2421 | | | infile = wth->fh; |
| 2422 | | | comp_stream = &wth->capture.ngsniffer->seq; |
| 2423 | | | } |
| 2424 | | | |
| 2425 | | | if (wth->file_type == WTAP_FILE_NGSNIFFER_UNCOMPRESSED) { |
Event 2:
Skipping the "if" body. wth->file_type == 29 (WTAP_FILE_NGSNIFFER_UNCOMPRESSED) evaluates to false, so the uncompressed early-return path is not taken.
|
|
| 2426 | | | errno = WTAP_ERR_CANT_READ; |
| 2427 | | | copied_bytes = file_read(buffer, 1, copybytes, infile);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/wiretap/file_wrappers.h |
| |
36 | #define file_read(buf, bsize, count, file) gzread((file),(buf),(unsigned)((count)*(bsize))) |
| |
|
| 2428 | | | if ((size_t) copied_bytes != copybytes) |
| 2429 | | | *err = file_error(infile); |
| 2430 | | | return copied_bytes; |
| 2431 | | | } |
| 2432 | | | |
| 2433 | | | |
| 2434 | | | if (comp_stream->buf == NULL) { |
Event 3:
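Skipping the "if" body. comp_stream->buf == (void *)0 (NULL) evaluates to false, so the block that allocates the buffer and sets up the blob list is not executed on this path.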
|
|
| 2435 | | | comp_stream->buf = g_malloc(OUTBUF_SIZE); |
| 2436 | | | |
| 2437 | | | if (is_random) { |
| 2438 | | | |
| 2439 | | | |
| 2440 | | | |
| 2441 | | | |
| 2442 | | | |
| 2443 | | | wth->capture.ngsniffer->current_blob = |
| 2444 | | | wth->capture.ngsniffer->first_blob; |
| 2445 2454 |  | | [ Lines 2445 to 2454 omitted. ] |
| 2455 | | | g_list_append(wth->capture.ngsniffer->first_blob, blob); |
| 2456 | | | wth->capture.ngsniffer->last_blob = |
| 2457 | | | wth->capture.ngsniffer->first_blob; |
| 2458 | | | } |
| 2459 | | | } |
| 2460 | | | |
| 2461 | | | |
| 2462 | | | if (read_blob(infile, comp_stream, err) < 0) |
| 2463 | | | return -1; |
| 2464 | | | } |
| 2465 | | | while (copybytes > 0) { |
Event 4:
Entering loop body. copybytes > 0 evaluates to true.
|
|
| 2466 | | | bytes_left = comp_stream->nbytes - comp_stream->nextout; |
| 2467 | | | if (bytes_left == 0) { |
Event 5:
Taking true branch. bytes_left == 0 evaluates to true.
|
|
| 2468 | | | |
| 2469 | | | |
| 2470 | | | |
| 2471 | | | if (is_random) { |
Event 6:
Taking true branch. is_random evaluates to true.
|
|
| 2472 | | | |
| 2473 | | | wth->capture.ngsniffer->current_blob = |
| 2474 | | | g_list_next(wth->capture.ngsniffer->current_blob);
x /usr/include/glib-2.0/glib/glist.h |
| |
113 | #define g_list_next(list) ((list) ? (((GList *)(list))->next) : NULL) |
| |
|
Event 7:
wth->capture.ngsniffer->current_blob evaluates to false (it is NULL), so the g_list_next() macro takes its NULL branch.
Event 8:
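((char*)wth->capture)[84] (the analyzer's name for what appears to be wth->capture.ngsniffer->current_blob) is set to wth->capture.ngsniffer->current_blob ? ((GList *)wth->capture.ngsniffer->current_blob)->next : (void *)0, which evaluates to NULL. This value is dereferenced later, at line 2475, causing the null pointer dereference. Note that g_list_next() also returns NULL when the current node is the last one in the list, so its result needs a NULL check in either case.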
|
|
| 2475 | | | blob = wth->capture.ngsniffer->current_blob->data; |
Null Pointer Dereference
((char*)wth->capture)[84] is dereferenced here, but it is NULL: line 2475 reads ->data from current_blob immediately after the g_list_next() assignment at lines 2473-2474, with no NULL check in between. The issue can occur if the highlighted code executes. See related event 8. |
|
| |