(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/reassemble.c) |
| 641 | | | fragment_add_work(fragment_data *fd_head, tvbuff_t *tvb, int offset, |
| 642 | | | packet_info *pinfo, guint32 frag_offset, |
| 643 | | | guint32 frag_data_len, gboolean more_frags) |
| 644 | | | { |
| 645 | | | fragment_data *fd; |
| 646 | | | fragment_data *fd_i; |
| 647 | | | guint32 max, dfpos; |
| 648 | | | unsigned char *old_data; |
| 649 | | | |
| 650 | | | |
| 651 | | | fd = g_mem_chunk_alloc(fragment_data_chunk); |
| 652 | | | fd->next = NULL; |
| 653 | | | fd->flags = 0; |
| 654 | | | fd->frame = pinfo->fd->num; |
| 655 | | | if (fd->frame > fd_head->frame) |
Event 2:
Skipping " if". fd->frame > fd_head->frame evaluates to false.
| 656 | | | fd_head->frame = fd->frame; |
| 657 | | | fd->offset = frag_offset; |
| 658 | | | fd->len = frag_data_len; |
| 659 | | | fd->data = NULL; |
| 660 | | | |
| 661 | | | |
| 662 | | | |
| 663 | | | |
| 664 | | | |
| 665 | | | if(fd_head->flags & FD_DEFRAGMENTED && (frag_offset+frag_data_len) >= fd_head->datalen && |
Event 3:
Skipping " if". fd_head->flags & 1 evaluates to false.
| 666 | | | fd_head->flags & FD_PARTIAL_REASSEMBLY){ |
| 667 | | | for(fd_i=fd_head->next; fd_i; fd_i=fd_i->next){ |
| 668 | | | if( !fd_i->data ) { |
| 669 | | | fd_i->data = fd_head->data + fd_i->offset; |
| 670 | | | fd_i->flags |= FD_NOT_MALLOCED; |
| 671 | | | } |
| 672 | | | fd_i->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS); |
| 673 | | | } |
| 674 | | | fd_head->flags &= ~(FD_DEFRAGMENTED|FD_PARTIAL_REASSEMBLY|FD_DATALEN_SET); |
| 675 | | | fd_head->flags &= (~FD_TOOLONGFRAGMENT) & (~FD_MULTIPLETAILS); |
| 676 | | | fd_head->datalen=0; |
| 677 | | | fd_head->reassembled_in=0; |
| 678 | | | } |
| 679 | | | |
| 680 | | | if (!more_frags) { |
Event 4:
Taking true branch. more_frags evaluates to false.
| 681 | | | |
| 682 | | | |
| 683 | | | |
| 684 | | | if (fd_head->flags & FD_DATALEN_SET) { |
Event 5:
Taking true branch. fd_head->flags & 1024 evaluates to true.
| 685 | | | |
| 686 | | | |
| 687 | | | |
| 688 | | | if (fd_head->datalen != (fd->offset + fd->len) ){ |
Event 6:
Skipping " if". fd_head->datalen != fd->offset + fd->len evaluates to false.
| 689 | | | |
| 690 | | | |
| 691 | | | |
| 692 | | | fd->flags |= FD_MULTIPLETAILS; |
| 693 | | | fd_head->flags |= FD_MULTIPLETAILS; |
| 694 | | | } |
| 695 | | | } else { |
| 696 | | | |
| 697 | | | |
| 698 | | | |
| 699 | | | fd_head->datalen = fd->offset + fd->len; |
| 700 | | | fd_head->flags |= FD_DATALEN_SET; |
| 701 | | | } |
| 702 | | | } |
| 703 | | | |
| 704 | | | |
| 705 | | | |
| 706 | | | |
| 707 | | | |
| 708 | | | |
| 709 | | | |
| 710 | | | |
| 711 | | | |
| 712 | | | if (fd_head->flags & FD_DEFRAGMENTED) { |
Event 7:
Skipping " if". fd_head->flags & 1 evaluates to false.
| 713 | | | fd->flags |= FD_OVERLAP; |
| 714 | | | fd_head->flags |= FD_OVERLAP; |
| 715 | | | |
| 716 | | | if (fd->offset + fd->len > fd_head->datalen) { |
| 717 | | | fd->flags |= FD_TOOLONGFRAGMENT; |
| 718 | | | fd_head->flags |= FD_TOOLONGFRAGMENT; |
| 719 | | | } |
| 720 | | | |
| 721 | | | else if ( memcmp(fd_head->data+fd->offset, |
| 722 | | | tvb_get_ptr(tvb,offset,fd->len),fd->len) ){ |
| 723 | | | fd->flags |= FD_OVERLAPCONFLICT; |
| 724 | | | fd_head->flags |= FD_OVERLAPCONFLICT; |
| 725 | | | } |
| 726 | | | |
| 727 | | | LINK_FRAG(fd_head,fd); |
| 728 | | | return TRUE; |
| 729 | | | } |
| 730 | | | |
| 731 | | | |
| 732 | | | |
| 733 | | | |
| 734 | | | |
| 735 | | | |
| 736 | | | |
| 737 | | | |
| 738 | | | fd->data = g_malloc(fd->len); |
| 739 | | | tvb_memcpy(tvb, fd->data, offset, fd->len); |
| 740 | | | LINK_FRAG(fd_head,fd); |
| 741 | | | |
| 742 | | | |
| 743 | | | if( !(fd_head->flags & FD_DATALEN_SET) ){ |
Event 9:
Skipping " if". fd_head->flags & 1024 evaluates to true.
| 744 | | | |
| 745 | | | |
| 746 | | | |
| 747 | | | return FALSE; |
| 748 | | | } |
| 749 | | | |
| 750 | | | |
| 751 | | | |
| 752 | | | |
| 753 | | | |
| 754 | | | |
| 755 | | | |
| 756 | | | |
| 757 | | | |
| 758 | | | |
| 759 | | | |
| 760 | | | |
| 761 | | | max = 0; |
| 762 | | | for (fd_i=fd_head->next;fd_i;fd_i=fd_i->next) { |
| 763 | | | if ( ((fd_i->offset)<=max) && |
| 764 | | | ((fd_i->offset+fd_i->len)>max) ){ |
| 765 | | | max = fd_i->offset+fd_i->len; |
| 766 | | | } |
| 767 | | | } |
| 768 | | | |
| 769 | | | if (max < (fd_head->datalen)) { |
Event 11:
Skipping " if". max < fd_head->datalen evaluates to false.
| 770 | | | |
| 771 | | | |
| 772 | | | |
| 773 | | | |
| 774 | | | |
| 775 | | | return FALSE; |
| 776 | | | } |
| 777 | | | |
| 778 | | | |
| 779 | | | if (max > (fd_head->datalen)) { |
Event 12:
Taking true branch. max > fd_head->datalen evaluates to true.
| 780 | | | |
| 781 | | | |
| 782 | | | |
| 783 | | | fd->flags |= FD_TOOLONGFRAGMENT; |
| 784 | | | fd_head->flags |= FD_TOOLONGFRAGMENT; |
| 785 | | | } |
| 786 | | | |
| 787 | | | |
| 788 | | | |
| 789 | | | |
| 790 | | | |
| 791 | | | old_data=fd_head->data; |
| 792 | | | fd_head->data = g_malloc(max); |
Event 13:
g_malloc is an Undefined Function.
Event 14:
fd_head->data is set to g_malloc(max). - This determines the destination region in the copy operation later.
| 793 | | | |
| 794 | | | |
| 795 | | | for (dfpos=0,fd_i=fd_head;fd_i;fd_i=fd_i->next) { |
Event 15:
dfpos is set to 0.
Event 16:
fd_i is set to fd_head.
Event 17:
Entering loop body. fd_i evaluates to true.
| 796 | | | if (fd_i->len) { |
Event 18:
Taking true branch. fd_i->len evaluates to true.
| 797 | | | |
| 798 | | | |
| 799 | | | |
| 800 | | | |
| 801 | | | |
| 802 | | | |
| 803 | | | |
| 804 | | | |
| 805 | | | |
| 806 | | | |
| 807 | | | |
| 808 | | | |
| 809 | | | if ( fd_i->offset+fd_i->len > dfpos ) { |
Event 19:
Taking true branch. fd_i->offset + fd_i->len > dfpos evaluates to true.
| 810 | | | if (fd_i->offset+fd_i->len > max) |
Event 20:
Taking false branch. fd_i->offset + fd_i->len > max evaluates to false.
| 811 | | | g_warning("Reassemble error in frame %u: offset %u + len %u > max %u",
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 812 | | | pinfo->fd->num, fd_i->offset, |
| 813 | | | fd_i->len, max); |
| 814 | | | else if (dfpos < fd_i->offset) |
Event 21:
Taking false branch. dfpos < fd_i->offset evaluates to false.
Event 22:
Considering the case where fd_i->offset is no more than 0 so fd_head->offset must have been no more than 0. See related events 15 and 16.
| 815 | | | g_warning("Reassemble error in frame %u: dfpos %u < offset %u",
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 816 | | | pinfo->fd->num, dfpos, fd_i->offset); |
| 817 | | | else if (dfpos-fd_i->offset > fd_i->len) |
Event 23:
Taking false branch. dfpos - fd_i->offset > fd_i->len evaluates to false.
hide
|
|
| 818 | | | g_warning("Reassemble error in frame %u: dfpos %u - offset %u > len %u",
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 819 | | | pinfo->fd->num, dfpos, fd_i->offset, |
| 820 | | | fd_i->len); |
| 821 | | | else { |
| 822 | | | if (fd_i->offset < dfpos) { |
Event 24:
Skipping " if". fd_i->offset < dfpos evaluates to false.
Event 25:
Considering the case where fd_i->offset is at least 0 so fd_head->offset must have been equal to 0. See related events 15, 16, and 22.
| 823 | | | fd_i->flags |= FD_OVERLAP; |
| 824 | | | fd_head->flags |= FD_OVERLAP; |
| 825 | | | if ( memcmp(fd_head->data+fd_i->offset, |
| 826 | | | fd_i->data, |
| 827 | | | MIN(fd_i->len,(dfpos-fd_i->offset))
x /usr/include/glib-2.0/glib/gmacros.h |
| |
201 | #define MIN(a, b) (((a) < (b)) ? (a) : (b)) |
| |
|
| 828 | | | ) ) { |
| 829 | | | fd_i->flags |= FD_OVERLAPCONFLICT; |
| 830 | | | fd_head->flags |= FD_OVERLAPCONFLICT; |
| 831 | | | } |
| 832 | | | } |
| 833 | | | memcpy(fd_head->data+dfpos, |
Event 27:
fd_head->data, which evaluates to g_malloc(max) from reassemble.c:792, is passed to memcpy() as the first argument. See related events 14 and 15.
Overlapping Memory Regions
The same memory location is passed to memcpy() as both the source and the destination of the copy: fd_head->data + dfpos and fd_i->data + (dfpos - fd_i->offset) have the same value, namely the buffer returned by g_malloc(max) at reassemble.c:792.
- fd_head->data + dfpos is passed to memcpy() as the first (destination) argument.
- fd_i->data + (dfpos - fd_i->offset) is passed to memcpy() as the second (source) argument.
The issue can occur if the highlighted code executes. See related events 26 and 27.
|
| 834 | | | fd_i->data+(dfpos-fd_i->offset), |
Event 26:
fd_i->data, which evaluates to g_malloc(max) from reassemble.c:792, is passed to memcpy() as the second argument. See related events 14, 15, 16, and 25.
| 835 | | | fd_i->len-(dfpos-fd_i->offset)); |