(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ros.c) |
| |
/*
 * Pair a ROS invoke (request) with its response by invokeId and, when a
 * record is available, add generated "response in" / "response to" / time
 * items to the protocol tree.
 *
 * tvb      - buffer the generated items are attached to (offset 0, length 0)
 * pinfo    - supplies the current frame number and absolute timestamp
 * tree     - protocol tree that receives the generated items
 * invokeId - identifier used to pair a request with its response
 * isInvoke - TRUE when the current PDU is the request side
 *
 * Returns the call/response record, or NULL when an invoke has only just
 * been recorded as unmatched or when no record exists for a response.
 *
 * Static-analysis triage (finding: "Null Test After Dereference" on the final
 * NULL test): the reported earlier dereference is the is_request update in
 * the branch taken only when the lookup in the matched table succeeded, so
 * that dereference is already guarded.  The final test is redundant on that
 * one path only; the response path below can still arrive there with a NULL
 * record, so the test has to stay.
 *
 * NOTE(review): the conversation state comes from the file-scope
 * ros_info_items, which is defined outside this listing - confirm it cannot
 * be NULL when this function runs.
 * NOTE(review): invokeId presumably originates from captured traffic; how
 * keys are compared depends on the hash/equal callbacks registered for the
 * two tables, which are not shown here.
 */
static ros_call_response_t *
ros_match_call_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint invokeId, gboolean isInvoke)
{
  ros_conv_info_t *conv = ros_info_items;
  ros_call_response_t key;
  ros_call_response_t *entry = NULL;
  proto_item *item = NULL;

  /* Build the lookup key: only the side that matches this PDU carries a
   * frame number, the other side is zero. */
  key.invokeId = invokeId;
  key.is_request = isInvoke;
  key.req_frame = isInvoke ? pinfo->fd->num : 0;
  key.rep_frame = isInvoke ? 0 : pinfo->fd->num;

  entry = g_hash_table_lookup(conv->matched, &key);

  if (entry != NULL) {
    /* Already paired: record which side is currently being looked at. */
    entry->is_request = key.is_request;
  } else if (isInvoke) {
    /* New request.  An unmatched record with the same key is taken out of
     * the table and reused; otherwise a fresh record is allocated. */
    entry = g_hash_table_lookup(conv->unmatched, &key);
    if (entry != NULL) {
      g_hash_table_remove(conv->unmatched, entry);
    } else {
      /* NOTE(review): the se_alloc() result is used unchecked - presumably
       * it never returns NULL; confirm. */
      entry = se_alloc(sizeof *entry);
    }

    entry->invokeId = invokeId;
    entry->req_frame = pinfo->fd->num;
    entry->req_time = pinfo->fd->abs_ts;
    entry->rep_frame = 0;
    entry->is_request = TRUE;
    g_hash_table_insert(conv->unmatched, entry, entry);

    /* Nothing to display until the response has been seen. */
    return NULL;
  } else {
    /* Response: look for the pending request.  A record that has no response
     * frame yet is moved from the unmatched to the matched table. */
    entry = g_hash_table_lookup(conv->unmatched, &key);
    if (entry != NULL && !entry->rep_frame) {
      g_hash_table_remove(conv->unmatched, entry);
      entry->rep_frame = pinfo->fd->num;
      entry->is_request = FALSE;
      g_hash_table_insert(conv->matched, entry, entry);
    }
  }

  /* Required guard: a response without a pending request leaves entry NULL. */
  if (entry == NULL) {
    return NULL;
  }

  /* PROTO_ITEM_SET_GENERATED tests its argument before touching finfo (see
   * its definition in epan/proto.h), so a NULL item is tolerated below. */
  if (entry->is_request) {
    item = proto_tree_add_uint(tree, hf_ros_response_in, tvb, 0, 0, entry->rep_frame);
    PROTO_ITEM_SET_GENERATED (item);
  } else {
    nstime_t elapsed;

    item = proto_tree_add_uint(tree, hf_ros_response_to, tvb, 0, 0, entry->req_frame);
    PROTO_ITEM_SET_GENERATED (item);

    /* Time between the request frame and the current frame. */
    nstime_delta(&elapsed, &pinfo->fd->abs_ts, &entry->req_time);
    item = proto_tree_add_time(tree, hf_ros_time, tvb, 0, 0, &elapsed);
    PROTO_ITEM_SET_GENERATED (item);
  }

  return entry;
}
| |