(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-sdp.c) |
| |
| 253 | | | dissect_sdp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) |
| 254 | | | { |
| 255 | | | proto_tree *sdp_tree; |
| 256 | | | proto_item *ti, *sub_ti; |
| 257 | | | gint offset = 0; |
| 258 | | | gint next_offset; |
| 259 | | | int linelen; |
| 260 | | | gboolean in_media_description; |
| 261 | | | guchar type; |
| 262 | | | guchar delim; |
| 263 | | | int datalen; |
| 264 | | | int tokenoffset; |
| 265 | | | int hf = -1; |
| 266 | | | char *string; |
| 267 | | | |
| 268 | | | address src_addr; |
| 269 | | | |
| 270 | | | transport_info_t transport_info; |
| 271 | | | |
| 272 | | | guint32 port=0; |
| 273 | | | gboolean is_rtp=FALSE; |
| 274 | | | gboolean is_srtp=FALSE; |
| 275 | | | gboolean is_t38=FALSE; |
| 276 | | | gboolean is_msrp=FALSE; |
| 277 | | | gboolean set_rtp=FALSE; |
| 278 | | | gboolean is_ipv4_addr=FALSE; |
| 279 | | | gboolean is_ipv6_addr=FALSE; |
| 280 | | | gboolean is_video=FALSE; |
| 281 | | | guint32 ipaddr[4]; |
| 282 | | | gint n,i; |
| 283 | | | sdp_packet_info *sdp_pi; |
| 284 | | | |
| 285 | | | |
| 286 | | | sdp_pi = ep_alloc(sizeof(sdp_packet_info)); |
| 287 | | | sdp_pi->summary_str[0] = '\0'; |
| 288 | | | |
| 289 | | | |
| 290 | | | transport_info.connection_address=NULL; |
| 291 | | | transport_info.connection_type=NULL; |
| 292 | | | transport_info.media_type=NULL; |
| 293 | | | for (n=0; n < SDP_NO_OF_PT; n++){ |
Event 1:
The loop is executed one or more times.
hide
|
|
| 294 | | | transport_info.encoding_name[n]=NULL; |
| 295 | | | } |
| 296 | | | for (n=0; n < SDP_MAX_RTP_CHANNELS; n++) |
| 297 | | | { |
| 298 | | | transport_info.media_port[n]=NULL; |
| 299 | | | transport_info.media_proto[n]=NULL; |
| 300 | | | transport_info.media[n].pt_count = 0; |
| 301 | | | transport_info.media[n].rtp_dyn_payload = |
| 302 | | | g_hash_table_new_full( g_int_hash, g_int_equal, g_free, g_free); |
| 303 | | | } |
| 304 | | | transport_info.media_count = 0; |
| 305 | | | |
| 306 | | | |
| 307 | | | |
| 308 | | | |
| 309 | | | |
| 310 | | | |
| 311 | | | |
| 312 | | | |
| 313 | | | |
| 314 | | | |
| 315 | | | |
| 316 | | | |
| 317 | | | |
| 318 | | | |
| 319 | | | |
| 320 | [+] | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) |
 |
| 321 | | | col_append_str(pinfo->cinfo, COL_PROTOCOL, "/SDP"); |
| 322 | | | |
| 323 | [+] | | if (check_col(pinfo->cinfo, COL_INFO)) { |
 |
| 324 | | | |
| 325 | | | col_append_str(pinfo->cinfo, COL_INFO, ", with session description"); |
| 326 | | | } |
| 327 | | | |
| 328 | | | ti = proto_tree_add_item(tree, proto_sdp, tvb, offset, -1, FALSE); |
| 329 | | | sdp_tree = proto_item_add_subtree(ti, ett_sdp); |
| 330 | | | |
| 331 | | | |
| 332 | | | |
| 333 | | | |
| 334 | | | in_media_description = FALSE; |
| 335 | | | |
| 336 | [+] | | while (tvb_reported_length_remaining(tvb, offset) > 0) { |
 |
| 337 | | | |
| 338 | | | |
| 339 | | | |
| 340 | | | linelen = tvb_find_line_end_unquoted(tvb, offset, -1, &next_offset); |
| 341 | | | |
| 342 | | | |
| 343 | | | |
| 344 | | | |
| 345 | | | |
| 346 | | | |
| 347 | | | if (linelen < 2) |
| 348 | | | break; |
| 349 | | | |
| 350 | | | type = tvb_get_guint8(tvb,offset); |
| 351 | | | delim = tvb_get_guint8(tvb,offset + 1); |
| 352 | | | if (delim != '=') { |
| 353 | | | proto_item *ti = proto_tree_add_item(sdp_tree, hf_invalid, tvb, offset, linelen, FALSE); |
| 354 | | | expert_add_info_format(pinfo, ti, PI_MALFORMED, PI_NOTE, |
| 355 | | | "Invalid SDP line (no '=' delimiter)"); |
| 356 | | | offset = next_offset; |
| 357 | | | continue; |
| 358 | | | } |
| 359 | | | |
| 360 | | | |
| 361 | | | |
| 362 | | | |
| 363 | | | switch (type) { |
| 364 | | | case 'v': |
| 365 | | | hf = hf_protocol_version; |
| 366 | | | break; |
| 367 | | | case 'o': |
| 368 | | | hf = hf_owner; |
| 369 | | | break; |
| 370 | | | case 's': |
| 371 | | | hf = hf_session_name; |
| 372 | | | break; |
| 373 | | | case 'i': |
| 374 | | | if (in_media_description) { |
| 375 | | | hf = hf_media_title; |
| 376 | | | } |
| 377 | | | else{ |
| 378 | | | hf = hf_session_info; |
| 379 | | | } |
| 380 | | | break; |
| 381 | | | case 'u': |
| 382 | | | hf = hf_uri; |
| 383 | | | break; |
| 384 | | | case 'e': |
| 385 | | | hf = hf_email; |
| 386 | | | break; |
| 387 | | | case 'p': |
| 388 | | | hf = hf_phone; |
| 389 | | | break; |
| 390 | | | case 'c': |
| 391 | | | hf = hf_connection_info; |
| 392 | | | break; |
| 393 | | | case 'b': |
| 394 | | | hf = hf_bandwidth; |
| 395 | | | break; |
| 396 | | | case 't': |
| 397 | | | hf = hf_time; |
| 398 | | | break; |
| 399 | | | case 'r': |
| 400 | | | hf = hf_repeat_time; |
| 401 | | | break; |
| 402 | | | case 'm': |
| 403 | | | hf = hf_media; |
| 404 | | | in_media_description = TRUE; |
| 405 | | | break; |
| 406 | | | case 'k': |
| 407 | | | hf = hf_encryption_key; |
| 408 | | | break; |
| 409 | | | case 'a': |
| 410 | | | if (in_media_description) { |
| 411 | | | hf = hf_media_attribute; |
| 412 | | | } |
| 413 | | | else{ |
| 414 | | | hf = hf_session_attribute; |
| 415 | | | } |
| 416 | | | break; |
| 417 | | | case 'z': |
| 418 | | | hf = hf_timezone; |
| 419 | | | break; |
| 420 | | | default: |
| 421 | | | hf = hf_unknown; |
| 422 | | | break; |
| 423 | | | } |
| 424 | | | tokenoffset = 2; |
| 425 | | | if (hf == hf_unknown) |
| 426 | | | tokenoffset = 0; |
| 427 | | | string = (char*)tvb_get_ephemeral_string(tvb, offset + tokenoffset, |
| 428 | | | linelen - tokenoffset); |
| 429 | | | sub_ti = proto_tree_add_string(sdp_tree, hf, tvb, offset, linelen, |
| 430 | | | string); |
| 431 | | | call_sdp_subdissector(tvb_new_subset(tvb,offset+tokenoffset, |
| 432 | | | linelen-tokenoffset, |
| 433 | | | linelen-tokenoffset), |
| 434 | | | pinfo, |
| 435 | | | hf,sub_ti,&transport_info), |
| 436 | | | offset = next_offset; |
| 437 | | | } |
| 438 | | | |
| 439 | | | |
| 440 | | | |
| 441 | | | |
| 442 | | | |
| 443 | | | |
| 444 | | | |
| 445 | | | |
| 446 | | | for (n = 0; n < transport_info.media_count; n++) |
Event 13:
Continuing from loop body. Entering loop body. n < transport_info.media_count evaluates to true.
hide
|
|
| 447 | | | { |
| 448 | | | if(transport_info.media_port[n]!=NULL) { |
Event 14:
Taking true branch. transport_info.media_port[n] != (void *)0 evaluates to true.
hide
|
|
| 449 | | | port = atol(transport_info.media_port[n]); |
Event 15:
atol() returns a potentially dangerous value [ ?potentially dangerous: the value cannot be determined and may come from program input]. - Determines the value that is cast in the Cast Alters Value warning later.
hide
Event 16:
port is set to atol(...). See related event 15.
hide
|
|
| 450 | | | } |
| 451 | | | if(transport_info.media_proto[n]!=NULL) { |
Event 17:
Skipping " if". transport_info.media_proto[n] != (void *)0 evaluates to false.
hide
|
|
| 452 | | | |
| 453 | | | |
| 454 | | | |
| 455 | | | if(global_sdp_establish_conversation){ |
| 456 | | | |
| 457 | | | is_rtp = (strcmp(transport_info.media_proto[n],"RTP/AVP")==0); |
| 458 | | | |
| 459 | | | is_srtp = (strcmp(transport_info.media_proto[n],"RTP/SAVP")==0); |
| 460 | | | |
| 461 | | | is_t38 = ( (strcmp(transport_info.media_proto[n],"UDPTL")==0) || |
| 462 | | | (strcmp(transport_info.media_proto[n],"udptl")==0) ); |
| 463 | | | |
| 464 | | | is_msrp = (strcmp(transport_info.media_proto[n],"msrp/tcp")==0); |
| 465 | | | } |
| 466 | | | } |
| 467 | | | |
| 468 | | | |
| 469 | | | if(transport_info.connection_address!=NULL) { |
Event 18:
Skipping " if". transport_info.connection_address != (void *)0 evaluates to false.
hide
|
|
| 470 | | | if(transport_info.connection_type!=NULL) { |
| 471 | | | if (strcmp(transport_info.connection_type,"IP4")==0) { |
| 472 | | | if(inet_pton(AF_INET,transport_info.connection_address, &ipaddr)==1 ) {
x /usr/include/bits/socket.h |
| |
78 | #define PF_INET 2 /* IP protocol family. */ |
| |
|
| 473 | | | |
| 474 | | | is_ipv4_addr=TRUE; |
| 475 | | | src_addr.type=AT_IPv4; |
| 476 | | | src_addr.len=4; |
| 477 | | | } |
| 478 | | | } |
| 479 | | | else if (strcmp(transport_info.connection_type,"IP6")==0){ |
| 480 | | | if (inet_pton(AF_INET6, transport_info.connection_address, &ipaddr)==1){
x /usr/include/bits/socket.h |
| |
86 | #define PF_INET6 10 /* IP version 6. */ |
| |
|
| 481 | | | |
| 482 | | | is_ipv6_addr=TRUE; |
| 483 | | | src_addr.type=AT_IPv6; |
| 484 | | | src_addr.len=16; |
| 485 | | | } |
| 486 | | | } |
| 487 | | | } |
| 488 | | | } |
| 489 | | | if (strcmp(transport_info.media_type,"video")==0){ |
Event 19:
Skipping " if". strcmp(...) == 0 evaluates to false.
hide
|
|
| 490 | | | is_video = TRUE; |
| 491 | | | } |
| 492 | | | set_rtp = FALSE; |
| 493 | | | |
| 494 | | | if((!pinfo->fd->flags.visited) && port!=0 && (is_rtp||is_srtp) && (is_ipv4_addr || is_ipv6_addr)){ |
| 495 | | | src_addr.data=(guint8*)&ipaddr; |
| 496 | | | if(rtp_handle){ |
Event 21:
Skipping " if". rtp_handle evaluates to false.
hide
|
|
| 497 | | | if (is_srtp) { |
| 498 | | | struct srtp_info *dummy_srtp_info = se_alloc0(sizeof(struct srtp_info)); |
| 499 | | | srtp_add_address(pinfo, &src_addr, port, 0, "SDP", pinfo->fd->num, is_video, |
| 500 | | | transport_info.media[n].rtp_dyn_payload, dummy_srtp_info); |
| 501 | | | } else { |
| 502 | | | rtp_add_address(pinfo, &src_addr, port, 0, "SDP", pinfo->fd->num, is_video, |
| 503 | | | transport_info.media[n].rtp_dyn_payload); |
| 504 | | | } |
| 505 | | | set_rtp = TRUE; |
| 506 | | | } |
| 507 | | | if(rtcp_handle){ |
Event 22:
Taking true branch. rtcp_handle evaluates to true.
hide
|
|
| 508 | | | port++; |
Event 23:
port is set to port + 1, which evaluates to atol(...) + 1 from packet-sdp.c:449. See related event 16.
hide
|
|
| 509 | [+] | | rtcp_add_address(pinfo, &src_addr, port, 0, "SDP", pinfo->fd->num); |
Event 24:
port, which evaluates to atol(...) + 1 from packet-sdp.c:449, is passed to rtcp_add_address() as the third argument. See related event 23.
hide
|
|
 |
| 510 | | | } |
| 511 | | | } |
| 512 | | | |
| 513 | | | |
| 514 | | | if((!pinfo->fd->flags.visited) && port!=0 && !set_rtp && is_t38 && is_ipv4_addr){ |
| 515 | | | src_addr.data=(guint8*)&ipaddr; |
| 516 | | | if(t38_handle){ |
| 517 | | | t38_add_address(pinfo, &src_addr, port, 0, "SDP", pinfo->fd->num); |
| 518 | | | } |
| 519 | | | } |
| 520 | | | |
| 521 | | | |
| 522 | | | |
| 523 | | | if (is_msrp ){ |
| 524 | | | if ((!pinfo->fd->flags.visited) && msrp_transport_address_set){ |
| 525 | | | if(msrp_handle){ |
| 526 | | | src_addr.type=AT_IPv4; |
| 527 | | | src_addr.len=4; |
| 528 | | | src_addr.data=(guint8*)&msrp_ipaddr; |
| 529 | | | msrp_add_address(pinfo, &src_addr, msrp_port_number, "SDP", pinfo->fd->num); |
| 530 | | | } |
| 531 | | | } |
| 532 | | | } |
| 533 | | | |
| 534 | | | |
| 535 | | | for (i = 0; i < transport_info.media[n].pt_count; i++) |
| 536 | | | { |
| 537 | | | |
| 538 | | | if ( (transport_info.media[n].pt[i] >=96) && (transport_info.media[n].pt[i] <=127) ) { |
| 539 | | | gchar *str_dyn_pt = g_hash_table_lookup(transport_info.media[n].rtp_dyn_payload, &transport_info.media[n].pt[i]); |
| 540 | | | if (str_dyn_pt) |
| 541 | | | g_snprintf(sdp_pi->summary_str, 50, "%s %s", sdp_pi->summary_str, str_dyn_pt); |
| 542 | | | else |
| 543 | | | g_snprintf(sdp_pi->summary_str, 50, "%s %d", sdp_pi->summary_str, transport_info.media[n].pt[i]); |
| 544 | | | } else |
| 545 | | | g_snprintf(sdp_pi->summary_str, 50, "%s %s", sdp_pi->summary_str, val_to_str(transport_info.media[n].pt[i], rtp_payload_type_short_vals, "%u")); |
| 546 | | | } |
| 547 | | | |
| 548 | | | |
| 549 | | | if (set_rtp == FALSE) |
| 550 | | | rtp_free_hash_dyn_payload(transport_info.media[n].rtp_dyn_payload); |
| 551 | | | |
| 552 | | | |
| 553 | | | if (is_t38) g_snprintf(sdp_pi->summary_str, 50, "%s t38", sdp_pi->summary_str); |
| |