(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-rtps.c) |
| |
| 5557 | | | static gboolean dissect_rtps(tvbuff_t *tvb, |
| 5558 | | | packet_info *pinfo, |
| 5559 | | | proto_tree *tree) { |
| 5560 | | | proto_item *ti = NULL; |
| 5561 | | | proto_tree *rtps_tree=NULL; |
| 5562 | | | gint offset = 0; |
| 5563 | | | proto_tree *rtps_submessage_tree; |
| 5564 | | | guint8 submessageId; |
| 5565 | | | guint8 flags; |
| 5566 | | | gboolean little_endian; |
| 5567 | | | gboolean is_ping = FALSE; |
| 5568 | | | gint next_submsg, ; |
| 5569 | | | struct SMCounterRecord *smcr_head = NULL; |
| 5570 | | | struct SMCounterRecord *smcr_last = NULL; |
| 5571 | | | const gboolean is_tcp = (pinfo->ptype == PT_TCP); |
Event 1:
pinfo->ptype == PT_TCP evaluates to false.
|
|
| 5572 | | | const char * = NULL; |
| 5573 | | | |
| 5574 | | | if (is_tcp) { |
Event 2:
Skipping " if". is_tcp evaluates to false.
|
|
| 5575 | | | |
| 5576 | | | |
| 5577 | | | |
| 5578 | | | |
| 5579 | | | offset = 4; |
| 5580 | | | } |
| 5581 | | | |
| 5582 | | | |
| 5583 | | | |
| 5584 | | | |
| 5585 | | | if (!tvb_bytes_exist(tvb, offset, 16)) return FALSE; |
Event 3:
Skipping " if". tvb_bytes_exist(...) evaluates to true.
|
|
| 5586 | | | if (tvb_get_guint8(tvb,offset) != 'R') return FALSE; |
Event 4:
Skipping " if". tvb_get_guint8(...) != 82 evaluates to false.
|
|
| 5587 | | | if (tvb_get_guint8(tvb,offset+1) != 'T') return FALSE; |
Event 5:
Skipping " if". tvb_get_guint8(...) != 84 evaluates to false.
|
|
| 5588 | | | if (tvb_get_guint8(tvb,offset+2) != 'P') return FALSE; |
Event 6:
Skipping " if". tvb_get_guint8(...) != 80 evaluates to false.
|
|
| 5589 | | | if (tvb_get_guint8(tvb,offset+3) != 'S') return FALSE; |
Event 7:
Skipping " if". tvb_get_guint8(...) != 83 evaluates to false.
|
|
| 5590 | | | |
| 5591 | | | if (tvb_get_guint8(tvb,offset+4) != 1) return FALSE; |
Event 8:
Skipping " if". tvb_get_guint8(...) != 1 evaluates to false.
|
|
| 5592 | | | |
| 5593 | | | |
| 5594 | | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) { |
Event 9:
Skipping " if". check_col(...) evaluates to false.
|
|
| 5595 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, "RTPS"); |
| 5596 | | | } |
| 5597 | | | |
| 5598 | | | if (check_col(pinfo->cinfo, COL_INFO)) { |
Event 10:
Skipping " if". check_col(...) evaluates to false.
|
|
| 5599 | | | col_clear(pinfo->cinfo, COL_INFO); |
| 5600 | | | } |
| 5601 | | | |
| 5602 | | | |
| 5603 | | | if (tree) { |
Event 11:
Taking true branch. tree evaluates to true.
|
|
| 5604 | | | guint8 nddsPing[8]; |
| 5605 | | | |
| 5606 | | | ti = proto_tree_add_item(tree, proto_rtps, tvb, 0, -1, FALSE); |
| 5607 | | | rtps_tree = proto_item_add_subtree(ti, ett_rtps); |
| 5608 | | | |
| 5609 | | | |
| 5610 | | | rtps_util_add_protocol_version(rtps_tree, tvb, offset+4); |
| 5611 | | | |
| 5612 | | | |
| 5613 | | | rtps_util_add_vendor_id(rtps_tree, tvb, offset+6, NULL, 0); |
| 5614 | | | |
| 5615 | | | tvb_memcpy(tvb, nddsPing, offset+8, 8); |
| 5616 | | | if (nddsPing[0] == 'N' && |
| 5617 | | | nddsPing[1] == 'D' && |
| 5618 | | | nddsPing[2] == 'D' && |
| 5619 | | | nddsPing[3] == 'S' && |
| 5620 | | | nddsPing[4] == 'P' && |
| 5621 | | | nddsPing[5] == 'I' && |
| 5622 | | | nddsPing[6] == 'N' && |
| 5623 | | | nddsPing[7] == 'G') { |
| 5624 | | | is_ping = TRUE; |
Event 13:
!0 evaluates to true.
|
|
| 5625 | | | } |
| 5626 | | | |
| 5627 | | | if (!is_ping) { |
Event 14:
Skipping " if". is_ping evaluates to true.
|
|
| 5628 | | | rtps_util_add_guid_prefix(rtps_tree, |
| 5629 | | | tvb, |
| 5630 | | | offset+8, |
| 5631 | | | hf_rtps_guid_prefix, |
| 5632 | | | hf_rtps_host_id, |
| 5633 | | | hf_rtps_app_id, |
| 5634 | | | hf_rtps_app_id_instance_id, |
| 5635 | | | hf_rtps_app_id_app_kind, |
| 5636 | | | NULL, |
| 5637 | | | NULL, |
| 5638 | | | 0); |
| 5639 | | | } |
| 5640 | | | } |
| 5641 | | | |
| 5642 | | | |
| 5643 | | | { |
| 5644 | | | int domain_id; |
| 5645 | | | int participant_idx; |
| 5646 | | | int nature; |
| 5647 | | | proto_item *ti; |
| 5648 | | | proto_tree *mapping_tree; |
| 5649 | | | |
| 5650 | | | domain_id = ((pinfo->destport - PORT_BASE)/10) % 100; |
| 5651 | | | participant_idx = (pinfo->destport - PORT_BASE) / 1000; |
| 5652 | | | nature = (pinfo->destport % 10); |
| 5653 | | | |
| 5654 | | | ti = proto_tree_add_text(rtps_tree, |
| 5655 | | | tvb, |
| 5656 | | | 0, |
| 5657 | | | 4, |
| 5658 | | | "Default port mapping: domainId=%d, " |
| 5659 | | | "participantIdx=%d, nature=%s", |
| 5660 | | | domain_id, |
| 5661 | | | participant_idx, |
| 5662 | | | val_to_str(nature, nature_type_vals, "%02x")); |
| 5663 | | | |
| 5664 | | | mapping_tree = proto_item_add_subtree(ti, ett_rtps_default_mapping); |
| 5665 | | | proto_tree_add_uint(mapping_tree, |
| 5666 | | | hf_rtps_domain_id, |
| 5667 | | | tvb, |
| 5668 | | | 0, |
| 5669 | | | 4, |
| 5670 | | | domain_id); |
| 5671 | | | proto_tree_add_uint(mapping_tree, |
| 5672 | | | hf_rtps_participant_idx, |
| 5673 | | | tvb, |
| 5674 | | | 0, |
| 5675 | | | 4, |
| 5676 | | | participant_idx); |
| 5677 | | | proto_tree_add_uint(mapping_tree, |
| 5678 | | | hf_rtps_nature_type, |
| 5679 | | | tvb, |
| 5680 | | | 0, |
| 5681 | | | 4, |
| 5682 | | | nature); |
| 5683 | | | |
| 5684 | | | } |
| 5685 | | | |
| 5686 | | | |
| 5687 | | | offset=16; |
| 5688 | | | |
| 5689 | | | while (tvb_reported_length_remaining(tvb, offset) > 0) { |
| 5690 | | | = NULL; |
| 5691 | | | submessageId = tvb_get_guint8(tvb, offset); |
| 5692 | | | |
| 5693 | | | |
| 5694 | | | if (submessageId & 0x80) { |
| 5695 | | | ti = proto_tree_add_text(rtps_tree, |
| 5696 | | | tvb, |
| 5697 | | | offset, |
| 5698 | | | -1, |
| 5699 | | | "Submessage: %s", |
| 5700 | | | val_to_str(submessageId, submessage_id_vals, |
| 5701 | | | "Vendor-specific (0x%02x)")); |
| 5702 | | | } else { |
| 5703 | | | ti = proto_tree_add_text(rtps_tree, |
| 5704 | | | tvb, |
| 5705 | | | offset, |
| 5706 | | | -1, |
| 5707 | | | "Submessage: %s", |
| 5708 | | | val_to_str(submessageId, submessage_id_vals, |
| 5709 | | | "Unknown (0x%02x)")); |
| 5710 | | | } |
| 5711 | | | rtps_submessage_tree = proto_item_add_subtree(ti, ett_rtps_submessage); |
| 5712 | | | |
| 5713 | | | |
| 5714 | | | if (submessageId & 0x80) { |
| 5715 | | | proto_tree_add_uint_format(rtps_submessage_tree, |
| 5716 | | | hf_rtps_sm_id, |
| 5717 | | | tvb, |
| 5718 | | | offset, |
| 5719 | | | 1, |
| 5720 | | | submessageId, |
| 5721 | | | "submessageId: Vendor-specific (0x%02x)", |
| 5722 | | | submessageId); |
| 5723 | | | } else { |
| 5724 | | | proto_tree_add_uint(rtps_submessage_tree, hf_rtps_sm_id, |
| 5725 | | | tvb, offset, 1, submessageId); |
| 5726 | | | } |
| 5727 | | | |
| 5728 | | | |
| 5729 | | | flags = tvb_get_guint8(tvb, offset + 1); |
| 5730 | | | |
| 5731 | | | |
| 5732 | | | little_endian = ((flags & FLAG_E) != 0); |
| 5733 | | | |
| 5734 | | | |
| 5735 | | | = NEXT_guint16(tvb, offset + 2, little_endian);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-rtps.c |
| |
663 | #define NEXT_guint16(tvb, offset, le) \ |
664 | (le ? tvb_get_letohs(tvb, offset) : tvb_get_ntohs(tvb, offset)) |
| |
|
| 5736 | | | next_submsg = offset + + 4; |
| 5737 | | | |
| 5738 | | | |
| 5739 | | | proto_item_set_len(ti, + 4); |
| 5740 | | | |
| 5741 | | | |
| 5742 | | | |
| 5743 | | | |
| 5744 | | | |
| 5745 | | | |
| 5746 | | | |
| 5747 | | | |
| 5748 | | | switch (submessageId) |
| 5749 | | | { |
| 5750 | | | case PAD: |
| 5751 | | | if (tree) { |
| 5752 | | | dissect_PAD(tvb, |
| 5753 | | | offset, |
| 5754 | | | flags, |
| 5755 | | | little_endian, |
| 5756 | | | , |
| 5757 | | | rtps_submessage_tree); |
| 5758 | | | } |
| 5759 | | | break; |
| 5760 | | | |
| 5761 | | | case DATA: |
| 5762 | | | if (tree) { |
| 5763 | | | dissect_DATA(tvb, |
| 5764 | | | offset, |
| 5765 | | | flags, |
| 5766 | | | little_endian, |
| 5767 | | | , |
| 5768 | | | rtps_submessage_tree, |
| 5769 | | | &); |
| 5770 | | | } |
| 5771 | | | break; |
| 5772 | | | |
| 5773 | | | case NOKEY_DATA: |
| 5774 | | | if (tree) { |
| 5775 | | | dissect_NOKEY_DATA(tvb, |
| 5776 | | | offset, |
| 5777 | | | flags, |
| 5778 | | | little_endian, |
| 5779 | | | , |
| 5780 | | | rtps_submessage_tree); |
| 5781 | | | } |
| 5782 | | | break; |
| 5783 | | | |
| 5784 | | | case ACKNACK: |
| 5785 | | | if (tree) { |
| 5786 | | | dissect_ACKNACK(tvb, |
| 5787 | | | offset, |
| 5788 | | | flags, |
| 5789 | | | little_endian, |
| 5790 | | | , |
| 5791 | | | rtps_submessage_tree); |
| 5792 | | | } |
| 5793 | | | break; |
| 5794 | | | |
| 5795 | | | case HEARTBEAT: |
| 5796 | | | if (tree) { |
| 5797 | | | dissect_HEARTBEAT(tvb, |
| 5798 | | | offset, |
| 5799 | | | flags, |
| 5800 | | | little_endian, |
| 5801 | | | , |
| 5802 | | | rtps_submessage_tree); |
| 5803 | | | } |
| 5804 | | | break; |
| 5805 | | | |
| 5806 | | | case GAP: |
| 5807 | | | if (tree) { |
| 5808 | | | dissect_GAP(tvb, |
| 5809 | | | offset, |
| 5810 | | | flags, |
| 5811 | | | little_endian, |
| 5812 | | | , |
| 5813 | | | rtps_submessage_tree); |
| 5814 | | | } |
| 5815 | | | break; |
| 5816 | | | |
| 5817 | | | case INFO_TS: |
| 5818 | | | if (tree) { |
| 5819 | | | dissect_INFO_TS(tvb, |
| 5820 | | | offset, |
| 5821 | | | flags, |
| 5822 | | | little_endian, |
| 5823 | | | , |
| 5824 | | | rtps_submessage_tree); |
| 5825 | | | } |
| 5826 | | | break; |
| 5827 | | | |
| 5828 | | | case INFO_SRC: |
| 5829 | | | if (tree) { |
| 5830 | | | dissect_INFO_SRC(tvb, |
| 5831 | | | offset, |
| 5832 | | | flags, |
| 5833 | | | little_endian, |
| 5834 | | | , |
| 5835 | | | rtps_submessage_tree); |
| 5836 | | | } |
| 5837 | | | break; |
| 5838 | | | |
| 5839 | | | case INFO_REPLY_IP4: |
| 5840 | | | if (tree) { |
| 5841 | | | dissect_INFO_REPLY_IP4(tvb, |
| 5842 | | | offset, |
| 5843 | | | flags, |
| 5844 | | | little_endian, |
| 5845 | | | , |
| 5846 | | | rtps_submessage_tree); |
| 5847 | | | } |
| 5848 | | | break; |
| 5849 | | | |
| 5850 | | | case INFO_DST: |
| 5851 | | | if (tree) { |
| 5852 | | | dissect_INFO_DST(tvb, |
| 5853 | | | offset, |
| 5854 | | | flags, |
| 5855 | | | little_endian, |
| 5856 | | | , |
| 5857 | | | rtps_submessage_tree); |
| 5858 | | | } |
| 5859 | | | break; |
| 5860 | | | |
| 5861 | | | case INFO_REPLY: |
| 5862 | | | if (tree) { |
| 5863 | | | dissect_INFO_REPLY(tvb, |
| 5864 | | | offset, |
| 5865 | | | flags, |
| 5866 | | | little_endian, |
| 5867 | | | , |
| 5868 | | | rtps_submessage_tree); |
| 5869 | | | } |
| 5870 | | | break; |
| 5871 | | | |
| 5872 | | | default: |
| 5873 | | | if (tree) { |
| 5874 | | | proto_tree_add_uint(rtps_submessage_tree, hf_rtps_sm_flags, |
| 5875 | | | tvb, offset + 1, 1, flags); |
| 5876 | | | proto_tree_add_uint(rtps_submessage_tree, |
| 5877 | | | , |
| 5878 | | | tvb, offset + 2, 2, next_submsg); |
| 5879 | | | } |
| 5880 | | | break; |
| 5881 | | | } |
| 5882 | | | |
| 5883 | | | |
| 5884 | | | smcr_last = sm_counter_add(smcr_last, submessageId, ); |
| 5885 | | | if (smcr_head == NULL) { |
| 5886 | | | smcr_head = smcr_last; |
| 5887 | | | } |
| 5888 | | | |
| 5889 | | | |
| 5890 | | | offset = next_submsg; |
| 5891 | | | } |
| 5892 | | | |
| 5893 | | | |
| 5894 | | | if ((pinfo != NULL) && (pinfo->cinfo != NULL) && |
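Null Test After Dereference
This code tests whether pinfo is null, but pinfo has already been dereferenced.
- If pinfo were null, there would have been a prior null pointer dereference at packet-rtps.c:5652, and potentially at other locations as well. In this listing pinfo is also dereferenced unconditionally at lines 5571 (pinfo->ptype) and 5650-5651 (pinfo->destport), so the test at line 5894 comes too late to protect any of them.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test. Which applies depends on whether a caller can ever pass a null pinfo: if it cannot, the late test only suggests a guarantee the function does not provide; if it can, the check belongs before the first dereference, at function entry.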
The issue can occur if the highlighted code executes. See related event 15.
|
| 5895 | | | (check_col(pinfo->cinfo, COL_INFO))) { |
| 5896 | | | emem_strbuf_t *info_buf = ep_strbuf_new_label(NULL); |
| 5897 | | | struct SMCounterRecord *smcr_ptr = smcr_head; |
| 5898 | | | |
| 5899 | | | |
| 5900 | | | if (is_ping) { |
| 5901 | | | ep_strbuf_append(info_buf, "PING"); |
| 5902 | | | } else { |
| 5903 | | | |
| 5904 | | | while (smcr_ptr != NULL) { |
| 5905 | | | if (info_buf->len > 0) { |
| 5906 | | | ep_strbuf_append(info_buf, ", "); |
| 5907 | | | } |
| 5908 | | | |
| 5909 | | | |
| 5910 | | | |
| 5911 | | | |
| 5912 | | | |
| 5913 | | | |
| 5914 | | | |
| 5915 | | | |
| 5916 | | | |
| 5917 | | | ep_strbuf_append_printf(info_buf, "%s%s", |
| 5918 | | | val_to_str(smcr_ptr->id, |
| 5919 | | | submessage_id_vals, |
| 5920 | | | "Unknown[%02x]"), |
| 5921 | | | smcr_ptr-> ? smcr_ptr-> : ""); |
| 5922 | | | |
| 5923 | | | |
| 5924 | | | |
| 5925 | | | |
| 5926 | | | smcr_ptr = smcr_ptr->next; |
| 5927 | | | } |
| 5928 | | | } |
| 5929 | | | col_add_str(pinfo->cinfo, COL_INFO, info_buf->str); |
| 5930 | | | } |
| 5931 | | | sm_counter_free(smcr_head); |
| 5932 | | | |
| 5933 | | | |
| 5934 | | | |
| 5935 | | | return TRUE; |
| 5936 | | | |
| 5937 | | | } |
| |