(/home/sate/Testcases/c/cve/wireshark-1.2.0/plugins/wimax/packet-wmx.c) |
| |
| 728 | | | proto_tree *add_protocol_subtree(tlv_info_t *this, gint idx, proto_tree *tree, int hfindex, tvbuff_t *tvb, gint start, gint length, const char *format, ...) |
| 729 | | | { |
| 730 | | | |
| 731 | | | proto_tree *tlv_tree; |
| 732 | | | proto_item *tlv_item; |
| 733 | | | guint start_of_tlv; |
| 734 | | | gint tlv_value_length, tlv_val_offset; |
| 735 | | | guint8 size_of_tlv_length_field; |
| 736 | | | guint8 tlv_type; |
| 737 | | | guint32 tlv_value; |
| 738 | | | va_list ap; |
| 739 | | | gchar *message = NULL; |
| 740 | | | gchar *hex_fmt; |
| 741 | | | |
| 742 | | | |
| 743 | | | tlv_val_offset = get_tlv_value_offset(this); |
| 744 | | | start_of_tlv = start - tlv_val_offset; |
| 745 | | | tlv_value_length = get_tlv_length(this); |
| 746 | | | size_of_tlv_length_field = get_tlv_size_of_length(this); |
| 747 | [+] | | tlv_type = get_tlv_type(this); |
 |
| 748 | | | |
| 749 | | | |
| 750 | | | va_start(ap, format);
x /home/sate/codesonar-3.7p0/csurf/csinclude/stdarg.h |
| |
43 | #hard_define va_start(x, n) (*(char**)&(x) = (char*)(&__builtin_va_alist)) |
| |
|
| 751 | | | message = se_strdup_vprintf(format, ap); |
| 752 | | | va_end(ap); |
| 753 | | | tlv_item = proto_tree_add_protocol_format(tree, hfindex, tvb, start, length, "%s", message); |
| 754 | | | |
| 755 | | | tlv_item->finfo->start -= tlv_val_offset; |
| 756 | | | tlv_item->finfo->length += tlv_val_offset; |
| 757 | | | |
| 758 | | | tlv_tree = proto_item_add_subtree(tlv_item, *ett_tlv[tlv_type]); |
Buffer Underrun
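This code reads before the beginning of the buffer ett_tlv.
- The first underrun byte is at offset -4 from the beginning of the object.
- The underrun occurs in global memory.
The issue can occur if the highlighted code (line 747, where tlv_type is assigned from get_tlv_type(this)) executes. See related event 3.
Triage note: tlv_type is declared guint8 (line 736), so the subscript ett_tlv[tlv_type] at line 758 cannot be negative as written. The reported offset of -4 presumably reflects a negative return value from get_tlv_type() before it is narrowed to guint8; that path is described in related event 3, which is not shown here. Before treating the underrun as reachable, check the declared size of ett_tlv and what get_tlv_type() returns for an invalid TLV. Even if the read stays in bounds, an error return narrowed to guint8 would silently select an unrelated ett_tlv entry, so the return value should be validated before it is used as an index.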
|
| |