(/home/sate/Testcases/c/cve/wireshark-1.2.0/plugins/profinet/packet-dcom-cba-acco.c) |
| |
| 3389 | | | dissect_ICBAAccoServer2_GetConnectionData_resp(tvbuff_t *tvb, int offset, |
| 3390 | | | packet_info *pinfo, proto_tree *tree, guint8 *drep) |
| 3391 | | | { |
| 3392 | | | guint32 u32Length; |
| 3393 | | | guint32 u32ArraySize; |
| 3394 | | | tvbuff_t *next_tvb; |
| 3395 | | | guint32 u32Pointer; |
| 3396 | | | guint32 u32HResult; |
| 3397 | | | proto_item *item; |
| 3398 | | | dcerpc_info *info = (dcerpc_info *)pinfo->private_data; |
| 3399 | | | cba_ldev_t **call = info->call_data->private_data; |
| 3400 | | | cba_ldev_t *cons_ldev = (call!=NULL) ? *call : NULL; |
Event 1:
call != (void *)0 evaluates to true.
|
|
| 3401 | | | |
| 3402 | | | |
| 3403 | | | offset = dissect_dcom_that(tvb, offset, pinfo, tree, drep); |
| 3404 | | | |
| 3405 | | | if(cons_ldev == NULL) { |
Event 3:
Skipping " if". cons_ldev == (void *)0 evaluates to false.
|
|
| 3406 | | | expert_add_info_format(pinfo, NULL, PI_UNDECODED, PI_NOTE, |
| 3407 | | | "No request info, response data ignored"); |
| 3408 | | | } |
| 3409 | | | |
| 3410 | | | item = proto_tree_add_boolean (tree, hf_cba_acco_dcom_call, tvb, offset, 0, FALSE); |
| 3411 | | | PROTO_ITEM_SET_GENERATED(item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
325 | #define PROTO_ITEM_SET_GENERATED(proto_item) \ |
326 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_GENERATED) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
Event 4:
item evaluates to false.
|
|
| 3412 | | | pinfo->profinet_type = 1; |
| 3413 | | | |
| 3414 | | | |
| 3415 | | | offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, drep, |
| 3416 | | | hf_cba_acco_cb_length, &u32Length); |
| 3417 | | | |
| 3418 | | | offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, drep, |
| 3419 | | | &u32Pointer); |
| 3420 | | | if (u32Pointer) { |
Event 5:
Taking true branch. u32Pointer evaluates to true.
|
|
| 3421 | | | |
| 3422 | | | offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, drep, |
| 3423 | | | &u32ArraySize); |
| 3424 | | | |
| 3425 | | | |
| 3426 | | | |
| 3427 | | | next_tvb = tvb_new_subset(tvb, offset, -1, -1); |
| 3428 | | | |
| 3429 | | | offset += dissect_CBA_Connection_Data(next_tvb, pinfo, tree, (call != NULL) ? *call : NULL, NULL ); |
Null Test After Dereference
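This code tests whether call is null, although call has already been dereferenced on this path.
- If call were null, there would have been a prior null pointer dereference at packet-dcom-cba-acco.c:3400, and potentially at other locations as well.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test.
In this listing the dereference at line 3400 is itself guarded (`(call!=NULL) ? *call : NULL`), so the first alternative applies: the test at line 3429 is redundant and recomputes the value already stored in cons_ldev. The dereferences that are not guarded in this listing are those of info and info->call_data at line 3399; whether either can be null is not shown here.
The issue can occur if the highlighted code executes. See related event 2.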
|
| 3430 | | | |
| 3431 | | | |
| 3432 | | | |
| 3433 | | | } |
| 3434 | | | |
| 3435 | | | offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, drep, |
| 3436 | | | &u32HResult); |
| 3437 | | | |
| 3438 | | | |
| 3439 | | | if (check_col(pinfo->cinfo, COL_INFO)) { |
| 3440 | | | col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s", |
| 3441 | | | val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)") ); |
| 3442 | | | } |
| 3443 | | | |
| 3444 | | | return offset; |
| 3445 | | | } |
| |