(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-rtsp.c) |
| |
| 334 | | | rtsp_create_conversation(packet_info *pinfo, const guchar *line_begin, |
| 335 | | | size_t line_len, gint rdt_feature_level) |
| 336 | | | { |
| 337 | | | conversation_t *conv; |
| 338 | | | guchar buf[256]; |
| 339 | | | guchar *tmp; |
| 340 | | | gboolean rtp_transport = FALSE; |
| 341 | | | gboolean rdt_transport = FALSE; |
| 342 | | | guint c_data_port, c_mon_port; |
| 343 | | | guint s_data_port, s_mon_port; |
| 344 | | | gboolean is_video = FALSE; |
| 345 | | | |
| 346 | | | |
| 347 | | | if (line_len > sizeof(buf) - 1) |
Event 1:
Taking true branch. line_len > sizeof( buf ) - 1 evaluates to true.
|
|
| 348 | | | { |
| 349 | | | |
| 350 | | | line_len = sizeof(buf) - 1; |
| 351 | | | } |
| 352 | | | memcpy(buf, line_begin, line_len); |
| 353 | | | buf[line_len] = '\0'; |
| 354 | | | |
| 355 | | | |
| 356 | | | tmp = buf + STRLEN_CONST(rtsp_transport); |
| 357 | | | while (*tmp && isspace(*tmp)) |
| 358 | | | tmp++; |
| 359 | | | |
| 360 | | | |
| 361 | | | if (g_ascii_strncasecmp(tmp, rtsp_rtp, strlen(rtsp_rtp)) == 0) |
Event 3:
g_ascii_strncasecmp is an Undefined Function.
Event 4:
Taking true branch. g_ascii_strncasecmp(...) == 0 evaluates to true.
|
|
| 362 | | | rtp_transport = TRUE; |
Event 5:
!0 evaluates to true.
|
|
| 363 | | | else |
| 364 | | | if (g_ascii_strncasecmp(tmp, rtsp_real_rdt, strlen(rtsp_real_rdt)) == 0 || |
| 365 | | | g_ascii_strncasecmp(tmp, rtsp_real_tng, strlen(rtsp_real_tng)) == 0) |
| 366 | | | rdt_transport = TRUE; |
| 367 | | | else |
| 368 | | | { |
| 369 | | | |
| 370 | | | return; |
| 371 | | | } |
| 372 | | | |
| 373 | | | c_data_port = c_mon_port = 0; |
| 374 | | | s_data_port = s_mon_port = 0; |
| 375 | | | |
| 376 | | | |
| 377 | | | if ((tmp = strstr(buf, rtsp_sps))) { |
Event 6:
Skipping " if". tmp = strstr(buf, rtsp_sps) evaluates to false.
|
|
| 378 | | | tmp += strlen(rtsp_sps); |
| 379 | | | if (sscanf(tmp, "%u-%u", &s_data_port, &s_mon_port) < 1) { |
| 380 | | | g_warning("Frame %u: rtsp: bad server_port",
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 381 | | | pinfo->fd->num); |
| 382 | | | return; |
| 383 | | | } |
| 384 | | | } |
| 385 | | | |
| 386 | | | if ((tmp = strstr(buf, rtsp_cps))) { |
Event 7:
Skipping " if". tmp = strstr(buf, rtsp_cps) evaluates to false.
|
|
| 387 | | | tmp += strlen(rtsp_cps); |
| 388 | | | if (sscanf(tmp, "%u-%u", &c_data_port, &c_mon_port) < 1) { |
| 389 | | | g_warning("Frame %u: rtsp: bad client_port",
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 390 | | | pinfo->fd->num); |
| 391 | | | return; |
| 392 | | | } |
| 393 | | | } |
| 394 | | | |
| 395 | | | |
| 396 | | | |
| 397 | | | if (!c_data_port) { |
Event 8:
Taking true branch. c_data_port evaluates to false.
|
|
| 398 | | | rtsp_conversation_data_t *data; |
| 399 | | | guint s_data_chan, s_mon_chan; |
| 400 | | | int i; |
| 401 | | | |
| 402 | | | |
| 403 | | | if ((tmp = strstr(buf, rtsp_inter)) == NULL) { |
Event 9:
Skipping " if". (tmp = strstr(...)) == (void *)0 evaluates to false.
|
|
| 404 | | | |
| 405 | | | |
| 406 | | | |
| 407 | | | |
| 408 | | | return; |
| 409 | | | } |
| 410 | | | |
| 411 | | | |
| 412 | | | tmp += strlen(rtsp_inter); |
| 413 | | | |
| 414 | | | i = sscanf(tmp, "%u-%u", &s_data_chan, &s_mon_chan); |
| 415 | | | if (i < 1) |
Event 13:
Skipping " if". i < 1 evaluates to false.
|
|
| 416 | | | { |
| 417 | | | g_warning("Frame %u: rtsp: bad interleaved", pinfo->fd->num);
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 418 | | | return; |
| 419 | | | } |
| 420 | | | |
| 421 | | | |
| 422 | | | conv = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype, |
| 423 | [+] | | pinfo->srcport, pinfo->destport, 0); |
 |
| 424 | | | |
| 425 | | | |
| 426 | | | if (!conv) |
Event 21:
Skipping " if". conv evaluates to true.
|
|
| 427 | | | { |
| 428 | | | conv = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, |
| 429 | | | pinfo->ptype, pinfo->srcport, pinfo->destport, |
| 430 | | | 0); |
| 431 | | | } |
| 432 | | | |
| 433 | | | |
| 434 | | | data = conversation_get_proto_data(conv, proto_rtsp); |
| 435 | | | |
| 436 | | | |
| 437 | | | if (!data) |
Event 22:
Taking true branch. data evaluates to false.
|
|
| 438 | | | { |
| 439 | [+] | | data = se_alloc(sizeof(rtsp_conversation_data_t)); |
 |
| 440 | | | conversation_add_proto_data(conv, proto_rtsp, data); |
| 441 | | | } |
| 442 | | | |
| 443 | | | |
| 444 | | | |
| 445 | | | if (rtp_transport) |
Event 28:
Taking true branch. rtp_transport evaluates to true.
|
|
| 446 | | | { |
| 447 | | | if (s_data_chan < RTSP_MAX_INTERLEAVED) { |
Event 29:
Taking true branch. s_data_chan < 256 evaluates to true.
|
|
| 448 | | | data->interleaved[s_data_chan].dissector = |
| 449 | | | rtp_handle; |
Type Underrun
The code could write outside data->interleaved (but inside *data). - data->interleaved evaluates to the value assigned to *buf at emem.c:493. See related event 27.
- The type of data->interleaved is struct <UNNAMED>[256].
- The index is s_data_chan. See related event 12.
- s_data_chan evaluates to the value assigned to s_data_chan at packet-rtsp.c:414, which is bounded above by 255.
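- If s_data_chan is negative, an underrun will occur. The analysis cannot rule out the possibility of s_data_chan taking on one or more of these dangerous values, so it has issued this warning. When triaging, note that s_data_chan is declared guint at packet-rtsp.c:399 and is filled by sscanf with %u at line 414, so the comparison at line 447 is an unsigned one (assuming RTSP_MAX_INTERLEAVED is the plain constant 256 shown in Event 29) and already confines the index to 0..255; confirm this before treating the warning as a real underrun.
The issue can occur if the highlighted code executes. See related events 12 and 27.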
|
| |