(/home/sate/Testcases/c/cve/wireshark-1.2.0/gtk/voip_calls.c) |
| |
| 871 | | | SIPcalls_packet( void *ptr _U_, packet_info *pinfo, epan_dissect_t *edt _U_, const void *SIPinfo) |
| 872 | | | { |
| 873 | | | voip_calls_tapinfo_t *tapinfo = &the_tapinfo_struct; |
| 874 | | | |
| 875 | | | |
| 876 | | | |
| 877 | | | voip_calls_info_t *tmp_listinfo; |
| 878 | | | voip_calls_info_t *callsinfo = NULL; |
| 879 | | | sip_calls_info_t *tmp_sipinfo = NULL; |
| 880 | | | GList *list; |
| 881 | | | address tmp_src, tmp_dst; |
| 882 | | | gchar *frame_label = NULL; |
| 883 | | | gchar * = NULL; |
| 884 | | | |
| 885 | | | const sip_info_value_t *pi = SIPinfo; |
| 886 | | | |
| 887 | | | |
| 888 | | | if (pi->tap_call_id ==NULL){ |
Event 1:
Skipping " if". pi->tap_call_id == (void *)0 evaluates to false.
|
|
| 889 | | | return 0; |
| 890 | | | } |
| 891 | | | |
| 892 | | | |
| 893 | | | list = g_list_first(tapinfo->callsinfo_list); |
| 894 | | | while (list) |
Event 3:
Entering loop body. list evaluates to true.
|
|
| 895 | | | { |
| 896 | | | tmp_listinfo=list->data; |
| 897 | | | if (tmp_listinfo->protocol == VOIP_SIP){ |
Event 4:
Taking true branch. tmp_listinfo->protocol == VOIP_SIP evaluates to true.
|
|
| 898 | | | tmp_sipinfo = tmp_listinfo->prot_info; |
| 899 | | | if (strcmp(tmp_sipinfo->call_identifier,pi->tap_call_id)==0){ |
Event 6:
Taking true branch. strcmp(...) == 0 evaluates to true.
|
|
| 900 | | | callsinfo = (voip_calls_info_t*)(list->data); |
| 901 | | | break; |
| 902 | | | } |
| 903 | | | } |
| 904 | | | list = g_list_next (list);
x /usr/include/glib-2.0/glib/glist.h |
| |
113 | #define g_list_next(list) ((list) ? (((GList *)(list))->next) : NULL) |
| |
|
| 905 | | | } |
| 906 | | | |
| 907 | | | |
| 908 | | | if ((callsinfo==NULL) &&(pi->request_method!=NULL)){ |
Event 7:
Skipping " if". callsinfo == (void *)0 evaluates to false.
|
|
| 909 | | | if (strcmp(pi->request_method,"INVITE")==0){ |
| 910 | | | callsinfo = g_malloc0(sizeof(voip_calls_info_t)); |
| 911 | | | callsinfo->call_active_state = VOIP_ACTIVE; |
| 912 | | | callsinfo->call_state = VOIP_CALL_SETUP; |
| 913 | | | callsinfo->from_identity=g_strdup(pi->tap_from_addr); |
| 914 | | | callsinfo->to_identity=g_strdup(pi->tap_to_addr); |
| 915 | | | COPY_ADDRESS(&(callsinfo->initial_speaker),&(pinfo->src));
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
107 | #define COPY_ADDRESS(to, from) { \ |
108 | guint8 *COPY_ADDRESS_data; \ |
109 | (to)->type = (from)->type; \ |
110 | (to)->len = (from)->len; \ |
111 | COPY_ADDRESS_data = g_malloc((from)->len); \ |
112 | memcpy(COPY_ADDRESS_data, (from)->data, (from)->len); \ |
113 | (to)->data = COPY_ADDRESS_data; \ |
114 | } |
| |
|
| 916 | | | callsinfo->first_frame_num=pinfo->fd->num; |
| 917 | | | callsinfo->selected=FALSE; |
| 918 | | | callsinfo->start_sec=(gint32) (pinfo->fd->rel_ts.secs); |
| 919 | | | callsinfo->start_usec=pinfo->fd->rel_ts.nsecs/1000; |
| 920 | | | callsinfo->protocol=VOIP_SIP; |
| 921 | | | callsinfo->prot_info=g_malloc(sizeof(sip_calls_info_t)); |
| 922 | | | callsinfo->free_prot_info = free_sip_info; |
| 923 | | | tmp_sipinfo = callsinfo->prot_info; |
| 924 | | | tmp_sipinfo->call_identifier = g_strdup(pi->tap_call_id); |
| 925 | | | tmp_sipinfo->sip_state = SIP_INVITE_SENT; |
| 926 | | | tmp_sipinfo->invite_cseq = pi->tap_cseq_number; |
| 927 | | | callsinfo->npackets = 0; |
| 928 | | | callsinfo->call_num = tapinfo->ncalls++; |
| 929 | | | tapinfo->callsinfo_list = g_list_append(tapinfo->callsinfo_list, callsinfo); |
| 930 | | | } |
| 931 | | | } |
| 932 | | | |
| 933 | | | if (callsinfo!=NULL){ |
Event 8:
Taking true branch. callsinfo != (void *)0 evaluates to true.
|
|
| 934 | | | |
| 935 | | | |
| 936 | | | |
| 937 | | | COPY_ADDRESS(&(tmp_src), &(pinfo->src));
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
107 | #define COPY_ADDRESS(to, from) { \ |
108 | guint8 *COPY_ADDRESS_data; \ |
109 | (to)->type = (from)->type; \ |
110 | (to)->len = (from)->len; \ |
111 | COPY_ADDRESS_data = g_malloc((from)->len); \ |
112 | memcpy(COPY_ADDRESS_data, (from)->data, (from)->len); \ |
113 | (to)->data = COPY_ADDRESS_data; \ |
114 | } |
| |
|
| 938 | | | COPY_ADDRESS(&(tmp_dst), &(pinfo->dst));
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
107 | #define COPY_ADDRESS(to, from) { \ |
108 | guint8 *COPY_ADDRESS_data; \ |
109 | (to)->type = (from)->type; \ |
110 | (to)->len = (from)->len; \ |
111 | COPY_ADDRESS_data = g_malloc((from)->len); \ |
112 | memcpy(COPY_ADDRESS_data, (from)->data, (from)->len); \ |
113 | (to)->data = COPY_ADDRESS_data; \ |
114 | } |
| |
|
| 939 | | | |
| 940 | | | if (pi->request_method == NULL){ |
Event 11:
Taking true branch. pi->request_method == (void *)0 evaluates to true.
|
|
| 941 | | | frame_label = g_strdup_printf("%u %s", pi->response_code, pi->reason_phrase ); |
| 942 | | | = g_strdup("SIP Status"); |
| 943 | | | |
| 944 | | | if ((tmp_sipinfo && pi->tap_cseq_number == tmp_sipinfo->invite_cseq)&&(ADDRESSES_EQUAL(&tmp_dst,&(callsinfo->initial_speaker)))){
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
92 | #define ADDRESSES_EQUAL(addr1, addr2) \ |
93 | ( \ |
94 | (addr1)->type == (addr2)->type && \ |
95 | ( \ |
96 | (addr1)->type == AT_NONE || \ |
97 | ( \ |
98 | (addr1)->len == (addr2)->len && \ |
99 | memcmp((addr1)->data, (addr2)->data, (addr1)->len) == 0 \ |
100 | ) \ |
101 | ) \ |
102 | ) |
| |
|
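Null Test After Dereference
This code tests whether tmp_sipinfo is null after it has already been dereferenced.
- If tmp_sipinfo were null, there would have been a prior null pointer dereference at voip_calls.c:899, and potentially at other locations as well.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test.
On the path shown, tmp_sipinfo is assigned from tmp_listinfo->prot_info at line 898 and dereferenced by the strcmp call at line 899, so a null value would fault there before the test at line 944 is reached. The request branch (lines 959-977) also dereferences tmp_sipinfo without any test. If prot_info can be null for a VOIP_SIP entry, the guard belongs before line 899 rather than at line 944.
The issue can occur if the highlighted code executes. See related event 5.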
|
| 945 | | | if ((pi->response_code > 199) && (pi->response_code<300) && (tmp_sipinfo->sip_state == SIP_INVITE_SENT)){ |
| 946 | | | tmp_sipinfo->sip_state = SIP_200_REC; |
| 947 | | | } |
| 948 | | | else if ((pi->response_code>299)&&(tmp_sipinfo->sip_state == SIP_INVITE_SENT)){ |
| 949 | | | callsinfo->call_state = VOIP_REJECTED; |
| 950 | | | tapinfo->rejected_calls++; |
| 951 | | | } |
| 952 | | | } |
| 953 | | | |
| 954 | | | } |
| 955 | | | else{ |
| 956 | | | frame_label = g_strdup(pi->request_method); |
| 957 | | | |
| 958 | | | if ((strcmp(pi->request_method,"INVITE")==0)&&(ADDRESSES_EQUAL(&tmp_src,&(callsinfo->initial_speaker)))){
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
92 | #define ADDRESSES_EQUAL(addr1, addr2) \ |
93 | ( \ |
94 | (addr1)->type == (addr2)->type && \ |
95 | ( \ |
96 | (addr1)->type == AT_NONE || \ |
97 | ( \ |
98 | (addr1)->len == (addr2)->len && \ |
99 | memcmp((addr1)->data, (addr2)->data, (addr1)->len) == 0 \ |
100 | ) \ |
101 | ) \ |
102 | ) |
| |
|
| 959 | | | tmp_sipinfo->invite_cseq = pi->tap_cseq_number; |
| 960 | | | callsinfo->call_state = VOIP_CALL_SETUP; |
| 961 | | | = g_strdup_printf("SIP From: %s To:%s", callsinfo->from_identity, callsinfo->to_identity); |
| 962 | | | } |
| 963 | | | else if ((strcmp(pi->request_method,"ACK")==0)&&(pi->tap_cseq_number == tmp_sipinfo->invite_cseq) |
| 964 | | | &&(ADDRESSES_EQUAL(&tmp_src,&(callsinfo->initial_speaker)))&&(tmp_sipinfo->sip_state==SIP_200_REC)
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
92 | #define ADDRESSES_EQUAL(addr1, addr2) \ |
93 | ( \ |
94 | (addr1)->type == (addr2)->type && \ |
95 | ( \ |
96 | (addr1)->type == AT_NONE || \ |
97 | ( \ |
98 | (addr1)->len == (addr2)->len && \ |
99 | memcmp((addr1)->data, (addr2)->data, (addr1)->len) == 0 \ |
100 | ) \ |
101 | ) \ |
102 | ) |
| |
|
| 965 | | | &&(callsinfo->call_state == VOIP_CALL_SETUP)){ |
| 966 | | | callsinfo->call_state = VOIP_IN_CALL; |
| 967 | | | = g_strdup("SIP Request"); |
| 968 | | | } |
| 969 | | | else if (strcmp(pi->request_method,"BYE")==0){ |
| 970 | | | callsinfo->call_state = VOIP_COMPLETED; |
| 971 | | | tapinfo->completed_calls++; |
| 972 | | | = g_strdup("SIP Request"); |
| 973 | | | } |
| 974 | | | else if ((strcmp(pi->request_method,"CANCEL")==0)&&(pi->tap_cseq_number == tmp_sipinfo->invite_cseq) |
| 975 | | | &&(ADDRESSES_EQUAL(&tmp_src,&(callsinfo->initial_speaker)))&&(callsinfo->call_state==VOIP_CALL_SETUP)){
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/address.h |
| |
92 | #define ADDRESSES_EQUAL(addr1, addr2) \ |
93 | ( \ |
94 | (addr1)->type == (addr2)->type && \ |
95 | ( \ |
96 | (addr1)->type == AT_NONE || \ |
97 | ( \ |
98 | (addr1)->len == (addr2)->len && \ |
99 | memcmp((addr1)->data, (addr2)->data, (addr1)->len) == 0 \ |
100 | ) \ |
101 | ) \ |
102 | ) |
| |
|
| 976 | | | callsinfo->call_state = VOIP_CANCELLED; |
| 977 | | | tmp_sipinfo->sip_state = SIP_CANCEL_SENT; |
| 978 | | | = g_strdup("SIP Request"); |
| 979 | | | } else { |
| 980 | | | = g_strdup("SIP Request"); |
| 981 | | | } |
| 982 | | | } |
| 983 | | | |
| 984 | | | callsinfo->stop_sec=(gint32) (pinfo->fd->rel_ts.secs); |
| 985 | | | callsinfo->stop_usec=pinfo->fd->rel_ts.nsecs/1000; |
| 986 | | | callsinfo->last_frame_num=pinfo->fd->num; |
| 987 | | | ++(callsinfo->npackets); |
| 988 | | | |
| 989 | | | ++(tapinfo->npackets); |
| 990 | | | |
| 991 | | | |
| 992 | | | add_to_graph(tapinfo, pinfo, frame_label, , callsinfo->call_num, &(pinfo->src), &(pinfo->dst), 1); |
| 993 | | | g_free(); |
| 994 | | | g_free(frame_label); |
| 995 | | | g_free((void *)tmp_src.data); |
| 996 | | | g_free((void *)tmp_dst.data); |
| 997 | | | |
| 998 | | | |
| 999 | | | if ( (sdp_summary != NULL) && (sdp_frame_num == pinfo->fd->num) ){ |
| 1000 | | | append_to_frame_graph(tapinfo, pinfo->fd->num, sdp_summary, NULL); |
| 1001 | | | g_free(sdp_summary); |
| 1002 | | | sdp_summary = NULL; |
| 1003 | | | } |
| 1004 | | | } |
| 1005 | | | |
| 1006 | | | tapinfo->redraw = TRUE; |
| 1007 | | | |
| 1008 | | | return 1; |
| 1009 | | | } |
| |