(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-bthci_cmd.c) |
| |
| 821 | | | dissect_bthci_cmd_cod(int type, tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree) |
| 822 | | | { |
| 823 | | | guint8 cod1, cod2; |
| 824 | | | proto_item *item; |
| 825 | | | |
| 826 | | | item = proto_tree_add_item(tree, type, tvb, offset, 3, TRUE); |
Event 1:
!0 evaluates to true.
| 827 | | | |
| 828 | | | cod1 = tvb_get_guint8(tvb, offset+1); |
| 829 | | | cod2 = tvb_get_guint8(tvb, offset+2); |
| 830 | | | |
| 831 | | | if( (cod2 != 0) || (cod1 & 0x20) ) |
| 832 | | | { |
| 833 | | | char buf[128]; |
| 834 | | | |
| 835 | | | buf[0] = '\0'; |
Event 3:
buf now holds the empty string, so its length is 0. This length determines the potentially dangerous position (strlen(buf) - 1) that is written later, at line 848.
| 836 | | | |
| 837 | | | proto_item_append_text(item, " (%s - services:", val_to_str(cod1 & 0x1f, bthci_cmd_major_dev_class_vals, "???")); |
| 838 | | | if (cod2 & 0x80) g_strlcat(buf, " Information,", sizeof(buf)); |
Event 4:
Skipping " if". cod2 & 128 evaluates to false.
| 839 | | | if (cod2 & 0x40) g_strlcat(buf, " Telephony,", sizeof(buf)); |
Event 5:
Skipping " if". cod2 & 64 evaluates to false.
| 840 | | | if (cod2 & 0x20) g_strlcat(buf, " Audio,", sizeof(buf)); |
Event 6:
Skipping " if". cod2 & 32 evaluates to false.
| 841 | | | if (cod2 & 0x10) g_strlcat(buf, " Object transfer,", sizeof(buf)); |
Event 7:
Skipping " if". cod2 & 16 evaluates to false.
| 842 | | | if (cod2 & 0x08) g_strlcat(buf, " Capturing,", sizeof(buf)); |
Event 8:
Skipping " if". cod2 & 8 evaluates to false.
| 843 | | | if (cod2 & 0x04) g_strlcat(buf, " Rendering,", sizeof(buf)); |
Event 9:
Skipping " if". cod2 & 4 evaluates to false.
| 844 | | | if (cod2 & 0x02) g_strlcat(buf, " Networking,", sizeof(buf)); |
Event 10:
Skipping " if". cod2 & 2 evaluates to false.
| 845 | | | if (cod2 & 0x01) g_strlcat(buf, " Positioning,", sizeof(buf)); |
Event 11:
Skipping " if". cod2 & 1 evaluates to false.
| 846 | | | if (cod1 & 0x20) g_strlcat(buf, " Limited discoverable mode,", sizeof(buf)); |
Event 12:
Skipping " if". cod1 & 32 evaluates to false.
| 847 | | | |
| 848 | | | buf[strlen(buf)-1] = '\0'; |
Event 13:
buf is passed to __builtin_strlen().
Event 14:
__builtin_strlen() returns the length of the string pointed to by buf, which evaluates to 0. See related events 3 and 13.
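Buffer Underrun
This code writes before the beginning of the buffer buf. The first underrun byte is at offset strlen(buf) - 1 from the beginning of the object. See related event 14.
- strlen(buf) - 1 evaluates to -1 on the reported path, where buf is still the empty string.
- The underrun occurs in stack memory.
The issue can occur if the highlighted code executes. See related event 14.
Reviewer note: the reported path looks infeasible as listed. Line 831 enters the block only when cod2 != 0 or cod1 & 0x20 is set; lines 838-845 test all eight bits of cod2 and line 846 tests cod1 & 0x20, so at least one g_strlcat call should run and leave buf non-empty before line 848. The write stays in bounds only while the guard and the flag tests remain in sync, so checking that buf is non-empty before trimming the trailing comma would make line 848 safe on its own.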
|
| |