(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-tcp.c) |
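tcp_analyze_sequence_number(packet_info *pinfo, guint32 seq, guint32 ack, guint32 seglen, guint8 flags, guint32 window, struct tcp_analysis *tcpd)
{
	/*
	 * Classify one segment against the per-direction state kept in tcpd
	 * (zero window, keep-alive, duplicate ack, retransmission, ...), push
	 * it on the forward unacked list and drop the reverse-direction
	 * segments that its ack number covers.
	 *
	 * pinfo   - only pinfo->fd->num (frame number) and pinfo->fd->abs_ts
	 *           (absolute timestamp) are read.
	 * seq/ack - raw sequence / acknowledgement numbers of this segment.
	 * seglen  - payload length in bytes.
	 * flags   - TCP header flags (TH_*).
	 * window  - advertised window as carried in the header (unscaled).
	 * tcpd    - conversation state; fwd is the direction this segment
	 *           travels in, rev the opposite one. NULL means "no analysis",
	 *           and the function returns without touching anything.
	 *
	 * Findings are accumulated in tcpd->ta->flags. tcpd->ta is created
	 * lazily through tcp_analyze_get_acked_struct() the first time there is
	 * something to record, so it may still be NULL at any point below.
	 * GT_SEQ()/LT_SEQ() are wrap-safe sequence-space comparisons.
	 */
	tcp_unacked_t *ual=NULL;

	if (!tcpd) {
		return;
	}

	/* First segment seen in this direction fixes its base sequence number.
	 * A SYN occupies one sequence number, so for anything else the initial
	 * sequence number is one less than what we see. */
	if(tcpd->fwd->base_seq==0){
		tcpd->fwd->base_seq = (flags & TH_SYN) ? seq : seq-1;
	}

	/* Likewise derive the reverse direction's base from the first ack. */
	if( (tcpd->rev->base_seq==0) && (flags & TH_ACK) ){
		tcpd->rev->base_seq = (flags & TH_SYN) ? ack : ack-1;
	}

	/* ZERO WINDOW PROBE: a single byte at nextseq while the peer has
	 * advertised a zero window. Nothing else applies to such a segment. */
	if( seglen==1
	&&  seq==tcpd->fwd->nextseq
	&&  tcpd->rev->window==0 ){
		if(!tcpd->ta){
			tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
		}
		tcpd->ta->flags|=TCP_A_ZERO_WINDOW_PROBE;
		goto finished_fwd;
	}

	/* ZERO WINDOW: a data/ack segment advertising a zero window. */
	if( window==0
	&& (flags&(TH_RST|TH_FIN|TH_SYN))==0 ){
		if(!tcpd->ta){
			tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
		}
		tcpd->ta->flags|=TCP_A_ZERO_WINDOW;
	}

	/* LOST PACKET: seq is ahead of what we expected next in this direction,
	 * so at least one segment before it was never captured. */
	if( tcpd->fwd->nextseq
	&&  GT_SEQ(seq, tcpd->fwd->nextseq)
	&&  (flags&(TH_RST))==0 ){
		if(!tcpd->ta){
			tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
		}
		tcpd->ta->flags|=TCP_A_LOST_PACKET;
	}

	/* KEEP ALIVE: zero or one byte sent from one below nextseq. */
	if( (seglen==0||seglen==1)
	&&  seq==(tcpd->fwd->nextseq-1)
	&&  (flags&(TH_SYN|TH_FIN|TH_RST))==0 ){
		if(!tcpd->ta){
			tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
		}
		tcpd->ta->flags|=TCP_A_KEEP_ALIVE;
	}

	/* WINDOW UPDATE: an empty segment repeating seq and ack where only the
	 * advertised window has changed. */
	if( seglen==0
	&&  window
	&&  window!=tcpd->fwd->window
	&&  seq==tcpd->fwd->nextseq
	&&  ack==tcpd->fwd->lastack
	&&  (flags&(TH_SYN|TH_FIN|TH_RST))==0 ){
		if(!tcpd->ta){
			tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
		}
		tcpd->ta->flags|=TCP_A_WINDOW_UPDATE;
	}

	/* WINDOW FULL: the data ends exactly at the peer's scaled right window
	 * edge. Only decidable once a window scale is known in both directions
	 * (-1 means "not seen"). */
	if( seglen>0
	&&  tcpd->fwd->win_scale!=-1
	&&  tcpd->rev->win_scale!=-1
	&&  (seq+seglen)==(tcpd->rev->lastack+(tcpd->rev->window<<tcpd->rev->win_scale))
	&&  (flags&(TH_SYN|TH_FIN|TH_RST))==0 ){
		if(!tcpd->ta){
			tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
		}
		tcpd->ta->flags|=TCP_A_WINDOW_FULL;
	}

	/* KEEP ALIVE ACK: an otherwise unchanged empty ack answering a segment
	 * the reverse direction classified as a keep-alive. */
	if( seglen==0
	&&  window
	&&  window==tcpd->fwd->window
	&&  seq==tcpd->fwd->nextseq
	&&  ack==tcpd->fwd->lastack
	&&  (tcpd->rev->lastsegmentflags&TCP_A_KEEP_ALIVE)
	&&  (flags&(TH_SYN|TH_FIN|TH_RST))==0 ){
		if(!tcpd->ta){
			tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
		}
		tcpd->ta->flags|=TCP_A_KEEP_ALIVE_ACK;
		goto finished_fwd;
	}

	/* ZERO WINDOW PROBE ACK: a zero-window ack answering the peer's probe. */
	if( seglen==0
	&&  window==0
	&&  window==tcpd->fwd->window
	&&  seq==tcpd->fwd->nextseq
	&&  ack==tcpd->fwd->lastack
	&&  (tcpd->rev->lastsegmentflags&TCP_A_ZERO_WINDOW_PROBE)
	&&  (flags&(TH_SYN|TH_FIN|TH_RST))==0 ){
		if(!tcpd->ta){
			tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
		}
		tcpd->ta->flags|=TCP_A_ZERO_WINDOW_PROBE_ACK;
		goto finished_fwd;
	}

	/* DUPLICATE ACK: an empty segment repeating seq, ack and window. The
	 * run length and the last non-dup frame are recorded with it. */
	if( seglen==0
	&&  window
	&&  window==tcpd->fwd->window
	&&  seq==tcpd->fwd->nextseq
	&&  ack==tcpd->fwd->lastack
	&&  (flags&(TH_SYN|TH_FIN|TH_RST))==0 ){
		tcpd->fwd->dupacknum++;
		if(!tcpd->ta){
			tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
		}
		tcpd->ta->flags|=TCP_A_DUPLICATE_ACK;
		tcpd->ta->dupack_num=tcpd->fwd->dupacknum;
		tcpd->ta->dupack_frame=tcpd->fwd->lastnondupack;
	}

finished_fwd:
	/* Anything that is not a duplicate ack ends the dup-ack run. The
	 * short-circuit on !tcpd->ta means ta is only dereferenced when it is
	 * non-NULL; the later NULL tests on tcpd->ta are therefore not redundant. */
	if( (!tcpd->ta) || !(tcpd->ta->flags&TCP_A_DUPLICATE_ACK) ){
		tcpd->fwd->lastnondupack=pinfo->fd->num;
		tcpd->fwd->dupacknum=0;
	}

	/* ACK LOST PACKET: this acks reverse-direction data we never saw.
	 * Advance rev->nextseq so the following segments are not all flagged. */
	if( tcpd->rev->nextseq
	&&  GT_SEQ(ack, tcpd->rev->nextseq )
	&&  (flags&(TH_ACK))!=0 ){
		if(!tcpd->ta){
			tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
		}
		tcpd->ta->flags|=TCP_A_ACK_LOST_PACKET;
		tcpd->rev->nextseq=ack;
	}

	/* Data below nextseq: fast retransmission, out-of-order or plain
	 * retransmission, decided by timing. */
	if( seglen>0
	&&  tcpd->fwd->nextseq
	&&  (LT_SEQ(seq, tcpd->fwd->nextseq)) ){
		guint64 t;

		/* A keep-alive also sits below nextseq; leave it classified as such.
		 * tcpd->ta can still be NULL here (nothing flagged so far), so the
		 * NULL test is required. */
		if(tcpd->ta && (tcpd->ta->flags&TCP_A_KEEP_ALIVE) ){
			goto finished_checking_retransmission_type;
		}

		/* Nanoseconds since the peer's last ack. The seconds difference is
		 * widened to guint64 before the multiply so that a 32-bit time_t
		 * cannot overflow; a negative interval wraps to a huge value and
		 * simply fails the threshold below, as before. */
		t=(guint64)(pinfo->fd->abs_ts.secs-tcpd->rev->lastacktime.secs)*1000000000;
		t=t+(pinfo->fd->abs_ts.nsecs)-tcpd->rev->lastacktime.nsecs;
		/* FAST RETRANSMISSION: at least two dup acks for this seq within 20 ms. */
		if( tcpd->rev->dupacknum>=2
		&&  tcpd->rev->lastack==seq
		&&  t<20000000 ){
			if(!tcpd->ta){
				tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
			}
			tcpd->ta->flags|=TCP_A_FAST_RETRANSMISSION;
			goto finished_checking_retransmission_type;
		}

		/* OUT-OF-ORDER: within 3 ms of the segment that set nextseq. */
		t=(guint64)(pinfo->fd->abs_ts.secs-tcpd->fwd->nextseqtime.secs)*1000000000;
		t=t+(pinfo->fd->abs_ts.nsecs)-tcpd->fwd->nextseqtime.nsecs;
		if( t<3000000 ){
			if(!tcpd->ta){
				tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
			}
			tcpd->ta->flags|=TCP_A_OUT_OF_ORDER;
			goto finished_checking_retransmission_type;
		}

		/* Otherwise a plain retransmission: record the RTO and the frame
		 * that originally advanced nextseq. */
		if(!tcpd->ta){
			tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
		}
		tcpd->ta->flags|=TCP_A_RETRANSMISSION;
		nstime_delta(&tcpd->ta->rto_ts, &pinfo->fd->abs_ts, &tcpd->fwd->nextseqtime);
		tcpd->ta->rto_frame=tcpd->fwd->nextseqframe;
	}
finished_checking_retransmission_type:

	/* Push this segment on the head of the forward unacked list. The
	 * TCP_UNACKED_* macros are slab free-list operations (see slab.h), not
	 * g_malloc/g_free per item. */
	TCP_UNACKED_NEW(ual);
	ual->next=tcpd->fwd->segments;
	tcpd->fwd->segments=ual;
	ual->frame=pinfo->fd->num;
	ual->seq=seq;
	ual->ts=pinfo->fd->abs_ts;

	/* SYN and FIN each consume one sequence number. */
	ual->nextseq=seq+seglen;
	if( flags&(TH_SYN|TH_FIN) ){
		ual->nextseq+=1;
	}

	/* Advance nextseq (or initialise it), except for a zero window probe,
	 * whose byte must not move the expected sequence number. */
	if(GT_SEQ(ual->nextseq, tcpd->fwd->nextseq) || !tcpd->fwd->nextseq) {
		if( !tcpd->ta || !(tcpd->ta->flags&TCP_A_ZERO_WINDOW_PROBE) ){
			tcpd->fwd->nextseq=ual->nextseq;
			tcpd->fwd->nextseqframe=pinfo->fd->num;
			tcpd->fwd->nextseqtime.secs=pinfo->fd->abs_ts.secs;
			tcpd->fwd->nextseqtime.nsecs=pinfo->fd->abs_ts.nsecs;
		}
	}

	tcpd->fwd->window=window;
	tcpd->fwd->lastack=ack;
	tcpd->fwd->lastacktime.secs=pinfo->fd->abs_ts.secs;
	tcpd->fwd->lastacktime.nsecs=pinfo->fd->abs_ts.nsecs;

	/* Remember how this segment was classified; the reverse direction
	 * consults it for the KEEP_ALIVE_ACK / ZERO_WINDOW_PROBE_ACK tests. */
	if(tcpd->ta){
		tcpd->fwd->lastsegmentflags=tcpd->ta->flags;
	} else {
		tcpd->fwd->lastsegmentflags=0;
	}

	/* Release every reverse-direction segment fully covered by this ack.
	 * The list is newest-first, so first pop acked entries off the head
	 * (stopping at the first one that is not yet acked) ... */
	while((ual=tcpd->rev->segments)){
		tcp_unacked_t *tmpual;
		if(ack==ual->nextseq){
			/* Exact ack of this segment: note which frame it acks and the RTT. */
			tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
			tcpd->ta->frame_acked=ual->frame;
			nstime_delta(&tcpd->ta->ts, &pinfo->fd->abs_ts, &ual->ts);
		}
		if(GT_SEQ(ual->nextseq,ack)){
			break;
		}
		tmpual=tcpd->rev->segments->next;

		if (tcpd->rev->scps_capable) {
			/* Track the largest segment ever acked, for SCPS. */
			if ((ual->nextseq - ual->seq) > tcpd->fwd->maxsizeacked) {
				tcpd->fwd->maxsizeacked = (ual->nextseq - ual->seq);
			}
		}

		TCP_UNACKED_FREE(ual);
		tcpd->rev->segments=tmpual;
	}

	/* ... then unlink any acked entries further down the list. */
	ual=tcpd->rev->segments;
	while(ual && ual->next){
		tcp_unacked_t *tmpual;
		if(GT_SEQ(ual->next->nextseq,ack)){
			ual=ual->next;
			continue;
		}
		tmpual=ual->next->next;

		if (tcpd->rev->scps_capable) {
			if ((ual->next->nextseq - ual->next->seq) > tcpd->fwd->maxsizeacked){
				tcpd->fwd->maxsizeacked = (ual->next->nextseq - ual->next->seq);
			}
		}

		TCP_UNACKED_FREE(ual->next);
		ual->next=tmpual;
		ual=ual->next;
	}

	/* Bytes in flight: span from the lowest to the highest relative sequence
	 * number still on the forward unacked list. */
	ual=tcpd->fwd->segments;
	if (tcp_track_bytes_in_flight && seglen!=0 && ual) {
		guint32 first_seq, last_seq, in_flight;

		first_seq = ual->seq - tcpd->fwd->base_seq;
		last_seq = ual->nextseq - tcpd->fwd->base_seq;
		while (ual) {
			if ((ual->nextseq-tcpd->fwd->base_seq)>last_seq) {
				last_seq = ual->nextseq-tcpd->fwd->base_seq;
			}
			if ((ual->seq-tcpd->fwd->base_seq)<first_seq) {
				first_seq = ual->seq-tcpd->fwd->base_seq;
			}
			ual = ual->next;
		}
		in_flight = last_seq-first_seq;

		/* The upper bound discards a wrapped (negative) span; the unsigned
		 * subtraction above cannot signal it any other way. */
		if (in_flight>0 && in_flight<2000000000) {
			if(!tcpd->ta){
				tcp_analyze_get_acked_struct(pinfo->fd->num, TRUE, tcpd);
			}
			tcpd->ta->bytes_in_flight = in_flight;
		}
	}

}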