(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ssl.c) |
| |
| 1284 | | | dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, |
| 1285 | | | proto_tree *tree, guint32 offset, |
| 1286 | | | guint *conv_version, gboolean *need_desegmentation, |
| 1287 | | | SslDecryptSession* ssl, gboolean first_record_in_frame _U_) |
| 1288 | | | { |
| 1289 | | | |
| 1290 | | | |
| 1291 | | | |
| 1292 | | | |
| 1293 | | | |
| 1294 | | | |
| 1295 | | | |
| 1296 | | | |
| 1297 | | | |
| 1298 | | | |
| 1299 | | | |
| 1300 | | | |
| 1301 | | | |
| 1302 | | | |
| 1303 | | | |
| 1304 | | | |
| 1305 | | | |
| 1306 | | | |
| 1307 | | | |
| 1308 | | | guint32 record_length; |
| 1309 | | | guint16 version; |
| 1310 | | | guint8 content_type; |
| 1311 | | | guint8 next_byte; |
| 1312 | | | proto_tree *ti; |
| 1313 | | | proto_tree *ssl_record_tree; |
| 1314 | | | SslAssociation* association; |
| 1315 | | | guint32 available_bytes; |
| 1316 | | | ti = NULL; |
| 1317 | | | ssl_record_tree = NULL; |
| 1318 | | | available_bytes = 0; |
| 1319 | | | |
| 1320 | [+] | | available_bytes = tvb_length_remaining(tvb, offset); |
 |
| 1321 | | | |
| 1322 | | | |
| 1323 | | | if ((*conv_version==SSL_VER_TLS || *conv_version==SSL_VER_TLSv1DOT1 || *conv_version==SSL_VER_TLSv1DOT2) && |
Event 12:
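Skipping "if": the version test passes, but the whole condition is false because available_bytes >= 1 is false.
- *conv_version == 3 (SSL_VER_TLS) evaluates to false.
- *conv_version == 4 (SSL_VER_TLSv1DOT1) evaluates to false.
- *conv_version == 7 (SSL_VER_TLSv1DOT2) evaluates to true.
- available_bytes >= 1 evaluates to false.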
Event 13:
Considering the case where *conv_version must have been equal to 7.
|
|
| 1324 | | | (available_bytes >=1 ) && !ssl_is_valid_content_type(tvb_get_guint8(tvb, offset))) { |
| 1325 | | | proto_tree_add_text(tree, tvb, offset, available_bytes, "Ignored Unknown Record"); |
| 1326 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
| 1327 | | | col_append_str(pinfo->cinfo, COL_INFO, "Ignored Unknown Record"); |
| 1328 | | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) |
| 1329 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, ssl_version_short_names[*conv_version]); |
| 1330 | | | return offset + available_bytes; |
| 1331 | | | } |
| 1332 | | | |
| 1333 | | | |
| 1334 | | | |
| 1335 | | | |
| 1336 | | | if (ssl_desegment && pinfo->can_desegment) { |
Event 14:
Skipping " if". - ssl_desegment evaluates to true.
- pinfo->can_desegment evaluates to false.
|
|
| 1337 | | | |
| 1338 | | | |
| 1339 | | | |
| 1340 | | | if (available_bytes < 5) { |
| 1341 | | | |
| 1342 | | | |
| 1343 | | | |
| 1344 | | | |
| 1345 | | | |
| 1346 | | | pinfo->desegment_offset = offset; |
| 1347 | | | pinfo->desegment_len = 5 - available_bytes; |
| 1348 | | | *need_desegmentation = TRUE; |
| 1349 | | | return offset; |
| 1350 | | | } |
| 1351 | | | } |
| 1352 | | | |
| 1353 | | | |
| 1354 | | | |
| 1355 | | | |
| 1356 | | | content_type = tvb_get_guint8(tvb, offset); |
| 1357 | | | version = tvb_get_ntohs(tvb, offset + 1); |
| 1358 | | | record_length = tvb_get_ntohs(tvb, offset + 3); |
| 1359 | | | |
| 1360 | [+] | | if (ssl_is_valid_content_type(content_type)) { |
 |
| 1361 | | | |
| 1362 | | | |
| 1363 | | | |
| 1364 | | | |
| 1365 | | | if (ssl_desegment && pinfo->can_desegment) { |
| 1366 | | | |
| 1367 | | | |
| 1368 | | | |
| 1369 | | | if (available_bytes < record_length + 5) { |
| 1370 | | | |
| 1371 | | | |
| 1372 | | | |
| 1373 | | | |
| 1374 | | | |
| 1375 | | | pinfo->desegment_offset = offset; |
| 1376 | | | |
| 1377 | | | |
| 1378 | | | |
| 1379 | | | |
| 1380 | | | |
| 1381 | | | |
| 1382 | | | |
| 1383 | | | |
| 1384 | | | pinfo->desegment_len = DESEGMENT_ONE_MORE_SEGMENT; |
| 1385 | | | *need_desegmentation = TRUE; |
| 1386 | | | return offset; |
| 1387 | | | } |
| 1388 | | | } |
| 1389 | | | |
| 1390 | | | } else { |
| 1391 | | | |
| 1392 | | | |
| 1393 | | | |
| 1394 | | | |
| 1395 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
Event 17:
Taking true branch. check_col(...) evaluates to true.
|
|
| 1396 | | | col_append_str(pinfo->cinfo, COL_INFO, "Continuation Data"); |
| 1397 | | | |
| 1398 | | | |
| 1399 | | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) |
Event 18:
Taking true branch. check_col(...) evaluates to true.
|
|
| 1400 | | | { |
| 1401 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, |
| 1402 | | | ssl_version_short_names[*conv_version]); |
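Buffer Overrun
This code reads past the end of ssl_version_short_names.
- The first byte read is at offset 4 * *conv_version from the beginning of ssl_version_short_names, whose capacity is 28 bytes (seven 4-byte entries on this build, so the valid indices are 0 through 6).
- The offset is outside the capacity: the read starts at byte 28, the first byte past the end of the 28-byte array.
- 4 * *conv_version is equal to 28, i.e. *conv_version is 7, one past the last valid index.
- The overrun occurs in global memory.
The issue can occur if the highlighted code executes. See related event 13. The same unchecked expression, ssl_version_short_names[*conv_version], also appears at line 1329, in a branch entered only when *conv_version is one of the TLS values, which includes 7. Checking *conv_version against the number of table entries before indexing, or keeping the table in step with the SSL_VER_* constants, would cover both uses.
|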
|
| |