(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-netbios.c) |
| |
| 797 | | | dissect_netb_status_resp( tvbuff_t *tvb, int offset, proto_tree *tree) |
| 798 | | | |
| 799 | | | { |
| 800 | | | guint8 status_response = tvb_get_guint8( tvb, offset + NB_DATA1); |
| 801 | | | proto_item *td2; |
| 802 | | | proto_tree *data2_tree; |
| 803 | | | guint16 data2; |
| 804 | | | |
| 805 | | | nb_call_name_type( tvb, offset, tree); |
| 806 | | | if (status_response == 0) { |
Event 1:
Taking false branch. status_response == 0 evaluates to false.
|
|
| 807 | | | proto_tree_add_text(tree, tvb, offset + NB_DATA1, 1, |
| 808 | | | "Status response: NetBIOS 1.x or 2.0"); |
| 809 | | | } else { |
| 810 | | | proto_tree_add_text(tree, tvb, offset + NB_DATA1, 1, |
| 811 | | | "Status response: NetBIOS 2.1, %u names sent so far", |
| 812 | | | status_response); |
| 813 | | | } |
| 814 | | | data2 = tvb_get_letohs( tvb, offset + NB_DATA2); |
| 815 | | | |
| 816 | | | td2 = proto_tree_add_text(tree, tvb, offset + NB_DATA2, 2, "Status: 0x%04x", |
| 817 | | | data2); |
| 818 | | | data2_tree = proto_item_add_subtree(td2, ett_netb_status); |
| 819 | | | if (data2 & 0x8000) { |
Event 2:
Taking true branch. data2 & 0x8000 (shown by the analyzer as decimal 32768) evaluates to true, i.e. the top bit of the 16-bit status word is set.
|
|
| 820 | | | proto_tree_add_text(data2_tree, tvb, offset, 2, "%s", |
| 821 | | | decode_boolean_bitfield(data2, 0x8000, 8*2, |
| 822 | [+] | | "Data length exceeds maximum frame size", NULL)); |
Event 3:
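NULL is passed to decode_boolean_bitfield() as the fifth argument. The analyzer reports that this argument is dereferenced later inside the callee, causing a null pointer dereference. Triage note: this call is reached only when data2 & 0x8000 is non-zero (Event 2), and the same value and mask are passed to decode_boolean_bitfield(). The fifth argument is presumably the description used when the bit is clear. Whether it is actually read on this path depends on the callee's body, which is not shown here, so confirm that before treating the warning as a reachable crash.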
|
|
 |
| |