(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ldap.c) |
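/*
 * Pair an LDAP request with its response (or a response with its request)
 * by messageId within the conversation, and add the generated
 * "response in" / "response to" / round-trip time items to the tree.
 *
 * tvb, pinfo, tree  dissector context; pinfo->private_data must point at
 *                   the conversation's ldap_conv_info_t (not checked here).
 * messageId         LDAPMessage messageId of the PDU being dissected.
 * protocolOpTag     tag of the protocolOp CHOICE of that PDU.
 *
 * Returns the ldap_call_response_t record describing the pair, or NULL when
 * nothing is annotated: a request on its first pass (it is only recorded in
 * ldap_info->unmatched), a response for which no request was recorded, or an
 * operation that is not tracked at all.  The record lives in seasonal
 * (se_alloc) memory and is owned by the hash tables; callers must not free it.
 */
static ldap_call_response_t *
ldap_match_call_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint messageId, guint protocolOpTag)
{
	ldap_call_response_t lcr, *lcrp=NULL;
	ldap_conv_info_t *ldap_info = (ldap_conv_info_t *)pinfo->private_data;

	/*
	 * Build the key for the "matched" table: a request is identified by
	 * its own frame as req_frame, a response by its frame as rep_frame.
	 */
	lcr.messageId=messageId;
	switch(protocolOpTag){
	case LDAP_REQ_BIND:
	case LDAP_REQ_SEARCH:
	case LDAP_REQ_MODIFY:
	case LDAP_REQ_ADD:
	case LDAP_REQ_DELETE:
	case LDAP_REQ_MODRDN:
	case LDAP_REQ_COMPARE:
	case LDAP_REQ_EXTENDED:
		lcr.is_request=TRUE;
		lcr.req_frame=pinfo->fd->num;
		lcr.rep_frame=0;
		break;
	case LDAP_RES_BIND:
	case LDAP_RES_SEARCH_ENTRY:
	case LDAP_RES_SEARCH_REF:
	case LDAP_RES_SEARCH_RESULT:
	case LDAP_RES_MODIFY:
	case LDAP_RES_ADD:
	case LDAP_RES_DELETE:
	case LDAP_RES_MODRDN:
	case LDAP_RES_COMPARE:
	case LDAP_RES_EXTENDED:
		lcr.is_request=FALSE;
		lcr.req_frame=0;
		lcr.rep_frame=pinfo->fd->num;
		break;
	default:
		/*
		 * Operations that are not tracked have nothing to match.
		 * Without this branch lcr.is_request, lcr.req_frame and
		 * lcr.rep_frame were left uninitialized and then handed to
		 * g_hash_table_lookup() as part of the key.
		 */
		return NULL;
	}

	/* Second and later passes: the pair was already established. */
	lcrp=g_hash_table_lookup(ldap_info->matched, &lcr);

	if(lcrp){
		/* The same record is found from both sides; mark which one this is. */
		lcrp->is_request=lcr.is_request;
	} else {
		/*
		 * First pass: record requests as pending, and pair a response
		 * with the pending request that carries the same messageId.
		 */
		switch(protocolOpTag){
		case LDAP_REQ_BIND:
		case LDAP_REQ_SEARCH:
		case LDAP_REQ_MODIFY:
		case LDAP_REQ_ADD:
		case LDAP_REQ_DELETE:
		case LDAP_REQ_MODRDN:
		case LDAP_REQ_COMPARE:
		case LDAP_REQ_EXTENDED:
			/*
			 * A pending request with the same messageId (an id that was
			 * never answered and is being reused) is dropped from the
			 * table and its record recycled instead of leaked.
			 */
			lcr.messageId=messageId;
			lcrp=g_hash_table_lookup(ldap_info->unmatched, &lcr);
			if(lcrp){
				g_hash_table_remove(ldap_info->unmatched, lcrp);
			}

			if(!lcrp){
				/*
				 * se_alloc() does not zero the memory; every field of
				 * the record used in this function is assigned below.
				 * NOTE(review): if ldap_call_response_t has further
				 * fields, se_alloc0() would be safer - confirm.
				 */
				lcrp=se_alloc(sizeof(ldap_call_response_t));
			}
			lcrp->messageId=messageId;
			lcrp->req_frame=pinfo->fd->num;
			lcrp->req_time=pinfo->fd->abs_ts;
			lcrp->rep_frame=0;
			lcrp->protocolOpTag=protocolOpTag;
			lcrp->is_request=TRUE;
			g_hash_table_insert(ldap_info->unmatched, lcrp, lcrp);
			/* Nothing to annotate on a request's first pass. */
			return NULL;
		case LDAP_RES_BIND:
		case LDAP_RES_SEARCH_ENTRY:
		case LDAP_RES_SEARCH_REF:
		case LDAP_RES_SEARCH_RESULT:
		case LDAP_RES_MODIFY:
		case LDAP_RES_ADD:
		case LDAP_RES_DELETE:
		case LDAP_RES_MODRDN:
		case LDAP_RES_COMPARE:
		case LDAP_RES_EXTENDED:
			lcr.messageId=messageId;
			lcrp=g_hash_table_lookup(ldap_info->unmatched, &lcr);

			if(lcrp){
				/*
				 * Only the first response completes the pair: move the
				 * record from "unmatched" to "matched".  A record that
				 * already has a rep_frame is left where it is.
				 */
				if(!lcrp->rep_frame){
					g_hash_table_remove(ldap_info->unmatched, lcrp);
					lcrp->rep_frame=pinfo->fd->num;
					lcrp->is_request=FALSE;
					g_hash_table_insert(ldap_info->matched, lcrp, lcrp);
				}
			}
			break;
		default:
			/* Not reachable: the first switch returned for untracked tags. */
			break;
		}
	}

	/*
	 * lcrp is still NULL here for a response whose request was never
	 * seen.  Static analysis reports a "Null Test After Dereference" for
	 * this test, citing the dereference in the if(lcrp) branch above;
	 * that dereference is guarded by the same test, so the report only
	 * holds on the matched path.  On the else path the test is required.
	 */
	if(lcrp){
		proto_item *it;

		if(lcrp->is_request){
			it=proto_tree_add_uint(tree, hf_ldap_response_in, tvb, 0, 0, lcrp->rep_frame);
			/* PROTO_ITEM_SET_GENERATED() is a no-op for a NULL item. */
			PROTO_ITEM_SET_GENERATED(it);
		} else {
			nstime_t ns;
			it=proto_tree_add_uint(tree, hf_ldap_response_to, tvb, 0, 0, lcrp->req_frame);
			PROTO_ITEM_SET_GENERATED(it);
			/* Round-trip time: this response's timestamp minus the request's. */
			nstime_delta(&ns, &pinfo->fd->abs_ts, &lcrp->req_time);
			it=proto_tree_add_time(tree, hf_ldap_time, tvb, 0, 0, &ns);
			PROTO_ITEM_SET_GENERATED(it);
		}
	}

	return lcrp;
}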