(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-dcerpc.c) |
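dissect_dcerpc_cn_resp (tvbuff_t *tvb, gint offset, packet_info *pinfo,
                        proto_tree *dcerpc_tree, proto_tree *tree,
                        e_dce_cn_common_hdr_t *hdr)
/*
 * Dissect the body of a connection-oriented DCE/RPC response PDU.
 *
 *   tvb         - buffer holding the PDU; offset points at the first byte
 *                 after the common header.
 *   offset      - start of the response-specific fields.
 *   pinfo       - packet info; the frame number, addresses/ports and the
 *                 summary columns are read and updated.
 *   dcerpc_tree - DCE/RPC subtree the fields are added to.
 *   tree        - top-level tree, only forwarded to dissect_dcerpc_cn_stub().
 *   hdr         - already parsed common header; only hdr->drep (data
 *                 representation) and hdr->call_id are used here.
 *
 * Fields are read in this order: alloc_hint (32 bit), context id (16 bit),
 * cancel count (8 bit), one byte that is skipped, then the authentication
 * trailer.  The response is then paired with its request through the
 * per-conversation call table (dcerpc_cn_calls) and the per-frame match
 * table (dcerpc_matched), and the stub data is handed to the stub dissector.
 *
 * Everything read here comes straight from the wire.  alloc_hint in
 * particular is forwarded unchanged to dissect_dcerpc_cn_stub() and has to
 * be treated as untrusted there.
 *
 * All output goes to the protocol trees, the COL_DCE_CTX / COL_INFO columns
 * and expert info; nothing is returned to the caller.
 */
{
    dcerpc_call_value *value = NULL;
    conversation_t *conv;
    guint16 ctx_id;
    dcerpc_auth_info auth_info;
    guint32 alloc_hint;
    proto_item *pi;
    proto_item *parent_pi;
    /* DCERPC_UUID_NULL is { 0,0,0, {0,0,0,0,0,0,0,0} } (packet-dcerpc.h);
     * used below to detect a response that carries no object UUID. */
    e_uuid_t obj_id_null = DCERPC_UUID_NULL;

    /* alloc_hint is the sender's claim about the stub size; it is only
     * passed on, never used to size anything in this function. */
    offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
                                    hf_dcerpc_cn_alloc_hint, &alloc_hint);

    offset = dissect_dcerpc_uint16 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
                                    hf_dcerpc_cn_ctx_id, &ctx_id);
    /* Mirror the context id in the label of the enclosing item, if any. */
    parent_pi = proto_tree_get_parent(dcerpc_tree);
    if(parent_pi != NULL) {
        proto_item_append_text(parent_pi, " Ctx: %u", ctx_id);
    }

    if (check_col (pinfo->cinfo, COL_DCE_CTX)) {
        /* pinfo->dcectxid == 0 is used as "no context id recorded for this
         * packet yet"; a later PDU in the same frame gets a "#" prefix.
         * NOTE(review): a genuine context id of 0 is indistinguishable from
         * the "unset" state, so the first PDU of such a frame is formatted
         * as if it were a follow-up. */
        if(pinfo->dcectxid == 0) {
            col_append_fstr (pinfo->cinfo, COL_DCE_CTX, "%u", ctx_id);
        } else {
            col_append_fstr (pinfo->cinfo, COL_DCE_CTX, "#%u", ctx_id);
        }
    }

    /* Remember the context id for any further PDUs in this frame. */
    pinfo->dcectxid = ctx_id;

    if (check_col (pinfo->cinfo, COL_INFO)) {
        col_append_fstr (pinfo->cinfo, COL_INFO, " ctx_id: %u", ctx_id);
    }

    offset = dissect_dcerpc_uint8 (tvb, offset, pinfo, dcerpc_tree, hdr->drep,
                                   hf_dcerpc_cn_cancel_count, NULL);

    /* One byte after the cancel count is skipped without being dissected;
     * presumably a reserved/padding byte -- confirm against the CO PDU
     * layout before relying on it. */
    offset++;

    /* Parse the auth trailer (if the header says there is one) into
     * auth_info; the stub and verifier dissection below depend on it. */
    dissect_dcerpc_cn_auth (tvb, offset, pinfo, dcerpc_tree, hdr, FALSE, &auth_info);

    conv = find_conversation (pinfo->fd->num, &pinfo->src, &pinfo->dst, pinfo->ptype,
                              pinfo->srcport, pinfo->destport, 0);

    if (!conv) {
        /* No conversation, so no bind state to match against: the stub can
         * only be shown as opaque bytes. */
        show_stub_data (tvb, offset, dcerpc_tree, &auth_info, TRUE);
    } else {
        dcerpc_matched_key matched_key, *new_matched_key;

        /* dcerpc_matched is keyed by (frame number, call_id), presumably so
         * that re-dissecting the same frame finds the same call without
         * touching the call table again. */
        matched_key.frame = pinfo->fd->num;
        matched_key.call_id = hdr->call_id;
        value=g_hash_table_lookup(dcerpc_matched, &matched_key);
        if(!value){
            dcerpc_cn_call_key call_key;
            dcerpc_call_value *call_value;

            /* First time this frame is seen: look the call up by
             * (conversation, call_id, transport salt). */
            call_key.conv=conv;
            call_key.call_id=hdr->call_id;
            call_key.smb_fid=dcerpc_get_transport_salt(pinfo);

            if((call_value=g_hash_table_lookup(dcerpc_cn_calls, &call_key))){
                /* Only pair with a request that was seen in an earlier
                 * frame; a call_id reused by a later request must not be
                 * matched to this response. */
                if(call_value->req_frame<pinfo->fd->num){
                    /* NOTE(review): the se_alloc() result is dereferenced
                     * without a NULL check; this is only safe if the
                     * allocator aborts on failure -- confirm. */
                    new_matched_key = se_alloc(sizeof (dcerpc_matched_key));
                    *new_matched_key = matched_key;
                    g_hash_table_insert (dcerpc_matched, new_matched_key, call_value);
                    value = call_value;
                    /* Record this frame as the reply frame unless one is
                     * already known (first response wins). */
                    if(call_value->rep_frame==0){
                        call_value->rep_frame=pinfo->fd->num;
                    }
                }
            }
        }

        if (value) {
            dcerpc_info *di;

            /* Fill in the per-PDU dissection info the stub dissector and
             * the interface-specific dissectors read from. */
            di=get_next_di();

            di->conv = conv;
            di->call_id = hdr->call_id;
            di->smb_fid = dcerpc_get_transport_salt(pinfo);
            di->ptype = PDU_RESP;
            di->call_data = value;

            /* The opnum comes from the matched request, not from this PDU,
             * hence the zero-length item. */
            proto_tree_add_uint (dcerpc_tree, hf_dcerpc_opnum, tvb, 0, 0, value->opnum);

            /* value is known to be non-NULL here (guarded by the enclosing
             * if), so the former "value &&" in this condition was a null
             * test after the dereference above and has been dropped.
             * The dcerpc_tree check avoids the guid_to_str() formatting
             * when there is no tree to add to (the other proto_tree_add_*
             * calls in this block pass dcerpc_tree unchecked, so presumably
             * they tolerate NULL -- confirm).
             * NOTE(review): memcmp() compares the raw bytes of the struct,
             * which is only reliable if e_uuid_t has no padding bytes. */
            if (dcerpc_tree && memcmp(&value->object_uuid, &obj_id_null, sizeof(obj_id_null)) != 0) {
                pi = proto_tree_add_guid_format (dcerpc_tree, hf_dcerpc_obj_id, tvb,
                                                 offset, 0, (e_guid_t *) &value->object_uuid, "Object UUID: %s",
                                                 guid_to_str((e_guid_t *) &value->object_uuid));
                /* PROTO_ITEM_SET_GENERATED() (proto.h) checks for a NULL
                 * item itself, so pi need not be tested first. */
                PROTO_ITEM_SET_GENERATED(pi);
            }

            if(value->req_frame!=0){
                nstime_t delta_ts;
                /* Link back to the request frame and show the round-trip
                 * time between request and this response. */
                pi = proto_tree_add_uint(dcerpc_tree, hf_dcerpc_request_in,
                                         tvb, 0, 0, value->req_frame);
                PROTO_ITEM_SET_GENERATED(pi);
                if(parent_pi != NULL) {
                    proto_item_append_text(parent_pi, ", [Req: #%u]", value->req_frame);
                }
                nstime_delta(&delta_ts, &pinfo->fd->abs_ts, &value->req_time);
                pi = proto_tree_add_time(dcerpc_tree, hf_dcerpc_time, tvb, offset, 0, &delta_ts);
                PROTO_ITEM_SET_GENERATED(pi);
            } else {
                /* The call is known (bind seen) but its request frame is
                 * not; flag it rather than silently skipping the link. */
                pi = proto_tree_add_text(dcerpc_tree,
                                         tvb, 0, 0, "No request to this DCE/RPC call found");
                expert_add_info_format(pinfo, pi, PI_SEQUENCE, PI_NOTE,
                                       "No request to this DCE/RPC call found");
            }

            /* alloc_hint is attacker-controlled input; the stub dissector
             * is responsible for bounding any use of it. */
            dissect_dcerpc_cn_stub (tvb, offset, pinfo, dcerpc_tree, tree,
                                    hdr, di, &auth_info, alloc_hint,
                                    value->rep_frame);
        } else {
            /* Conversation exists but no call matched: most likely the
             * bind/request happened before the capture started. */
            pi = proto_tree_add_text(dcerpc_tree, tvb, offset, 0, "No bind info for this interface Context ID - capture start too late?");
            PROTO_ITEM_SET_GENERATED(pi);
            expert_add_info_format(pinfo, pi, PI_UNDECODED, PI_NOTE, "No bind info for interface Context ID:%u",
                                   ctx_id);
            show_stub_data (tvb, offset, dcerpc_tree, &auth_info, TRUE);
        }
    }

    /* The auth verifier trails the stub data on every path above. */
    dissect_dcerpc_verifier (tvb, pinfo, dcerpc_tree, hdr, &auth_info);
}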