(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-radius.c) |
| |
| 1298 | | | dissect_radius(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) |
| 1299 | | | { |
| 1300 | | | proto_tree *radius_tree = NULL; |
| 1301 | | | proto_tree *avptree = NULL; |
| 1302 | | | proto_item *ti, *hidden_item; |
| 1303 | | | proto_item *avptf; |
| 1304 | | | guint avplength; |
| 1305 | | | e_radiushdr rh; |
| 1306 | | | radius_info_t *rad_info; |
| 1307 | | | |
| 1308 | | | |
| 1309 | | | conversation_t* conversation; |
| 1310 | | | radius_call_info_key radius_call_key; |
| 1311 | | | radius_call_info_key *new_radius_call_key = NULL; |
| 1312 | | | radius_call_t *radius_call = NULL; |
| 1313 | | | nstime_t delta; |
| 1314 | | | static address null_address = { AT_NONE, 0, NULL }; |
| 1315 | | | |
| 1316 | | | |
| 1317 | | | |
| 1318 | | | if(!is_radius(tvb)){ |
Event 1:
Skipping " if". is_radius(tvb) evaluates to true.
|
|
| 1319 | | | return 0; |
| 1320 | | | } |
| 1321 | | | |
| 1322 | | | |
| 1323 | | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) |
Event 2:
Taking true branch. check_col(...) evaluates to true.
|
|
| 1324 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, "RADIUS"); |
| 1325 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
Event 3:
Skipping " if". check_col(...) evaluates to false.
|
|
| 1326 | | | col_clear(pinfo->cinfo, COL_INFO); |
| 1327 | | | |
| 1328 | | | rh.rh_code=tvb_get_guint8(tvb,0); |
| 1329 | | | rh.rh_ident=tvb_get_guint8(tvb,1); |
| 1330 | | | rh.rh_pktlength=tvb_get_ntohs(tvb,2); |
| 1331 | | | |
| 1332 | | | |
| 1333 | | | |
| 1334 | | | rad_info = ep_alloc(sizeof(radius_info_t)); |
| 1335 | | | rad_info->code = 0; |
| 1336 | | | rad_info->ident = 0; |
| 1337 | | | rad_info->req_time.secs = 0; |
| 1338 | | | rad_info->req_time.nsecs = 0; |
| 1339 | | | rad_info->is_duplicate = FALSE; |
| 1340 | | | rad_info->request_available = FALSE; |
| 1341 | | | rad_info->req_num = 0; |
| 1342 | | | rad_info->rspcode = 0; |
| 1343 | | | |
| 1344 | | | rad_info->code = rh.rh_code; |
| 1345 | | | rad_info->ident = rh.rh_ident; |
| 1346 | | | tap_queue_packet(radius_tap, pinfo, rad_info); |
| 1347 | | | |
| 1348 | | | |
| 1349 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
Event 4:
Skipping " if". check_col(...) evaluates to false.
|
|
| 1350 | | | { |
| 1351 | | | col_add_fstr(pinfo->cinfo,COL_INFO,"%s(%d) (id=%d, l=%d)", |
| 1352 | | | val_to_str(rh.rh_code,radius_vals,"Unknown Packet"), |
| 1353 | | | rh.rh_code, rh.rh_ident, rh.rh_pktlength); |
| 1354 | | | } |
| 1355 | | | |
| 1356 | | | |
| 1357 | | | if (tree) |
Event 5:
Taking true branch. tree evaluates to true.
|
|
| 1358 | | | { |
| 1359 | | | |
| 1360 | | | DISSECTOR_ASSERT(proto_registrar_get_byname("radius.code"));
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
117 | #define DISSECTOR_ASSERT(expression) \ |
118 | ((void) ((expression) ? (void)0 : \ |
119 | __DISSECTOR_ASSERT (expression, __FILE__, __LINE__))) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
138 | #define __DISSECTOR_ASSERT(expression, file, lineno) \ |
139 | (REPORT_DISSECTOR_BUG( \ |
140 | ep_strdup_printf("%s:%u: failed assertion \"%s\"", \ |
141 | file, lineno, __DISSECTOR_ASSERT_STRINGIFY(expression)))) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
106 | #define REPORT_DISSECTOR_BUG(message) \ |
107 | ((getenv("WIRESHARK_ABORT_ON_DISSECTOR_BUG") != NULL) ? \ |
108 | abort() : \ |
109 | THROW_MESSAGE(DissectorError, message)) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/exceptions.h |
| |
226 | #define THROW_MESSAGE(x, y) \ |
227 | except_throw(XCEPT_GROUP_WIRESHARK, (x), (y)) |
| |
|
Event 6:
proto_registrar_get_byname(...) evaluates to true.
|
|
| 1361 | | | |
| 1362 | | | ti = proto_tree_add_item(tree,proto_radius, tvb, 0, rh.rh_pktlength, FALSE); |
| 1363 | | | |
| 1364 | | | radius_tree = proto_item_add_subtree(ti, ett_radius); |
| 1365 | | | |
| 1366 | | | proto_tree_add_uint(radius_tree,hf_radius_code, tvb, 0, 1, rh.rh_code); |
| 1367 | | | |
| 1368 | | | proto_tree_add_uint_format(radius_tree,hf_radius_id, tvb, 1, 1, rh.rh_ident, |
| 1369 | | | "Packet identifier: 0x%01x (%d)", rh.rh_ident, rh.rh_ident); |
| 1370 | | | } |
| 1371 | | | |
| 1372 | | | |
| 1373 | | | |
| 1374 | | | |
| 1375 | | | if (rh.rh_pktlength < HDR_LENGTH) |
Event 7:
Skipping " if". rh.rh_pktlength < 4 + 16 evaluates to false.
|
|
| 1376 | | | { |
| 1377 | | | if (tree) |
| 1378 | | | { |
| 1379 | | | proto_tree_add_uint_format(radius_tree, hf_radius_length, |
| 1380 | | | tvb, 2, 2, rh.rh_pktlength, |
| 1381 | | | "Length: %u (bogus, < %u)", |
| 1382 | | | rh.rh_pktlength, HDR_LENGTH); |
| 1383 | | | } |
| 1384 | | | goto end_of_radius; |
| 1385 | | | } |
| 1386 | | | avplength = rh.rh_pktlength - HDR_LENGTH; |
| 1387 | | | if (tree) |
Event 8:
Taking true branch. tree evaluates to true.
|
|
| 1388 | | | { |
| 1389 | | | proto_tree_add_uint(radius_tree, hf_radius_length, tvb, |
| 1390 | | | 2, 2, rh.rh_pktlength); |
| 1391 | | | |
| 1392 | | | proto_tree_add_item(radius_tree, hf_radius_authenticator, tvb, 4,AUTHENTICATOR_LENGTH,FALSE); |
| 1393 | | | } |
| 1394 | | | tvb_memcpy(tvb,authenticator,4,AUTHENTICATOR_LENGTH); |
| 1395 | | | |
| 1396 | | | if (tree) { |
Event 9:
Taking true branch. tree evaluates to true.
|
|
| 1397 | | | |
| 1398 | | | |
| 1399 | | | switch (rh.rh_code) |
Event 10:
rh.rh_code evaluates to 40.
|
|
| 1400 | | | { |
| 1401 | | | case RADIUS_ACCESS_REQUEST: |
| 1402 | | | case RADIUS_ACCOUNTING_REQUEST: |
| 1403 | | | case RADIUS_ACCESS_PASSWORD_REQUEST: |
| 1404 | | | case RADIUS_ASCEND_ACCESS_EVENT_REQUEST: |
| 1405 | | | case RADIUS_DISCONNECT_REQUEST: |
| 1406 | | | case RADIUS_CHANGE_FILTER_REQUEST: |
| 1407 | | | hidden_item = proto_tree_add_boolean(radius_tree, hf_radius_req, tvb, 0, 0, TRUE); |
Event 11:
!0 evaluates to true.
|
|
| 1408 | | | PROTO_ITEM_SET_HIDDEN(hidden_item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
319 | #define PROTO_ITEM_SET_HIDDEN(proto_item) \ |
320 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_HIDDEN) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
Event 12:
hidden_item evaluates to true.
|
|
| 1409 | | | |
| 1410 | | | |
| 1411 | | | |
| 1412 | | | |
| 1413 | | | |
| 1414 | | | |
| 1415 | | | |
| 1416 | | | |
| 1417 | | | |
| 1418 | | | |
| 1419 | | | |
| 1420 | | | |
| 1421 | | | |
| 1422 | | | |
| 1423 | | | |
| 1424 | | | conversation = find_conversation(pinfo->fd->num, &pinfo->src, |
| 1425 | | | &null_address, pinfo->ptype, pinfo->srcport, |
| 1426 | | | pinfo->destport, 0); |
| 1427 | | | if (conversation == NULL) |
Event 13:
Skipping " if". conversation == (void *)0 evaluates to false.
|
|
| 1428 | | | { |
| 1429 | | | |
| 1430 | | | conversation = conversation_new(pinfo->fd->num, &pinfo->src, |
| 1431 | | | &null_address, pinfo->ptype, pinfo->srcport, |
| 1432 | | | pinfo->destport, 0); |
| 1433 | | | } |
| 1434 | | | |
| 1435 | | | |
| 1436 | | | radius_call_key.code = rh.rh_code; |
| 1437 | | | radius_call_key.ident = rh.rh_ident; |
| 1438 | | | radius_call_key.conversation = conversation; |
| 1439 | | | radius_call_key.req_time = pinfo->fd->abs_ts; |
| 1440 | | | |
| 1441 | | | |
| 1442 | | | radius_call = g_hash_table_lookup(radius_calls, &radius_call_key); |
| 1443 | | | if (radius_call != NULL) |
Event 15:
Taking true branch. radius_call != (void *)0 evaluates to true.
|
|
| 1444 | | | { |
| 1445 | | | |
| 1446 | | | |
| 1447 | | | if (pinfo->fd->num != radius_call->req_num) |
Event 16:
Skipping " if". pinfo->fd->num != radius_call->req_num evaluates to false.
|
|
| 1448 | | | { |
| 1449 | | | |
| 1450 | | | rad_info->is_duplicate = TRUE; |
| 1451 | | | rad_info->req_num = radius_call->req_num; |
| 1452 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
| 1453 | | | { |
| 1454 | | | col_append_fstr(pinfo->cinfo, COL_INFO, |
| 1455 | | | ", Duplicate Request ID:%u", |
| 1456 | | | rh.rh_ident); |
| 1457 | | | } |
| 1458 | | | if (tree) |
| 1459 | | | { |
| 1460 | | | proto_item* item; |
| 1461 | | | hidden_item = proto_tree_add_uint(radius_tree, hf_radius_dup, tvb, 0,0, rh.rh_ident); |
| 1462 | | | PROTO_ITEM_SET_HIDDEN(hidden_item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
319 | #define PROTO_ITEM_SET_HIDDEN(proto_item) \ |
320 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_HIDDEN) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
| 1463 | | | item = proto_tree_add_uint(radius_tree, hf_radius_req_dup, tvb, 0,0, rh.rh_ident); |
| 1464 | | | PROTO_ITEM_SET_GENERATED(item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
325 | #define PROTO_ITEM_SET_GENERATED(proto_item) \ |
326 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_GENERATED) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
| 1465 | | | } |
| 1466 | | | } |
| 1467 | | | } |
| 1468 | | | else |
| 1469 | | | { |
| 1470 | | | |
| 1471 | | | |
| 1472 | | | |
| 1473 | | | |
| 1474 | | | |
| 1475 | | | new_radius_call_key = g_mem_chunk_alloc(radius_call_info_key_chunk); |
| 1476 | | | *new_radius_call_key = radius_call_key; |
| 1477 | | | radius_call = g_mem_chunk_alloc(radius_call_info_value_chunk); |
| 1478 | | | radius_call->req_num = pinfo->fd->num; |
| 1479 | | | radius_call->rsp_num = 0; |
| 1480 | | | radius_call->ident = rh.rh_ident; |
| 1481 | | | radius_call->code = rh.rh_code; |
| 1482 | | | radius_call->responded = FALSE; |
| 1483 | | | radius_call->req_time=pinfo->fd->abs_ts; |
| 1484 | | | radius_call->rspcode = 0; |
| 1485 | | | |
| 1486 | | | |
| 1487 | | | g_hash_table_insert(radius_calls, new_radius_call_key, radius_call); |
| 1488 | | | } |
| 1489 | | | if (radius_call && radius_call->rsp_num) |
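Null Test After Dereference
This code tests radius_call for null after it has already been dereferenced.
- If radius_call were null, there would have been a prior null pointer dereference at packet-radius.c:1447, and potentially at other locations as well.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test.
In the listing, the dereference at line 1447 is itself guarded by the radius_call != NULL check at line 1443; the unguarded dereference is the one at line 1478, on the pointer returned by g_mem_chunk_alloc at line 1477, so the test at line 1489 is redundant unless that allocation can return null.
The issue can occur if the highlighted code executes. See related event 17.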
|
| 1490 | | | { |
| 1491 | | | proto_item* item = proto_tree_add_uint_format(radius_tree, hf_radius_rsp_frame, |
| 1492 | | | tvb, 0, 0, radius_call->rsp_num, |
| 1493 | | | "The response to this request is in frame %u", |
| 1494 | | | radius_call->rsp_num); |
| 1495 | | | PROTO_ITEM_SET_GENERATED(item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
325 | #define PROTO_ITEM_SET_GENERATED(proto_item) \ |
326 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_GENERATED) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
| 1496 | | | } |
| 1497 | | | break; |
| 1498 | | | case RADIUS_ACCESS_ACCEPT: |
| 1499 | | | case RADIUS_ACCESS_REJECT: |
| 1500 | | | case RADIUS_ACCOUNTING_RESPONSE: |
| 1501 | | | case RADIUS_ACCESS_PASSWORD_ACK: |
| 1502 | | | case RADIUS_ACCESS_PASSWORD_REJECT: |
| 1503 | | | case RADIUS_ASCEND_ACCESS_EVENT_RESPONSE: |
| 1504 | | | case RADIUS_DISCONNECT_REQUEST_ACK: |
| 1505 | | | case RADIUS_DISCONNECT_REQUEST_NAK: |
| 1506 | | | case RADIUS_CHANGE_FILTER_REQUEST_ACK: |
| 1507 | | | case RADIUS_CHANGE_FILTER_REQUEST_NAK: |
| 1508 | | | hidden_item = proto_tree_add_boolean(radius_tree, hf_radius_rsp, tvb, 0, 0, TRUE); |
| 1509 | | | PROTO_ITEM_SET_HIDDEN(hidden_item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
319 | #define PROTO_ITEM_SET_HIDDEN(proto_item) \ |
320 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_HIDDEN) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
| 1510 | | | |
| 1511 | | | |
| 1512 | | | |
| 1513 | | | |
| 1514 | | | |
| 1515 | | | |
| 1516 | | | |
| 1517 | | | |
| 1518 | | | |
| 1519 | | | |
| 1520 | | | |
| 1521 | | | |
| 1522 | | | |
| 1523 | | | |
| 1524 | | | |
| 1525 | | | conversation = find_conversation(pinfo->fd->num, &null_address, |
| 1526 | | | &pinfo->dst, pinfo->ptype, pinfo->srcport, |
| 1527 | | | pinfo->destport, 0); |
| 1528 | | | if (conversation != NULL) |
| 1529 | | | { |
| 1530 | | | |
| 1531 | | | |
| 1532 | | | |
| 1533 | | | radius_call_key.code = rh.rh_code; |
| 1534 | | | radius_call_key.ident = rh.rh_ident; |
| 1535 | | | radius_call_key.conversation = conversation; |
| 1536 | | | radius_call_key.req_time = pinfo->fd->abs_ts; |
| 1537 | | | |
| 1538 | | | radius_call = g_hash_table_lookup(radius_calls, &radius_call_key); |
| 1539 | | | if (radius_call) |
| 1540 | | | { |
| 1541 | | | |
| 1542 | | | if (radius_call->req_num) |
| 1543 | | | { |
| 1544 | | | proto_item* item; |
| 1545 | | | rad_info->request_available = TRUE; |
| 1546 | | | rad_info->req_num = radius_call->req_num; |
| 1547 | | | radius_call->responded = TRUE; |
| 1548 | | | |
| 1549 | | | item = proto_tree_add_uint_format(radius_tree, hf_radius_req_frame, |
| 1550 | | | tvb, 0, 0, radius_call->req_num, |
| 1551 | | | "This is a response to a request in frame %u", |
| 1552 | | | radius_call->req_num); |
| 1553 | | | PROTO_ITEM_SET_GENERATED(item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
325 | #define PROTO_ITEM_SET_GENERATED(proto_item) \ |
326 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_GENERATED) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
| 1554 | | | nstime_delta(&delta, &pinfo->fd->abs_ts, &radius_call->req_time); |
| 1555 | | | item = proto_tree_add_time(radius_tree, hf_radius_time, tvb, 0, 0, &delta); |
| 1556 | | | PROTO_ITEM_SET_GENERATED(item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
325 | #define PROTO_ITEM_SET_GENERATED(proto_item) \ |
326 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_GENERATED) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
| 1557 | | | } |
| 1558 | | | |
| 1559 | | | if (radius_call->rsp_num == 0) |
| 1560 | | | { |
| 1561 | | | |
| 1562 | | | |
| 1563 | | | |
| 1564 | | | radius_call->rsp_num = pinfo->fd->num; |
| 1565 | | | } |
| 1566 | | | else |
| 1567 | | | { |
| 1568 | | | |
| 1569 | | | |
| 1570 | | | if ( (radius_call->rsp_num != pinfo->fd->num) && (radius_call->rspcode == rh.rh_code) ) |
| 1571 | | | { |
| 1572 | | | |
| 1573 | | | rad_info->is_duplicate = TRUE; |
| 1574 | | | if (check_col(pinfo->cinfo, COL_INFO)) |
| 1575 | | | { |
| 1576 | | | col_append_fstr(pinfo->cinfo, COL_INFO, |
| 1577 | | | ", Duplicate Response ID:%u", |
| 1578 | | | rh.rh_ident); |
| 1579 | | | } |
| 1580 | | | if (tree) |
| 1581 | | | { |
| 1582 | | | proto_item* item; |
| 1583 | | | hidden_item = proto_tree_add_uint(radius_tree, hf_radius_dup, tvb, 0,0, rh.rh_ident); |
| 1584 | | | PROTO_ITEM_SET_HIDDEN(hidden_item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
319 | #define PROTO_ITEM_SET_HIDDEN(proto_item) \ |
320 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_HIDDEN) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
| 1585 | | | item = proto_tree_add_uint(radius_tree, hf_radius_rsp_dup, |
| 1586 | | | tvb, 0, 0, rh.rh_ident); |
| 1587 | | | PROTO_ITEM_SET_GENERATED(item);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
325 | #define PROTO_ITEM_SET_GENERATED(proto_item) \ |
326 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_GENERATED) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
| 1588 | | | } |
| 1589 | | | } |
| 1590 | | | } |
| 1591 | | | |
| 1592 | | | radius_call->rspcode = rh.rh_code; |
| 1593 | | | rad_info->rspcode = rh.rh_code; |
| 1594 | | | } |
| 1595 | | | } |
| 1596 | | | break; |
| 1597 | | | default: |
| 1598 | | | break; |
| 1599 | | | } |
| 1600 | | | |
| 1601 | | | if (radius_call) |
| 1602 | | | { |
| 1603 | | | rad_info->req_time.secs = radius_call->req_time.secs; |
| 1604 | | | rad_info->req_time.nsecs = radius_call->req_time.nsecs; |
| 1605 | | | } |
| 1606 | | | |
| 1607 | | | if (avplength > 0) { |
| 1608 | | | |
| 1609 | | | avptf = proto_tree_add_text(radius_tree, tvb, HDR_LENGTH, |
| 1610 | | | avplength, "Attribute Value Pairs"); |
| 1611 | | | avptree = proto_item_add_subtree(avptf, ett_radius_avp); |
| 1612 | | | |
| 1613 | | | dissect_attribute_value_pairs(avptree, pinfo, tvb, HDR_LENGTH, |
| 1614 | | | avplength); |
| 1615 | | | } |
| 1616 | | | } |
| 1617 | | | |
| 1618 | | | end_of_radius: |
| 1619 | | | return tvb_length(tvb); |
| 1620 | | | } |
| |