(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ncp2222.inc) |
| |
| 9328 | | | dissect_nds_request(tvbuff_t *tvb, packet_info *pinfo, |
| 9329 | | | guint32 nw_connection, guint8 sequence, |
| 9330 | | | guint16 type, proto_tree *ncp_tree) |
| 9331 | | | { |
| 9332 | | | guint8 func, subfunc = 0; |
| 9333 | | | ncp_req_hash_value *request_value = NULL; |
| 9334 | | | ncp_req_eid_hash_value *request_eid_value = NULL; |
| 9335 | | | const ncp_record *ncp_rec = NULL; |
| 9336 | | | conversation_t *conversation; |
| 9337 | | | ptvcursor_t *ptvc = NULL; |
Event 1:
ptvc is initialized to NULL here and is dereferenced later, causing the null pointer dereference.
| 9338 | | | proto_tree *temp_tree = NULL; |
| 9339 | | | gboolean run_req_cond = FALSE; |
| 9340 | | | gboolean run_info_str = FALSE; |
| 9341 | | | guint8 nds_verb = 0; |
| 9342 | | | const char *verb_string = ""; |
| 9343 | | | guint32 nds_frag = 0; |
| 9344 | | | gboolean added_arrow; |
| 9345 | | | nds_val pvalues[9], prot_flags[1]; |
| 9346 | | | guint8 nds_version = 0; |
| 9347 | | | guint32 foffset = 0; |
| 9348 | | | char global_object_name[256]; |
| 9349 | | | guint32 global_eid=0; |
| 9350 | | | gboolean resolve_eid=FALSE; |
| 9351 | | | guint32 global_flags=0, nds_prot_flags=0; |
| 9352 | | | int i; |
| 9353 | | | |
| 9354 | | | for (i = 0; i < 9; i++) { |
| 9355 | | | pvalues[i].vtype = 0; |
| 9356 | | | pvalues[i].vvalue = 0; |
| 9357 | | | pvalues[i].vlength = 0; |
| 9358 | | | pvalues[i].voffset = 0; |
| 9359 | | | pvalues[i].hfname = 0; |
| 9360 | | | pvalues[i].vdesc = ""; |
| 9361 | | | pvalues[i].vstring = NULL; |
| 9362 | | | pvalues[i].mvtype = 0; |
| 9363 | | | pvalues[i].vflags = 0; |
| 9364 | | | } |
| 9365 | | | |
| 9366 | | | global_object_name[0] = '\0'; |
| 9367 | | | |
| 9368 | | | func = tvb_get_guint8(tvb, 6); |
| 9369 | | | subfunc = tvb_get_guint8(tvb, 7); |
| 9370 | | | |
| 9371 | | | ncp_rec = ncp_record_find(func, subfunc); |
| 9372 | | | |
| 9373 | | | |
| 9374 | | | nds_frag = tvb_get_letohl(tvb, 8); |
| 9375 | | | |
| 9376 | | | |
| 9377 | | | if (nds_frag == 0xffffffff) { |
Event 3:
Skipping the "if" body: nds_frag == 4294967295 (0xffffffff) evaluates to false.
| 9378 | | | |
| 9379 | | | nds_verb = tvb_get_guint8(tvb, 24); |
| 9380 | | | if (nds_verb == 0xfe) |
| 9381 | | | { |
| 9382 | | | nds_version = nds_verb; |
| 9383 | | | nds_verb = tvb_get_guint8(tvb, 32); |
| 9384 | | | foffset = 36; |
| 9385 | | | } |
| 9386 | | | else |
| 9387 | | | { |
| 9388 11712 |  | | [ Lines 9388 to 11712 omitted. ] |
| 11713 | | | pvalues[5].hfname= hf_nds_iterator; |
| 11714 | | | pvalues[5].mvtype = MVTYPE_PROCESS_ITERATOR; |
| 11715 | | | foffset = foffset+pvalues[5].vlength; |
| 11716 | | | break; |
| 11717 | | | default: |
| 11718 | | | pvalues[0].vtype = VTYPE_NONE; |
| 11719 | | | break; |
| 11720 | | | } |
| 11721 | | | } |
| 11722 | | | |
| 11723 | [+] | | if (check_col(pinfo->cinfo, COL_INFO)) { |
 |
| 11724 | | | if (ncp_rec) { |
| 11725 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, "NDS"); |
| 11726 | | | if (nds_frag != 0xffffffff) { |
| 11727 | | | col_add_fstr(pinfo->cinfo, COL_INFO, "C Continue NDS Fragment 0x%08x", nds_frag); |
| 11728 | | | } |
| 11729 | | | else { |
| 11730 | | | col_add_fstr(pinfo->cinfo, COL_INFO, "C NDS %s", verb_string); |
| 11731 | | | } |
| 11732 | | | run_info_str = TRUE; |
| 11733 | | | } |
| 11734 | | | else { |
| 11735 | | | col_add_fstr(pinfo->cinfo, COL_INFO, |
| 11736 | | | "C Unknown Function %d (0x%02x)", |
| 11737 | | | func, func); |
| 11738 | | | } |
| 11739 | | | |
| 11740 | | | } |
| 11741 | | | |
| 11742 | | | |
| 11743 | | | |
| 11744 | | | |
| 11745 | | | |
| 11746 | | | |
| 11747 | | | |
| 11748 | | | |
| 11749 | | | conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, |
| 11750 | [+] | | PT_NCP, nw_connection, nw_connection, 0); |
 |
| 11751 | | | if (conversation == NULL) { |
Event 13:
Skipping the "if" body: conversation == (void *)0 evaluates to false.
| 11752 | | | |
| 11753 | | | conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, |
| 11754 | | | PT_NCP, nw_connection, nw_connection, 0); |
| 11755 | | | } |
| 11756 | | | |
| 11757 | | | if (!pinfo->fd->flags.visited) { |
Event 14:
Skipping the "if" body: pinfo->fd->flags.visited evaluates to true, so the negated condition is false.
| 11758 | | | request_value = ncp_hash_insert(conversation, sequence, ncp_rec); |
| 11759 | | | request_value->req_frame_num = pinfo->fd->num; |
| 11760 | | | request_value->req_frame_time=pinfo->fd->abs_ts; |
| 11761 | | | |
| 11762 | | | |
| 11763 | | | |
| 11764 | | | |
| 11765 | | | |
| 11766 | | | |
| 11767 | | | |
| 11768 | | | |
| 11769 | | | if (ncp_rec && !ncp_tree) { |
| 11770 | | | run_req_cond = TRUE; |
| 11771 | | | } |
| 11772 | | | |
| 11773 | | | request_value->nds_frag_num = nds_frag; |
| 11774 | | | } |
| 11775 | | | |
| 11776 | | | |
| 11777 | | | |
| 11778 | | | |
| 11779 | | | |
| 11780 | | | if ((run_info_str || run_req_cond) && !ncp_tree) { |
Event 15:
Skipping the "if" body: run_info_str evaluates to false and run_req_cond evaluates to false.
| 11781 | | | proto_item *ti; |
| 11782 | | | |
| 11783 | | | temp_tree = proto_tree_create_root(); |
| 11784 | | | proto_tree_set_visible(temp_tree, FALSE); |
| 11785 | | | ti = proto_tree_add_item(temp_tree, proto_ncp, tvb, 0, -1, FALSE); |
| 11786 | | | ncp_tree = proto_item_add_subtree(ti, ett_ncp); |
| 11787 | | | } |
| 11788 | | | |
| 11789 | | | if (ncp_tree) { |
Event 16:
Taking the true branch: ncp_tree evaluates to true.
| 11790 | | | |
| 11791 | | | |
| 11792 | | | |
| 11793 | | | |
| 11794 | | | |
| 11795 | | | |
| 11796 | | | |
| 11797 | | | |
| 11798 | | | CLEANUP_PUSH(free_proto_tree, temp_tree);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/except.h |
| |
124 | #define except_cleanup_push(F, C) \ |
125 | { \ |
126 | struct except_stacknode except_sn; \ |
127 | struct except_cleanup except_cl; \ |
128 | except_setup_clean(&except_sn, &except_cl, F, C) |
| |
|
| 11799 | | | |
| 11800 | | | #ifdef FAKE_TREE_IS_VISIBLE |
| 11801 | | | PTREE_DATA(ncp_tree)->visible=1;
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
346 | #define PTREE_DATA(proto_tree) ((proto_tree)->tree_data) |
| |
|
| 11802 | | | #endif |
| 11803 | | | |
| 11804 | | | request_value = ncp_hash_lookup(conversation, sequence); |
| 11805 | | | switch (type) { |
Event 17:
Executing the default case of the switch on type.
| 11806 | | | case NCP_BROADCAST_SLOT: |
| 11807 | | | ; |
| 11808 | | | break; |
| 11809 | | | |
| 11810 | | | case NCP_SERVICE_REQUEST: |
| 11811 | | | |
| 11812 | | | ptvc = ptvcursor_new(ncp_tree, tvb, 7); |
| 11813 | | | if (ncp_rec && ncp_rec->request_ptvc) |
| 11814 | | | { |
| 11815 | | | clear_repeat_vars(); |
| 11816 11992 |  | | [ Lines 11816 to 11992 omitted. ] |
| 11993 | | | { |
| 11994 | | | request_value->nds_request_verb = nds_verb; |
| 11995 | | | request_value->nds_version = nds_version; |
| 11996 | | | g_strlcpy(request_value->object_name, global_object_name, 256); |
| 11997 | | | request_value->req_nds_flags = global_flags; |
| 11998 | | | request_value->req_nds_prot_flags = nds_prot_flags; |
| 11999 | | | } |
| 12000 | | | } |
| 12001 | | | break; |
| 12002 | | | |
| 12003 | | | default: |
| 12004 | | | ; |
| 12005 | | | break; |
| 12006 | | | } |
| 12007 | [+] | | ptvcursor_free(ptvc); |
Event 18:
ptvc, which is still NULL on this path (the switch took the default case, so the ptvcursor_new() call in the NCP_SERVICE_REQUEST case never ran), is passed to ptvcursor_free(). See related event 1.