(/home/sate/Testcases/c/cve/wireshark-1.2.0/wiretap/daintree-sna.c) |
| |
| 132 | | | daintree_sna_read(wtap *wth, int *err, gchar **err_info _U_, gint64 *data_offset) |
| 133 | | | { |
| 134 | | | guint64 seconds; |
| 135 | | | |
| 136 | | | *data_offset = wth->data_offset; |
| 137 | | | |
| 138 | | | |
| 139 | | | |
| 140 | | | do { |
| 141 | | | if (file_gets(readLine, DAINTREE_MAX_LINE_SIZE, wth->fh) == NULL) { |
| 142 | | | *err = file_error(wth->fh); |
| 143 | | | return FALSE; |
| 144 | | | } |
| 145 | | | wth->data_offset += strlen(readLine); |
| 146 | | | } while (readLine[0] == ); |
Event 3:
Leaving loop. readLine[0] == daintree_magic_text[0] evaluates to false.
hide
|
|
| 147 | | | |
| 148 | | | |
| 149 | | | if (sscanf(readLine, "%*s %" G_GINT64_MODIFIER "u.%u %u %s", |
Event 5:
"%*s %llu.%u %u %s" is passed to __isoc99_sscanf() as the second argument.
hide
|
|
| 150 | | | &seconds, &wth->phdr.ts.nsecs, |
| 151 | | | &wth->phdr.len, readData) != 4) { |
Event 4:
readData is passed to __isoc99_sscanf() as the sixth argument. - This points to the buffer that will be overrun later.
hide
Buffer Overrun
This code could write past the end of the buffer pointed to by readData. - __isoc99_sscanf() writes an unknown and potentially dangerous [?unknown and potentially dangerous: the value cannot be determined and may come from program input] number of bytes starting at the beginning of the buffer pointed to by readData, whose capacity is 256 bytes.
- The number of bytes written could exceed the number of allocated bytes.
- If the access length is higher than 256, an overrun will occur. The analysis cannot rule out this possibility, so has issued this warning.
- The overrun occurs in static memory.
The issue can occur if the highlighted code executes. See related events 4 and 5. Show: All events | Only primary events |
|
| |