(/home/sate/Testcases/c/cve/wireshark-1.2.0/wiretap/daintree-sna.c) |
| |
| 186 | | | daintree_sna_seek_read(wtap *wth, gint64 seek_off, union |
| 187 | | | * _U_, guchar *pd, int len, int *err, |
| 188 | | | gchar **err_info _U_) |
| 189 | | | { |
| 190 | | | guint pkt_len; |
| 191 | | | |
| 192 | [+] | | if(file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
x /usr/include/stdio.h |
| |
141 | #define SEEK_SET 0 /* Seek from beginning of file. */ |
| |
|
 |
| 193 | | | return FALSE; |
| 194 | | | |
| 195 | | | |
| 196 | | | |
| 197 | | | do { |
| 198 | | | if (file_gets(seekLine, DAINTREE_MAX_LINE_SIZE, wth->random_fh) == NULL) { |
| 199 | | | *err = file_error(wth->random_fh); |
| 200 | | | return FALSE; |
| 201 | | | } |
| 202 | | | } while (seekLine[0] == ); |
Event 6:
Leaving loop. seekLine[0] == daintree_magic_text[0] evaluates to false.
hide
|
|
| 203 | | | |
| 204 | | | |
| 205 | | | if (sscanf(seekLine, "%*s %*u.%*u %*u %s", seekData) != 1) { |
Event 7:
seekData is passed to __isoc99_sscanf() as the third argument. - This points to the buffer that will be overrun later.
hide
Event 8:
"%*s %*u.%*u %*u %s" is passed to __isoc99_sscanf() as the second argument.
hide
Buffer Overrun
This code could write past the end of the buffer pointed to by seekData. - __isoc99_sscanf() writes an unknown and potentially dangerous [?unknown and potentially dangerous: the value cannot be determined and may come from program input] number of bytes starting at the beginning of the buffer pointed to by seekData, whose capacity is 256 bytes.
- The number of bytes written could exceed the number of allocated bytes.
- If the access length is higher than 256, an overrun will occur. The analysis cannot rule out this possibility, so has issued this warning.
- The overrun occurs in static memory.
The issue can occur if the highlighted code executes. See related events 7 and 8. Show: All events | Only primary events |
|
| |