(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ldap.c) |
| |
| 3347 | | | dissect_ldap_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean is_mscldap) |
| 3348 | | | { |
| 3349 | | | int offset = 0; |
| 3350 | | | conversation_t *conversation; |
| 3351 | | | gboolean doing_sasl_security = FALSE; |
| 3352 | | | guint length_remaining; |
| 3353 | | | ldap_conv_info_t *ldap_info = NULL; |
| 3354 | | | proto_item *ldap_item = NULL; |
| 3355 | | | proto_tree *ldap_tree = NULL; |
| 3356 | | | |
| 3357 | | | ldm_tree = NULL; |
| 3358 | | | |
| 3359 | | | |
| 3360 | | | |
| 3361 | | | |
| 3362 | | | conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, |
| 3363 | | | pinfo->ptype, pinfo->srcport, |
| 3364 | | | pinfo->destport, 0); |
| 3365 | | | if (conversation == NULL) { |
Event 1:
Taking true branch. conversation == (void *)0 evaluates to true.
|
|
| 3366 | | | |
| 3367 | | | conversation = conversation_new(pinfo->fd->num, &pinfo->src, &pinfo->dst, |
| 3368 | | | pinfo->ptype, pinfo->srcport, |
| 3369 | | | pinfo->destport, 0); |
| 3370 | | | |
| 3371 | | | } |
| 3372 | | | |
| 3373 | | | |
| 3374 | | | |
| 3375 | | | |
| 3376 | [+] | | ldap_info = conversation_get_proto_data(conversation, proto_ldap); |
 |
| 3377 | | | if (ldap_info == NULL) { |
Event 4:
Skipping " if". ldap_info == (void *)0 evaluates to false.
|
|
| 3378 | | | |
| 3379 | | | |
| 3380 | | | |
| 3381 | | | ldap_info = g_malloc(sizeof(ldap_conv_info_t)); |
| 3382 | | | ldap_info->auth_type = 0; |
| 3383 | | | ldap_info->auth_mech = 0; |
| 3384 | | | ldap_info->first_auth_frame = 0; |
| 3385 | | | ldap_info->matched=g_hash_table_new(ldap_info_hash_matched, ldap_info_equal_matched); |
| 3386 | | | ldap_info->unmatched=g_hash_table_new(ldap_info_hash_unmatched, ldap_info_equal_unmatched); |
| 3387 | | | ldap_info->num_results = 0; |
| 3388 | | | ldap_info->start_tls_frame = 0; |
| 3389 | | | ldap_info->start_tls_pending = FALSE; |
| 3390 | | | |
| 3391 | | | conversation_add_proto_data(conversation, proto_ldap, ldap_info); |
| 3392 | | | |
| 3393 | | | ldap_info->next = ldap_info_items; |
| 3394 | | | ldap_info_items = ldap_info; |
| 3395 | | | |
| 3396 | | | } |
| 3397 | | | |
| 3398 | | | switch (ldap_info->auth_type) { |
Event 5:
ldap_info->auth_type evaluates to 3.
|
|
| 3399 | | | case LDAP_AUTH_SASL: |
| 3400 | | | |
| 3401 | | | |
| 3402 | | | |
| 3403 | | | if (ldap_info->first_auth_frame != 0 && |
| 3404 | | | pinfo->fd->num >= ldap_info->first_auth_frame) { |
| 3405 | | | doing_sasl_security = TRUE; |
Event 7:
!0 evaluates to true.
|
|
| 3406 | | | } |
| 3407 | | | } |
| 3408 | | | |
| 3409 | [+] | | length_remaining = tvb_ensure_length_remaining(tvb, offset); |
 |
| 3410 | | | |
| 3411 | | | |
| 3412 | | | |
| 3413 | | | |
| 3414 | | | |
| 3415 | | | |
| 3416 | | | if(!doing_sasl_security && (tvb_bytes_exist(tvb, offset, 5)) |
Event 20:
Skipping " if". doing_sasl_security evaluates to true.
|
|
| 3417 | | | &&(tvb_get_ntohl(tvb, offset)<=(guint)(tvb_reported_length_remaining(tvb, offset)-4)) |
| 3418 | | | &&(tvb_get_guint8(tvb, offset+4)==0x60) ){ |
| 3419 | | | ldap_info->auth_type=LDAP_AUTH_SASL; |
| 3420 | | | ldap_info->first_auth_frame=pinfo->fd->num; |
| 3421 | | | ldap_info->auth_mech=g_strdup("GSS-SPNEGO"); |
| 3422 | | | doing_sasl_security=TRUE; |
| 3423 | | | } |
| 3424 | | | |
| 3425 | | | |
| 3426 | | | |
| 3427 | | | |
| 3428 | | | |
| 3429 | | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) col_set_str(pinfo->cinfo, COL_PROTOCOL, pinfo->current_proto); |
Event 21:
Taking true branch. check_col(...) evaluates to true.
|
|
| 3430 | | | |
| 3431 | | | if(last_frame_seen == pinfo->fd->num) { |
Event 22:
Taking true branch. last_frame_seen == pinfo->fd->num evaluates to true.
|
|
| 3432 | | | |
| 3433 | [+] | | if (check_col(pinfo->cinfo, COL_INFO)) { |
 |
| 3434 | | | col_append_str(pinfo->cinfo, COL_INFO, "| "); |
| 3435 | | | col_set_fence(pinfo->cinfo, COL_INFO); |
| 3436 | | | } |
| 3437 | | | } else |
| 3438 | | | if (check_col(pinfo->cinfo, COL_INFO)) col_clear(pinfo->cinfo, COL_INFO); |
| 3439 | | | |
| 3440 | | | last_frame_seen = pinfo->fd->num; |
| 3441 | | | |
| 3442 | | | ldap_item = proto_tree_add_item(tree, is_mscldap?proto_cldap:proto_ldap, tvb, 0, -1, FALSE); |
Event 26:
is_mscldap evaluates to false.
|
|
| 3443 | [+] | | ldap_tree = proto_item_add_subtree(ldap_item, ett_ldap); |
 |
| 3444 | | | |
| 3445 | | | |
| 3446 | | | |
| 3447 | | | |
| 3448 | | | |
| 3449 | | | |
| 3450 | | | |
| 3451 | | | |
| 3452 | | | |
| 3453 | | | |
| 3454 | | | |
| 3455 | | | |
| 3456 | | | |
| 3457 | | | |
| 3458 | | | |
| 3459 | | | |
| 3460 | | | |
| 3461 | | | |
| 3462 | [+] | | if (doing_sasl_security && tvb_get_guint8(tvb, offset) == 0) { |
Event 28:
Skipping " if". doing_sasl_security evaluates to true.
|
|
 |
| 3463 | | | proto_item *sasl_item = NULL; |
| 3464 | | | proto_tree *sasl_tree = NULL; |
| 3465 | | | tvbuff_t *sasl_tvb; |
| 3466 | | | guint sasl_len, sasl_msg_len, length; |
| 3467 | | | |
| 3468 | | | |
| 3469 | | | |
| 3470 | | | |
| 3471 | | | |
| 3472 | | | |
| 3473 | | | |
| 3474 | | | |
| 3475 | | | |
| 3476 | | | |
| 3477 | | | |
| 3478 | | | |
| 3479 | | | |
| 3480 | [+] | | sasl_len = tvb_get_ntohl(tvb, offset); |
 |
| 3481 | | | sasl_msg_len = sasl_len + 4; |
| 3482 | | | if (sasl_msg_len < 4) { |
Event 44:
Skipping " if". sasl_msg_len < 4 evaluates to false.
|
|
| 3483 | | | |
| 3484 | | | |
| 3485 | | | |
| 3486 | | | |
| 3487 | | | |
| 3488 | | | |
| 3489 | | | show_reported_bounds_error(tvb, pinfo, tree); |
| 3490 | | | return; |
| 3491 | | | } |
| 3492 | | | |
| 3493 | | | |
| 3494 | | | |
| 3495 | | | |
| 3496 | | | |
| 3497 | | | |
| 3498 | | | |
| 3499 | | | |
| 3500 | | | |
| 3501 | | | |
| 3502 | | | |
| 3503 | | | |
| 3504 | | | |
| 3505 | | | |
| 3506 | | | length = length_remaining; |
| 3507 | | | if (length > sasl_msg_len) length = sasl_msg_len; |
Event 45:
Skipping " if". length > sasl_msg_len evaluates to false.
|
|
| 3508 | | | sasl_tvb = tvb_new_subset(tvb, offset, length, sasl_msg_len); |
| 3509 | | | |
| 3510 | | | if (ldap_tree) { |
Event 46:
Skipping " if". ldap_tree evaluates to false.
|
|
| 3511 | | | proto_tree_add_uint(ldap_tree, hf_ldap_sasl_buffer_length, sasl_tvb, 0, 4, |
| 3512 | | | sasl_len); |
| 3513 | | | |
| 3514 | | | sasl_item = proto_tree_add_text(ldap_tree, sasl_tvb, 0, sasl_msg_len, "SASL Buffer"); |
| 3515 | | | sasl_tree = proto_item_add_subtree(sasl_item, ett_ldap_sasl_blob); |
| 3516 | | | } |
| 3517 | | | |
| 3518 | | | if (ldap_info->auth_mech != NULL && |
| 3519 | | | ((strcmp(ldap_info->auth_mech, "GSS-SPNEGO") == 0) || |
| 3520 | | | |
| 3521 | | | (strcmp(ldap_info->auth_mech, "GSSAPI") == 0))) { |
| 3522 | | | tvbuff_t *gssapi_tvb, *plain_tvb = NULL, *decr_tvb= NULL; |
| 3523 | | | int ver_len; |
| 3524 | | | int length; |
| 3525 | | | |
| 3526 | | | |
| 3527 | | | |
| 3528 | | | |
| 3529 | | | |
| 3530 | | | |
| 3531 | | | |
| 3532 | | | |
| 3533 | | | |
| 3534 | [+] | | length = tvb_length_remaining(sasl_tvb, 4); |
 |
| 3535 | | | if ((guint)length > sasl_len) |
Cast Alters Value
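length is cast from int to unsigned int (guint) for the comparison with sasl_len at line 3535.
- length evaluates to -1 on this path; it was assigned from tvb_length_remaining(sasl_tvb, 4) at line 3534, which reports an offset beyond the available data as -1.
- Negative values cannot be stored as unsigned int. Casting them to unsigned int can cause data loss or sign change: here -1 converts to the largest unsigned int value, so (guint)length > sasl_len is true for every sasl_len below that maximum, and the "offset out of range" result is treated as an oversized length instead of an error.
- The cast does not change length itself, which stays -1 unless the branch reassigns it; the body of the branch is outside this excerpt. Testing length < 0 before the cast and reporting a bounds error keeps the negative value from reaching later size arguments.
The issue can occur if the highlighted code executes. See related event 52.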
|
| |