(/home/sate/Testcases/c/cve/wireshark-1.2.0/disabled_protos.c) |
| |
| 166 | | | read_disabled_protos_list_file(const char *ff_path, FILE *ff, |
| 167 | | | GList **flp) |
| 168 | | | { |
| 169 | | | protocol_def *prot; |
| 170 | | | int c; |
| 171 | | | char *prot_name; |
| 172 | | | int prot_name_len; |
| 173 | | | int prot_name_index; |
| 174 | | | int line = 1; |
| 175 | | | |
| 176 | | | |
| 177 | | | |
| 178 | | | prot_name_len = INIT_BUF_SIZE; |
| 179 | | | prot_name = g_malloc(prot_name_len + 1); |
| 180 | | | |
| 181 | | | for (line = 1; ; line++) { |
| 182 | | | |
| 183 | | | |
| 184 | | | |
| 185 | | | |
| 186 | | | while ((c = getc(ff)) != EOF && isspace(c)) { |
| 187 | | | if (c == '\n') { |
| 188 | | | |
| 189 | | | continue; |
| 190 | | | } |
| 191 | | | } |
| 192 | | | |
| 193 | | | if (c == EOF) { |
Event 3:
Skipping " if". c == -1 evaluates to false.
|
|
| 194 | | | if (ferror(ff)) |
| 195 | | | goto error; |
| 196 | | | else |
| 197 | | | break; |
| 198 | | | } |
| 199 | | | ungetc(c, ff); |
| 200 | | | |
| 201 | | | |
| 202 | | | prot_name_index = 0; |
| 203 | | | for (;;) { |
Event 5:
During loop iterations, prot_name_index is set to prot_name_index + 1, which evaluates to a potentially dangerous value (potentially dangerous: the value cannot be determined and may come from program input). This determines the position accessed in the buffer during the buffer overrun later.
|
|
| 204 | | | c = getc(ff); |
| 205 | | | if (c == EOF) |
| 206 | | | break; |
| 207 | | | if (isspace(c)) |
| 208 | | | break; |
| 209 | | | if (c == '#') |
| 210 | | | break; |
| 211 | | | |
| 212 | | | if (prot_name_index >= prot_name_len) { |
| 213 | | | |
| 214 | | | prot_name_len *= 2; |
| 215 | | | prot_name = g_realloc(prot_name, prot_name_len + 1); |
| 216 | | | } |
| 217 | | | prot_name[prot_name_index] = c; |
| 218 | | | prot_name_index++; |
| 219 | | | } |
| 220 | | | |
| 221 | | | if (isspace(c) && c != '\n') { |
| 222 | | | |
| 223 | | | while ((c = getc(ff)) != EOF && c != '\n' && isspace(c)) |
| 224 | | | ; |
| 225 | | | if (c != EOF && c != '\n' && c != '#') { |
Event 8:
Skipping " if". - c != -1 evaluates to true.
- c != 10 evaluates to false.
|
|
| 226 | | | |
| 227 | | | |
| 228 | | | g_warning("'%s' line %d has stuff after the protocol name.",
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 229 | | | ff_path, line); |
| 230 | | | } |
| 231 | | | } |
| 232 | | | if (c != EOF && c != '\n') { |
Event 9:
Skipping " if". - c != -1 evaluates to true.
- c != 10 evaluates to false.
|
|
| 233 | | | |
| 234 | | | while ((c = getc(ff)) != EOF && c != '\n') |
| 235 | | | ; |
| 236 | | | } |
| 237 | | | |
| 238 | | | if (c == EOF) { |
Event 10:
Skipping " if". c == -1 evaluates to false.
|
|
| 239 | | | if (ferror(ff)) |
| 240 | | | goto error; |
| 241 | | | else { |
| 242 | | | |
| 243 | | | g_warning("'%s' line %d doesn't have a newline.", ff_path,
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 244 | | | line); |
| 245 | | | } |
| 246 | | | break; |
| 247 | | | } |
| 248 | | | |
| 249 | | | |
| 250 | | | if (prot_name_index >= prot_name_len) { |
Event 11:
Taking true branch. prot_name_index >= prot_name_len evaluates to true.
|
|
| 251 | | | |
| 252 | | | prot_name_len *= 2; |
| 253 | | | prot_name = g_realloc(prot_name, prot_name_len + 1); |
Event 12:
g_realloc is an Undefined Function.
Event 13:
prot_name is set to g_realloc(...). - This points to the buffer that will be overrun later.
|
|
| 254 | | | } |
| 255 | | | prot_name[prot_name_index] = '\0'; |
Buffer Overrun
This code could write past the end of the buffer pointed to by prot_name. - prot_name evaluates to g_realloc(...) from disabled_protos.c:253.
- The code writes 1 byte starting at offset prot_name_index from the beginning of the buffer pointed to by prot_name.
- The number of bytes written could exceed the number of allocated bytes beyond that offset.
- prot_name_index evaluates to the value assigned to prot_name_index at disabled_protos.c:203, plus 1, which is bounded below by 1. See related event 5.
- The capacity of the buffer pointed to by prot_name, in bytes, is the capacity of the buffer pointed to by g_realloc(...) at disabled_protos.c:253. See related event 13.
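- If prot_name_index plus 1 is higher than the capacity of the buffer pointed to by g_realloc(...) at disabled_protos.c:253, an overrun will occur. The analysis cannot rule out this possibility, so has issued this warning.
Triage note: event 12 reports g_realloc as an Undefined Function, so the capacity of the returned buffer is unknown to the analysis. If g_realloc returns at least prot_name_len + 1 bytes, INIT_BUF_SIZE is positive, and prot_name_len *= 2 never overflows int, the growth checks at lines 212 and 250 keep prot_name_index <= prot_name_len and the one-byte write at line 255 stays in bounds; confirm those assumptions (INIT_BUF_SIZE and g_realloc are defined outside this listing) before classifying the warning.
The issue can occur if the highlighted code executes. See related events 5 and 13.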
|
| |