(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/crypt/airpdcap.c) |
| |
| 337 | | | AirPDcapDecryptWPABroadcastKey(P_EAPOL_RSN_KEY pEAPKey, guint8 *decryption_key, PAIRPDCAP_SEC_ASSOCIATION sa) |
| 338 | | | { |
| 339 | | | guint8 new_key[32]; |
| 340 | | | guint8 key_version; |
| 341 | | | guint8 *szEncryptedKey; |
| 342 | | | guint16 key_len = 0; |
| 343 | | | static AIRPDCAP_KEY_ITEM dummy_key; |
| 344 | | | |
| 345 | | | |
| 346 | | | |
| 347 | | | |
| 348 | | | |
| 349 | | | key_version = AIRPDCAP_EAP_KEY_DESCR_VER(pEAPKey->key_information[1]);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/crypt/airpdcap_int.h |
| |
84 | #define AIRPDCAP_EAP_KEY_DESCR_VER(KeyInfo_1) ((UCHAR)(KeyInfo_1 & 0x3)) |
| |
|
| 350 | | | if (key_version == AIRPDCAP_WPA_KEY_VER_NOT_CCMP){ |
Event 1:
Taking true branch. key_version == 1 evaluates to true.
|
|
| 351 | | | |
| 352 | | | key_len = pntohs(pEAPKey->key_length);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/pint.h |
| |
37 | #define pntohs(p) ((guint16) \ |
38 | ((guint16)*((const guint8 *)(p)+0)<<8| \ |
39 | (guint16)*((const guint8 *)(p)+1)<<0)) |
| |
|
| 353 | | | }else if (key_version == AIRPDCAP_WPA_KEY_VER_AES_CCMP){ |
| 354 | | | |
| 355 | | | key_len = pntohs(pEAPKey->key_data_len);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/pint.h |
| |
37 | #define pntohs(p) ((guint16) \ |
38 | ((guint16)*((const guint8 *)(p)+0)<<8| \ |
39 | (guint16)*((const guint8 *)(p)+1)<<0)) |
| |
|
| 356 | | | } |
| 357 | | | if (key_len > sizeof(RSN_IE) || key_len == 0) { |
Event 2:
Skipping "if". - key_len > sizeof(RSN_IE) evaluates to false.
- key_len == 0 evaluates to false.
|
|
| 358 | | | return; |
| 359 | | | } |
| 360 | | | |
| 361 | | | |
| 362 | | | szEncryptedKey = g_memdup(pEAPKey->ie, key_len); |
| 363 | | | |
| 364 | | | DEBUG_DUMP("Encrypted Broadcast key:", szEncryptedKey, key_len); |
| 365 | | | DEBUG_DUMP("KeyIV:", pEAPKey->key_iv, 16); |
| 366 | | | DEBUG_DUMP("decryption_key:", decryption_key, 16); |
| 367 | | | |
| 368 | | | |
| 369 | | | memcpy(new_key, pEAPKey->key_iv, 16); |
| 370 | | | memcpy(new_key+16, decryption_key, 16); |
| 371 | | | DEBUG_DUMP("FullDecrKey:", new_key, 32); |
| 372 | | | |
| 373 | | | if (key_version == AIRPDCAP_WPA_KEY_VER_NOT_CCMP){ |
Event 4:
Taking true branch. key_version == 1 evaluates to true.
|
|
| 374 | | | guint8 dummy[256]; |
| 375 | | | |
| 376 | | | |
| 377 | | | |
| 378 | | | |
| 379 | | | rc4_state_struct rc4_state; |
| 380 | | | crypt_rc4_init(&rc4_state, new_key, sizeof(new_key)); |
| 381 | | | |
| 382 | | | |
| 383 | [+] | | crypt_rc4(&rc4_state, dummy, 256); |
Event 5:
dummy is passed to crypt_rc4() as the second argument.
Event 6:
crypt_rc4() does not initialize dummy, which is declared at line 374 without an initializer. - This may be because of a failure case or other special case for crypt_rc4().
|
|
 |
| |