(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ncp2222.inc) |
| |
| 8997 | | | dissect_ncp_reply(tvbuff_t *tvb, packet_info *pinfo, |
| 8998 | | | guint32 nw_connection, guint8 sequence, guint16 type, |
| 8999 | | | proto_tree *ncp_tree, struct novell_tap *ncp_tap) |
| 9000 | | | { |
| 9001 | | | conversation_t *conversation = NULL; |
| 9002 | | | ncp_req_hash_value *request_value = NULL; |
| 9003 | | | const ncp_record *ncp_rec = NULL; |
| 9004 | | | int *req_cond_results; |
| 9005 | | | guint8 completion_code=0; |
| 9006 | | | ptvcursor_t *ptvc = NULL; |
| 9007 | | | const char *error_string; |
| 9008 | | | guint32 nds_offset = 0; |
| 9009 | | | guint32 nds_error_code = 0; |
| 9010 | | | guint32 nds_reply_buffer = 0; |
| 9011 | | | const char *nds_error_string = NULL; |
| 9012 | | | guint32 nds_frag=0; |
| 9013 | | | proto_item *expert_item; |
| 9014 | | | guint8 conn_stat; |
| 9015 | | | |
| 9016 | | | |
| 9017 | | | #ifdef FAKE_TREE_IS_VISIBLE |
| 9018 | | | if (ncp_tree) { |
Event 1:
Skipping " if". ncp_tree evaluates to false.
hide
|
|
| 9019 | | | PTREE_DATA(ncp_tree)->visible=1;
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
346 | #define PTREE_DATA(proto_tree) ((proto_tree)->tree_data) |
| |
|
| 9020 | | | } |
| 9021 | | | #endif |
| 9022 | | | |
| 9023 | | | if (!pinfo->fd->flags.visited) { |
Event 2:
Taking true branch. pinfo->fd->flags.visited evaluates to false.
hide
|
|
| 9024 | | | |
| 9025 | | | conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, |
| 9026 | | | PT_NCP, nw_connection, nw_connection, 0); |
| 9027 | | | if (conversation != NULL) { |
Event 3:
Taking false branch. conversation != (void *)0 evaluates to false.
hide
|
|
| 9028 | | | |
| 9029 | | | |
| 9030 | | | request_value = ncp_hash_lookup(conversation, sequence); |
| 9031 | | | if (request_value) { |
| 9032 | | | ncp_rec = request_value->ncp_rec; |
| 9033 | | | } |
| 9034 | | | p_add_proto_data(pinfo->fd, proto_ncp, (void*) request_value); |
| 9035 | | | } |
| 9036 | | | |
| 9037 | | | |
| 9038 | | | |
| 9039 | | | |
| 9040 | | | |
| 9041 | | | |
| 9042 | | | |
| 9043 | | | |
| 9044 | | | else { |
| 9045 | | | conversation = find_conversation(pinfo->fd->num, |
| 9046 | | | &pinfo->src, &pinfo->dst, PT_NCP, 65535, 65535, 0); |
| 9047 | | | if (conversation != NULL) { |
Event 4:
Taking false branch. conversation != (void *)0 evaluates to false.
hide
|
|
| 9048 | | | |
| 9049 | | | |
| 9050 | | | request_value = ncp_hash_lookup(conversation, |
| 9051 | | | sequence); |
| 9052 | | | if (request_value) { |
| 9053 | | | ncp_rec = request_value->ncp_rec; |
| 9054 | | | } |
| 9055 | | | p_add_proto_data(pinfo->fd, proto_ncp, |
| 9056 | | | (void*) request_value); |
| 9057 | | | } |
| 9058 | | | else { |
| 9059 | | | conversation = find_conversation(pinfo->fd->num, |
| 9060 | | | &pinfo->src, &pinfo->dst, PT_NCP, 0, 0, 0); |
| 9061 | | | if (conversation != NULL) { |
Event 5:
Taking true branch. conversation != (void *)0 evaluates to true.
hide
|
|
| 9062 | | | |
| 9063 | | | |
| 9064 | | | request_value = ncp_hash_lookup(conversation, |
| 9065 | | | sequence); |
| 9066 | | | if (request_value) { |
Event 6:
Taking true branch. request_value evaluates to true.
hide
|
|
| 9067 | | | ncp_rec = request_value->ncp_rec; |
| 9068 | | | } |
| 9069 | | | p_add_proto_data(pinfo->fd, proto_ncp, |
| 9070 | | | (void*) request_value); |
| 9071 | | | } |
| 9072 | | | |
| 9073 | | | |
| 9074 | | | } |
| 9075 | | | } |
| 9076 | | | } |
| 9077 | | | else { |
| 9078 | | | request_value = p_get_proto_data(pinfo->fd, proto_ncp); |
| 9079 | | | if (request_value) { |
| 9080 | | | ncp_rec = request_value->ncp_rec; |
| 9081 | | | } |
| 9082 | | | } |
| 9083 | | | |
| 9084 | | | |
| 9085 | | | |
| 9086 | | | |
| 9087 | | | |
| 9088 | | | |
| 9089 | | | tap_queue_packet(ncp_tap->stat, pinfo, request_value); |
| 9090 | | | |
| 9091 | | | if (check_col(pinfo->cinfo, COL_PROTOCOL)) { |
Event 8:
Skipping " if". check_col(...) evaluates to false.
hide
|
|
| 9092 | | | if (ncp_rec && ncp_rec->func==0x68 && |
| 9093 | | | (ncp_rec->subfunc==0x02 || ncp_rec->subfunc==0x01)) { |
| 9094 | | | col_set_str(pinfo->cinfo, COL_PROTOCOL, "NDS"); |
| 9095 | | | } |
| 9096 | | | } |
| 9097 | | | |
| 9098 | | | |
| 9099 | | | |
| 9100 | | | |
| 9101 | | | |
| 9102 | | | completion_code = tvb_get_guint8(tvb, 6); |
| 9103 | | | if (completion_code == 0) { |
Event 9:
Taking true branch. completion_code == 0 evaluates to true.
hide
|
|
| 9104 | | | if(type == NCP_POSITIVE_ACK) |
Event 10:
Taking false branch. type == 39321 evaluates to false.
hide
|
|
| 9105 | | | { |
| 9106 | | | error_string = "Server Busy, Request Being Processed"; |
| 9107 | | | } |
| 9108 | | | else |
| 9109 | | | { |
| 9110 | | | error_string = "OK"; |
| 9111 | | | } |
| 9112 | | | } else { |
| 9113 | | | if (ncp_rec && ncp_rec->errors) { |
| 9114 | | | error_string = ncp_error_string(ncp_rec->errors, completion_code); |
| 9115 | | | } |
| 9116 | | | else { |
| 9117 | | | error_string = "Original Request Packet not Found"; |
| 9118 | | | } |
| 9119 | | | } |
| 9120 | | | if (type == NCP_SERVICE_REPLY && ncp_rec && ncp_rec->func==0x68 && |
Event 11:
Skipping " if". - type == 13107 evaluates to true.
- ncp_rec evaluates to true.
- ncp_rec->func == 104 evaluates to false.
hide
|
|
| 9121 | | | ncp_rec->subfunc==0x02 && (tvb_reported_length_remaining(tvb, 8) >= 8)) |
| 9122 | | | { |
| 9123 | | | nds_offset = 8; |
| 9124 | | | nds_reply_buffer = tvb_get_letohl(tvb, nds_offset); |
| 9125 | | | nds_offset += 4; |
| 9126 | | | nds_frag = tvb_get_letohl(tvb, nds_offset); |
| 9127 | | | nds_offset += 4; |
| 9128 | | | |
| 9129 | | | |
| 9130 | | | |
| 9131 | | | |
| 9132 | | | |
| 9133 | | | if (tvb_reported_length_remaining(tvb, nds_offset) >= 4) |
| 9134 | | | { |
| 9135 | | | |
| 9136 | | | nds_error_code = tvb_get_letohl(tvb, nds_offset); |
| 9137 | | | nds_error_string = match_strval(nds_error_code, nds_reply_errors); |
| 9138 | | | if (nds_error_string == NULL) |
| 9139 | | | { |
| 9140 | | | nds_error_string = "NDS Error - No Definition Found"; |
| 9141 | | | } |
| 9142 | | | } |
| 9143 | | | } |
| 9144 | | | if (check_col(pinfo->cinfo, COL_INFO)) { |
Event 12:
Skipping " if". check_col(...) evaluates to false.
hide
|
|
| 9145 | | | col_add_fstr(pinfo->cinfo, COL_INFO, "%s %s", |
| 9146 | | | type == NCP_SERVICE_REPLY ? "R" : "ACK", |
| 9147 | | | nds_error_string ? nds_error_string : error_string); |
| 9148 | | | } |
| 9149 | | | |
| 9150 | | | if (ncp_tree) { |
Event 13:
Skipping " if". ncp_tree evaluates to false.
hide
|
|
| 9151 | | | |
| 9152 | | | if (request_value) { |
| 9153 | | | nstime_t ns; |
| 9154 | | | |
| 9155 | | | proto_tree_add_uint(ncp_tree, hf_ncp_req_frame_num, tvb, 0, 0, |
| 9156 | | | request_value->req_frame_num); |
| 9157 | | | nstime_delta(&ns, &pinfo->fd->abs_ts, &request_value->req_frame_time); |
| 9158 | | | proto_tree_add_time(ncp_tree, hf_ncp_req_frame_time, tvb, 0, 0, &ns); |
| 9159 | | | } |
| 9160 | | | |
| 9161 | | | |
| 9162 | | | |
| 9163 | | | |
| 9164 | | | |
| 9165 | | | if (ncp_rec) { |
| 9166 | | | proto_tree_add_uint_format(ncp_tree, hf_ncp_func, tvb, 6, 0, |
| 9167 | | | ncp_rec->func, "Function: %u (0x%02X), %s", |
| 9168 | | | ncp_rec->func, ncp_rec->func, ncp_rec->name); |
| 9169 | | | if (ncp_requires_subfunc(ncp_rec->func)) { |
| 9170 | | | proto_tree_add_uint_format(ncp_tree, hf_ncp_subfunc, tvb, 6, 0, |
| 9171 | | | ncp_rec->subfunc, "SubFunction: %u (0x%02x)", |
| 9172 | | | ncp_rec->subfunc, ncp_rec->subfunc); |
| 9173 | | | } |
| 9174 | | | } |
| 9175 | | | } |
| 9176 | | | |
| 9177 | | | expert_item = proto_tree_add_uint_format(ncp_tree, hf_ncp_completion_code, tvb, 6, 1, |
| 9178 | | | completion_code, "Completion Code: %d (0x89%02x), %s", |
| 9179 | | | completion_code, completion_code, error_string); |
| 9180 | | | if ((completion_code != 0 || type == NCP_POSITIVE_ACK) && ncp_echo_err) { |
Event 14:
Skipping " if". - completion_code != 0 evaluates to false.
- type == 39321 evaluates to false.
hide
|
|
| 9181 | | | expert_add_info_format(pinfo, expert_item, |
| 9182 | | | PI_RESPONSE_CODE, PI_ERROR, |
| 9183 | | | "Error: %d (0x89%02x) %s", completion_code, |
| 9184 | | | completion_code, error_string); |
| 9185 | | | } |
| 9186 | | | |
| 9187 | | | conn_stat = tvb_get_guint8(tvb, 7); |
| 9188 | | | expert_item = proto_tree_add_item(ncp_tree, hf_ncp_connection_status, tvb, |
| 9189 | | | 7, 1, FALSE); |
| 9190 | | | if (conn_stat != 0 && conn_stat != 0x40 ) { |
Event 15:
Skipping " if". conn_stat != 0 evaluates to false.
hide
|
|
| 9191 | | | if (check_col(pinfo->cinfo, COL_INFO)) { |
| 9192 | | | col_set_str(pinfo->cinfo, COL_INFO, |
| 9193 | | | "Error: Bad Connection Status"); |
| 9194 | | | } |
| 9195 | | | if (ncp_echo_err) { |
| 9196 | | | expert_add_info_format(pinfo, expert_item, |
| 9197 | | | PI_RESPONSE_CODE, PI_ERROR, |
| 9198 | | | "Error: Bad Connection Status"); |
| 9199 | | | } |
| 9200 | | | return; |
| 9201 | | | } |
| 9202 | | | |
| 9203 | | | |
| 9204 | | | |
| 9205 | | | |
| 9206 | | | if (type != NCP_SERVICE_REPLY || completion_code != 0) |
Event 16:
Skipping " if". - type != 13107 evaluates to false.
- completion_code != 0 evaluates to false.
hide
|
|
| 9207 | | | return; |
| 9208 | | | |
| 9209 | | | if (ncp_rec) { |
Event 17:
Taking true branch. ncp_rec evaluates to true.
hide
|
|
| 9210 | | | |
| 9211 | | | if (ncp_rec->func == 0x5c && request_value) |
Event 18:
Skipping " if". ncp_rec->func == 92 evaluates to false.
hide
|
|
| 9212 | | | { |
| 9213 | | | dissect_sss_reply(tvb, pinfo, ncp_tree, ncp_rec->subfunc, request_value); |
| 9214 | | | } |
| 9215 | | | |
| 9216 | | | if (ncp_rec->func == 0x5e && request_value) |
Event 19:
ncp_rec->func == 94 evaluates to true.
hide
Null Test After Dereference
This code tests the nullness of request_value, which has already been dereferenced. - If request_value were null, there would have been a prior null pointer dereference at packet-ncp2222.inc:9067, and potentially at other locations as well.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test.
The issue can occur if the highlighted code executes. See related event 7. Show: All events | Only primary events |
|
| 9217 | | | { |
| 9218 | | | dissect_nmas_reply(tvb, pinfo, ncp_tree, ncp_rec->func, ncp_rec->subfunc, request_value); |
| 9219 | | | } |
| 9220 | | | |
| 9221 | | | if (ncp_rec->func == 0x68 && ncp_rec->subfunc == 0x01) |
| 9222 | | | { |
| 9223 | | | dissect_nds_ping_reply(tvb, pinfo, ncp_tree, |
| 9224 | | | request_value); |
| 9225 | | | } |
| 9226 | | | |
| 9227 | | | if (ncp_rec->func == 0x68 && ncp_rec->subfunc == 0x02) |
| 9228 | | | { |
| 9229 | | | dissect_nds_reply(tvb, pinfo, ncp_tree, nds_error_code, |
| 9230 | | | nds_error_string, request_value, conversation); |
| 9231 | | | } |
| 9232 | | | |
| 9233 | | | if ((ncp_rec->func == 0x57 || ncp_rec->func == 0x59) && ncp_rec->subfunc == 0x14) { |
| 9234 | | | dissect_ncp_8x20reply(tvb, ncp_tree, ncp_rec, request_value); |
| 9235 | | | } |
| 9236 | | | |
| 9237 | | | if (ncp_rec->func == 0x17 && ncp_rec->subfunc == 0x1a) { |
| 9238 | | | dissect_ncp_23_26_reply(tvb, ncp_tree); |
| 9239 | | | } |
| 9240 | | | if (ncp_rec->func == 5 && ncp_echo_conn) { |
| 9241 | | | expert_add_info_format(pinfo, NULL, PI_RESPONSE_CODE, PI_CHAT, "Connection Destroyed"); |
| 9242 | | | } |
| 9243 | | | if (ncp_rec->reply_ptvc) { |
| 9244 | | | |
| 9245 | | | |
| 9246 | | | |
| 9247 | | | |
| 9248 | | | |
| 9249 | | | |
| 9250 | | | |
| 9251 | | | |
| 9252 | | | |
| 9253 | | | if (!ncp_tree) |
| 9254 | | | return; |
| 9255 | | | |
| 9256 | | | |
| 9257 | | | |
| 9258 | | | |
| 9259 | | | |
| 9260 | | | |
| 9261 | | | |
| 9262 | | | |
| 9263 | | | |
| 9264 | | | if (completion_code != 0 && tvb_length(tvb) == 8) { |
| 9265 | | | return; |
| 9266 | | | } |
| 9267 | | | |
| 9268 | | | |
| 9269 | | | if (request_value) { |
| 9270 | | | req_cond_results = request_value->req_cond_results; |
| 9271 | | | } |
| 9272 | | | else { |
| 9273 | | | req_cond_results = NULL; |
| 9274 | | | } |
| 9275 | | | clear_repeat_vars(); |
| 9276 | | | ptvc = ptvcursor_new(ncp_tree, tvb, 8); |
| 9277 | | | process_ptvc_record(ptvc, ncp_rec->reply_ptvc, |
| 9278 | | | req_cond_results, TRUE, ncp_rec); |
| 9279 | | | ptvcursor_free(ptvc); |
| 9280 | | | |
| 9281 | | | |
| 9282 | | | if (!pinfo->fd->flags.visited && ncp_rec->func == 0x16 && ncp_rec->subfunc == 0x33) { |
| 9283 | | | |
| 9284 | | | char eid_string[10]; |
| 9285 | | | char global_object_name[256]; |
| 9286 | | | |
| 9287 | | | build_expert_data(ncp_tree, "ncp.directory_services_object_id", |
| 9288 | | | eid_string, sizeof eid_string, |
| 9289 | | | 0, TRUE); |
| 9290 | | | build_expert_data(ncp_tree, "ncp.volume_name_len", |
| 9291 | | | global_object_name, sizeof global_object_name, |
| 9292 | | | 0, FALSE); |
| 9293 | | | |
| 9294 | | | |
| 9295 | | | if (nds_echo_eid) { |
| 9296 | | | expert_add_info_format(pinfo, NULL, |
| 9297 | | | PI_RESPONSE_CODE, PI_CHAT, |
| 9298 | | | "EID (%s) = %s", eid_string, global_object_name); |
| 9299 | | | } |
| 9300 | | | } |
| 9301 | | | |
| 9302 | | | if (ncp_rec->func == 0x7b && ncp_rec->subfunc == 0x11) { |
| 9303 | | | dissect_ncp_123_17_reply(tvb, ncp_tree); |
| 9304 | | | } |
| 9305 | | | |
| 9306 | | | if (ncp_rec->func == 0x7b && ncp_rec->subfunc == 0x0b && request_value) { |
| 9307 | | | dissect_ncp_123_11_reply(tvb, ncp_tree, request_value); |
| 9308 | | | } |
| 9309 | | | |
| 9310 | | | if (ncp_rec->func == 0x7b && ncp_rec->subfunc == 0x3e) { |
| 9311 | | | dissect_ncp_123_62_reply(tvb, ncp_tree); |
| 9312 | | | } |
| 9313 | | | } |
| 9314 | | | |
| 9315 | | | trap_for_expert_event(ncp_tree, pinfo, ncp_rec, 1); |
| 9316 | | | } else { |
| 9317 | | | if (tvb_length(tvb) > 8) { |
| 9318 | | | expert_item = proto_tree_add_text(ncp_tree, tvb, 8, -1, |
| 9319 | | | "No request record found. Parsing is impossible."); |
| 9320 | | | if (ncp_echo_err) { |
| 9321 | | | expert_add_info_format(pinfo, expert_item, PI_SEQUENCE, PI_NOTE, "No request record found."); |
| 9322 | | | } |
| 9323 | | | } |
| 9324 | | | } |
| 9325 | | | } |
| |