(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/tcap-persistentdata.c) |
| |
/*
 * Find, or create, the session context that belongs to the packet in pinfo.
 *
 * A lookup key is built from p_tcapsrt_info->src_tid plus a hash of the
 * packet's source and destination addresses, and is looked up in the
 * tcaphash_begin table.
 *
 *  - No entry: a new context and a new table entry are created.
 *  - Entry whose context->first_frame equals this frame: that context is
 *    reused.
 *  - Otherwise the chain of entries sharing the key is walked to its last
 *    element.  If that element has timed out or is closed, a new context is
 *    appended; if not, the packet is reported as a duplicate and the
 *    function returns from inside the loop.
 *
 * When gtcap_DisplaySRT is set and tree is non-NULL, a generated "Stat"
 * subtree is added to tree.
 *
 * Returns the selected or newly created context.
 *
 * NOTE(review): a static-analysis report on this function flags the
 * `ctx &&` test in the final display block as a "null test after
 * dereference".  The matching loop reads call->context->first_frame with no
 * guard, and on the "already seen" path that same pointer becomes ctx, so on
 * that path the later test cannot be the first thing to catch a NULL.  The
 * duplicate branch also reads ctx->first_frame unguarded.  Either the test
 * is redundant or the earlier dereferences need the same guard; whether a
 * table entry can carry a NULL context is not visible from this function --
 * confirm against new_tcaphash_context(), new_tcaphash_begin() and
 * append_tcaphash_begincall() before changing either side.
 */
static struct tcaphash_context_t *
tcaphash_begin_matching(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                        struct tcapsrt_info_t *p_tcapsrt_info)
{
  struct tcaphash_context_t *ctx = NULL;
  struct tcaphash_context_key_t ctx_key;
  struct tcaphash_begin_info_key_t begin_key;
  struct tcaphash_begincall_t *call;
  proto_item *stat_item;
  proto_tree *stat_tree;
  proto_item *item;

  /* Build the lookup key: transaction id plus hashed endpoint addresses. */
  begin_key.tid = p_tcapsrt_info->src_tid;
  if (pinfo->src.type != AT_SS7PC || pinfo->dst.type != AT_SS7PC) {
    /* At least one side is not an SS7 point code: hash the textual form. */
    begin_key.opc_hash = g_str_hash(address_to_str(&pinfo->src));
    begin_key.dpc_hash = g_str_hash(address_to_str(&pinfo->dst));
  } else {
    /* Both sides are SS7 point codes: hash them directly. */
    begin_key.opc_hash = mtp3_pc_hash((const mtp3_addr_pc_t *)pinfo->src.data);
    begin_key.dpc_hash = mtp3_pc_hash((const mtp3_addr_pc_t *)pinfo->dst.data);
  }
  begin_key.hashKey = tcaphash_begin_calchash(&begin_key);

#ifdef DEBUG_TCAPSRT
  dbg(10,"\n Hbegin #%u ", pinfo->fd->num);
  dbg(11,"key %lx ",begin_key.hashKey);
  dbg(51,"PC %s %s ",address_to_str(&pinfo->src), address_to_str(&pinfo->dst));
  dbg(51,"Tid %lx ",begin_key.tid);
#endif

  call = g_hash_table_lookup(tcaphash_begin, &begin_key);

  if (call == NULL) {
    /* Key not in the table yet: open a new session for it. */
#ifdef DEBUG_TCAPSRT
    dbg(10,"New key %lx ",begin_key.hashKey);
#endif
    ctx_key.session_id = tcapsrt_global_SessionId++;
    ctx = new_tcaphash_context(&ctx_key, pinfo);
    call = new_tcaphash_begin(&begin_key, ctx);

#ifdef DEBUG_TCAPSRT
    dbg(11,"Update key %lx ",begin_key.hashKey);
    dbg(11,"Frame reqlink #%u ", pinfo->fd->num);
#endif
    update_tcaphash_begincall(call, pinfo);
  } else {
    /* Walk the chain of entries that share this key. */
    while (call != NULL) {
      struct tcaphash_begincall_t *appended;
      int timed_out = 0;

      /* Unguarded read of call->context; see NOTE(review) in the header. */
      if (pinfo->fd->num == call->context->first_frame) {
        /* This frame opened the session stored in this entry. */
#ifdef DEBUG_TCAPSRT
        dbg(22,"Already seen ");
#endif
        ctx = call->context;
        break;
      }

      if (call->next_begincall != NULL) {
        call = call->next_begincall;
        continue;
      }

      /*
       * Last entry of the chain.  It counts as timed out when this frame
       * comes after the entry's first frame and more than the applicable
       * timeout has elapsed since begin_time: gtcap_RepetitionTimeout when
       * last_frame is set, gtcap_LostTimeout when it is still 0.
       */
      if (pinfo->fd->num > call->context->first_frame) {
        const guint now = (guint) pinfo->fd->abs_ts.secs;

        if (call->context->last_frame != 0) {
          timed_out = now > (guint)(call->context->begin_time.secs + gtcap_RepetitionTimeout);
        } else {
          timed_out = now > (guint)(call->context->begin_time.secs + gtcap_LostTimeout);
        }
      }

      if (!timed_out && !call->context->closed) {
        /* Still open and inside the timeout: report a duplicate and return. */
#ifdef DEBUG_TCAPSRT
        dbg(21,"Display_duplicate %d ",call->context->first_frame);
#endif
        ctx = call->context;
        if (gtcap_DisplaySRT && tree) {
          stat_item = proto_tree_add_text(tree, tvb, 0, -1, "Stat");
          /* Per proto.h, PROTO_ITEM_SET_GENERATED tests its argument for
           * NULL before setting FI_GENERATED on it. */
          PROTO_ITEM_SET_GENERATED(stat_item);
          stat_tree = proto_item_add_subtree(stat_item, ett_tcap_stat);
          item = proto_tree_add_uint_format(stat_tree, hf_tcapsrt_Duplicate, tvb, 0, 0,
                                            ctx->first_frame,
                                            "Duplicate with session %u in frame %u",
                                            ctx->session_id,ctx->first_frame);
          PROTO_ITEM_SET_GENERATED(item);
        }
        return ctx;
      }

      /* Timed out or closed: append a new session to the chain. */
#ifdef DEBUG_TCAPSRT
      if (timed_out) {
        dbg(12,"(timeout) Append key %lx ",begin_key.hashKey);
      } else {
        dbg(12,"(closed) Append key %lu ",begin_key.hashKey);
      }
      dbg(12,"Frame %u rsp %u ",pinfo->fd->num,call->context->last_frame );
#endif
      ctx_key.session_id = tcapsrt_global_SessionId++;
      ctx = new_tcaphash_context(&ctx_key, pinfo);
      appended = append_tcaphash_begincall(call, ctx, pinfo);

#ifdef DEBUG_TCAPSRT
      if (timed_out) {
        dbg(12,"Update key %lx ",begin_key.hashKey);
      } else {
        dbg(12,"Update key %lu ",begin_key.hashKey);
      }
#endif
      update_tcaphash_begincall(appended, pinfo);
      call = appended;
      break;
    }
  }

  /*
   * Nothing to display unless SRT display is enabled, a tree was supplied,
   * and a context with a non-zero session id was selected.  The ctx test is
   * the one the analyzer flags; see NOTE(review) in the header.
   */
  if (!(gtcap_DisplaySRT && tree &&
        ctx &&
        ctx->session_id)) {
    return ctx;
  }

  stat_item = proto_tree_add_text(tree, tvb, 0, 0, "Stat");
  PROTO_ITEM_SET_GENERATED(stat_item);
  stat_tree = proto_item_add_subtree(stat_item, ett_tcap_stat);
  item = proto_tree_add_uint(stat_tree, hf_tcapsrt_SessionId, tvb, 0,0, ctx->session_id);
  PROTO_ITEM_SET_GENERATED(item);

  /* A non-zero last_frame is shown as the frame that ends the session. */
  if (ctx->last_frame != 0) {
#ifdef DEBUG_TCAPSRT
    dbg(20,"Display_frameRsplink %d ",ctx->last_frame);
#endif
    item = proto_tree_add_uint_format(stat_tree, hf_tcapsrt_BeginSession, tvb, 0, 0,
                                      ctx->last_frame,
                                      "End of session in frame %u",
                                      ctx->last_frame);
    PROTO_ITEM_SET_GENERATED(item);
  }

  return ctx;
}
| |