(/home/sate/Testcases/c/cve/wireshark-1.2.0/gtk/wlan_stat_dlg.c) |
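/*
 * Tap "packet" callback of the WLAN traffic statistics dialog.
 *
 * Accounts one dissected 802.11 frame in the per-BSS list hung off the
 * dialog state.
 *
 * phs   - tap state, a wlanstat_t *; the call is a no-op when NULL.
 * pinfo - packet info, only forwarded to alloc_wlan_ep().
 * edt   - unused.
 * phi   - tap data handed over by the 802.11 dissector, a struct _wlan_hdr *.
 *
 * Returns 1 when the frame was counted (the dialog needs a redraw),
 * 0 when it was ignored or no list entry could be obtained.
 */
wlanstat_packet (void *phs, packet_info *pinfo, epan_dissect_t *edt _U_, const void *phi)
{
	wlanstat_t *hs = (wlanstat_t *)phs;
	struct _wlan_hdr *si = (struct _wlan_hdr *) phi;
	wlan_ep_t *tmp = NULL, *te = NULL;

	if (!hs)
		return (0);

	hs->number_of_packets++;

	if (!hs->ep_list) {
		hs->ep_list = alloc_wlan_ep (si, pinfo);
		te = hs->ep_list;
	} else {
		/*
		 * Find the entry this frame belongs to.  Probe requests (type
		 * 0x04) carry no usable BSSID, so they are matched on SSID (or,
		 * for an empty SSID, on the "Broadcast" pseudo-entry); every
		 * other frame is matched on its BSSID.
		 */
		for (tmp = hs->ep_list; tmp; tmp = tmp->next) {
			int match;

			if (si->type == 0x04) {
				int both_empty = (tmp->stats.ssid_len == 0) && (si->stats.ssid_len == 0) &&
				                 (strcmp (get_addr_name(&tmp->bssid), "Broadcast") == 0);
				int same_ssid  = (si->stats.ssid_len != 0) &&
				                 (tmp->stats.ssid_len == si->stats.ssid_len) &&
				                 (memcmp (tmp->stats.ssid, si->stats.ssid, si->stats.ssid_len) == 0);
				match = both_empty || same_ssid;
			} else {
				match = (CMP_ADDRESS (&tmp->bssid, &si->bssid) == 0);
			}
			if (match) {
				te = tmp;
				break;
			}
		}

		if (!te) {
			/* Unknown BSS: push a fresh entry at the head of the list. */
			if ((te = alloc_wlan_ep (si, pinfo))) {
				te->next = hs->ep_list;
				hs->ep_list = te;
			}
		}
	}

	/*
	 * Bail out before the first use of te.  This test used to sit after
	 * the probe-request merge below, which already dereferences te, so a
	 * NULL from alloc_wlan_ep() would have been dereferenced before it was
	 * ever checked.
	 */
	if (!te)
		return (0);

	/*
	 * Probe requests seen before any frame from the BSS itself were filed
	 * under a "Broadcast" entry keyed by SSID.  The first non-probe frame
	 * carrying a real SSID folds that entry into this one.  This is done
	 * at most once per entry (probe_req_searched).
	 */
	if (!te->probe_req_searched && (si->type != 0x04) && (te->type[0x04] == 0) &&
	    (si->stats.ssid_len > 1 || si->stats.ssid[0] != 0)) {
		wlan_ep_t *prev = NULL;
		GtkListStore *store = GTK_LIST_STORE(gtk_tree_view_get_model(hs->table));

		te->probe_req_searched = TRUE;
		for (tmp = hs->ep_list; tmp; prev = tmp, tmp = tmp->next) {
			/*
			 * Never pick te itself as the merge candidate: it is freed
			 * below and still used afterwards.  NOTE(review): this
			 * should not normally be reachable -- confirm against the
			 * BSSID values the dissector can report.
			 */
			if (tmp == te)
				continue;

			if ((si->stats.ssid_len == tmp->stats.ssid_len) &&
			    (memcmp (si->stats.ssid, tmp->stats.ssid, tmp->stats.ssid_len) == 0) &&
			    (strcmp (get_addr_name(&tmp->bssid), "Broadcast") == 0)) {
				te->type[0x04] += tmp->type[0x04];
				te->number_of_packets += tmp->number_of_packets;

				if (tmp->details && tmp->details->next) {
					/*
					 * Carry the probe-request counters over to the two
					 * per-address detail rows of the surviving entry.
					 * NOTE(review): get_details_ep() is assumed never to
					 * return NULL here -- confirm.
					 */
					wlan_details_ep_t *d_te;
					d_te = get_details_ep (te, &tmp->details->address);
					d_te->probe_req += tmp->type[0x04];
					d_te->number_of_packets += tmp->type[0x04];
					d_te = get_details_ep (te, &tmp->details->next->address);
					d_te->probe_req += tmp->type[0x04];
					d_te->number_of_packets += tmp->type[0x04];
				}

				/*
				 * Unlink tmp.  prev is NULL exactly when tmp is the list
				 * head, so this test is required.  A static analyzer
				 * reported it as a "null test after dereference"; that
				 * is a false positive -- prev is only ever dereferenced
				 * inside this branch.
				 */
				if (prev) {
					prev->next = tmp->next;
				} else {
					hs->ep_list = tmp->next;
				}
				dealloc_wlan_details_ep (tmp->details);
				if (tmp->iter_valid) {
					gtk_list_store_remove(store, &tmp->iter);
				}
				g_free (tmp);
				break;
			}
		}
	}

	/* Fill in BSS properties the entry does not know yet. */
	if (te->stats.channel == 0 && si->stats.channel != 0) {
		te->stats.channel = si->stats.channel;
	}
	if (te->stats.ssid[0] == 0 && si->stats.ssid_len != 0) {
		/*
		 * Copies the whole buffer rather than ssid_len bytes; assumes both
		 * ssid fields are MAX_SSID_LEN arrays -- TODO confirm.
		 */
		memcpy (te->stats.ssid, si->stats.ssid, MAX_SSID_LEN);
		te->stats.ssid_len = si->stats.ssid_len;
	}
	if (te->stats.protection[0] == 0 && si->stats.protection[0] != 0) {
		g_strlcpy (te->stats.protection, si->stats.protection, MAX_PROTECT_LEN);
	}

	/*
	 * si->type is an index supplied by the dissector; te->type must be
	 * sized for every value it can produce -- confirm against the
	 * dissector's frame-type range.
	 */
	te->type[si->type]++;
	te->number_of_packets++;

	wlanstat_packet_details (te, si->type, &si->src, TRUE);
	wlanstat_packet_details (te, si->type, &si->dst, FALSE);

	return (1);
}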