(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-scsi-osd.c) |
| |
| 2574 | | | dissect_osd_opcode(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, |
| 2575 | | | guint offset, gboolean isreq, gboolean iscdb, |
| 2576 | | | guint payload_len, scsi_task_data_t *cdata) |
| 2577 | | | { |
| 2578 | | | guint16 svcaction=0; |
| 2579 | | | scsi_osd_dissector_t dissector; |
| 2580 | | | scsi_osd_conv_info_t *conv_info=NULL; |
| 2581 | | | scsi_osd_lun_info_t *lun_info=NULL; |
| 2582 | | | |
| 2583 | | | if(!tree) { |
Event 1:
Skipping " if". tree evaluates to true.
|
|
| 2584 | | | return; |
| 2585 | | | } |
| 2586 | | | |
| 2587 | | | |
| 2588 | | | if(!cdata || !cdata->itl || !cdata->itl->conversation || !cdata->itlq){ |
Event 2:
Skipping " if". - cdata evaluates to true.
- cdata->itl evaluates to true.
- cdata->itl->conversation evaluates to true.
- cdata->itlq evaluates to true.
|
|
| 2589 | | | return; |
| 2590 | | | } |
| 2591 | | | |
| 2592 | | | conv_info=conversation_get_proto_data(cdata->itl->conversation, proto_scsi_osd); |
| 2593 | | | if(!conv_info){ |
Event 3:
Skipping " if". conv_info evaluates to true.
|
|
| 2594 | | | conv_info=se_alloc(sizeof(scsi_osd_conv_info_t)); |
| 2595 | | | conv_info->luns=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SCSI OSD luns tree"); |
| 2596 | | | conversation_add_proto_data(cdata->itl->conversation, proto_scsi_osd, conv_info); |
| 2597 | | | } |
| 2598 | | | |
| 2599 | | | lun_info=se_tree_lookup32(conv_info->luns, cdata->itlq->lun); |
| 2600 | | | if(!lun_info){ |
Event 5:
Skipping " if". lun_info evaluates to true.
|
|
| 2601 | | | lun_info=se_alloc(sizeof(scsi_osd_lun_info_t)); |
| 2602 | | | lun_info->partitions=se_tree_create_non_persistent(EMEM_TREE_TYPE_RED_BLACK, "SCSI OSD partitions tree"); |
| 2603 | | | se_tree_insert32(conv_info->luns, cdata->itlq->lun, (void *)lun_info); |
| 2604 | | | } |
| 2605 | | | |
| 2606 | | | |
| 2607 | | | if (isreq && iscdb) { |
Event 6:
Skipping " if". isreq evaluates to false.
|
|
| 2608 | | | proto_tree_add_item (tree, hf_scsi_control, tvb, offset, 1, 0); |
| 2609 | | | offset++; |
| 2610 | | | |
| 2611 | | | |
| 2612 | | | offset+=5; |
| 2613 | | | |
| 2614 | | | proto_tree_add_item (tree, hf_scsi_osd_add_cdblen, tvb, offset, 1, 0); |
| 2615 | | | offset++; |
| 2616 | | | |
| 2617 | | | svcaction=tvb_get_ntohs(tvb, offset); |
| 2618 | | | if(cdata && cdata->itlq){ |
| 2619 | | | |
| 2620 | | | |
| 2621 | | | |
| 2622 | | | if((!pinfo->fd->flags.visited) && (!cdata->itlq->)){ |
| 2623 | | | *; |
| 2624 | | | |
| 2625 | | | =se_alloc(sizeof()); |
| 2626 | | | ->svcaction=svcaction; |
| 2627 | | | ->gsatype=0; |
| 2628 | | | cdata->itlq->=; |
| 2629 | | | } |
| 2630 | | | } |
| 2631 | | | proto_tree_add_item (tree, hf_scsi_osd_svcaction, tvb, offset, 2, 0); |
| 2632 | | | offset+=2; |
| 2633 | | | |
| 2634 | | | |
| 2635 | | | if(check_col(pinfo->cinfo, COL_INFO)){ |
| 2636 | | | col_append_str(pinfo->cinfo, COL_INFO, |
| 2637 | | | val_to_str(svcaction, scsi_osd_svcaction_vals, "Unknown OSD Serviceaction")); |
| 2638 | | | } |
| 2639 | | | dissector=find_svcaction_dissector(svcaction); |
| 2640 | | | if(dissector){ |
| 2641 | | | (*dissector)(tvb, pinfo, tree, offset, isreq, iscdb, payload_len, cdata, conv_info, lun_info); |
| 2642 | | | } |
| 2643 | | | return; |
| 2644 | | | } |
| 2645 | | | |
| 2646 | | | |
| 2647 | | | |
| 2648 | | | |
| 2649 | | | if(cdata && cdata->itlq && cdata->itlq->){ |
Null Test After Dereference
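This code tests whether cdata is null, although cdata has already been dereferenced.
- If cdata were null, there would have been a prior null pointer dereference at packet-scsi-osd.c:2599, and potentially at other locations as well.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test.
In this listing the early return at line 2588 already rejects a null cdata and a null cdata->itlq, so the dereference at line 2599 is guarded and the finding falls under the "redundant test" case for those two operands; the same redundant test also appears at line 2618. The third operand of the test at line 2649 is not covered by the guard at line 2588, so that part of the condition is still needed.
The issue can occur if the highlighted code executes. See related event 4.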
|
| 2650 | | | *=cdata->itlq->; |
| 2651 | | | svcaction=->svcaction; |
| 2652 | | | } |
| 2653 | | | if(check_col(pinfo->cinfo, COL_INFO)){ |
| 2654 | | | col_append_str(pinfo->cinfo, COL_INFO, |
| 2655 | | | val_to_str(svcaction, scsi_osd_svcaction_vals, "Unknown OSD Serviceaction")); |
| 2656 | | | } |
| 2657 | | | if(svcaction){ |
| 2658 | | | proto_item *it; |
| 2659 | | | it=proto_tree_add_uint_format(tree, hf_scsi_osd_svcaction, tvb, 0, 0, svcaction, "Service Action: 0x%04x", svcaction); |
| 2660 | | | PROTO_ITEM_SET_GENERATED(it);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
325 | #define PROTO_ITEM_SET_GENERATED(proto_item) \ |
326 | ((proto_item) ? FI_SET_FLAG((proto_item)->finfo, FI_GENERATED) : 0) |
| |
x /home/sate/Testcases/c/cve/wireshark-1.2.0/epan/proto.h |
| |
246 | #define FI_SET_FLAG(fi, flag) (fi->flags = fi->flags | flag) |
| |
|
| 2661 | | | } |
| 2662 | | | dissector=find_svcaction_dissector(svcaction); |
| 2663 | | | if(dissector){ |
| 2664 | | | (*dissector)(tvb, pinfo, tree, offset, isreq, iscdb, payload_len, cdata, conv_info, lun_info); |
| 2665 | | | } |
| 2666 | | | |
| 2667 | | | } |
| |