(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-ncp2222.inc) |
| |
| 7563 | | | dissect_ncp_request(tvbuff_t *tvb, packet_info *pinfo, |
| 7564 | | | guint32 nw_connection, guint8 sequence, |
| 7565 | | | guint16 type, proto_tree *volatile ncp_tree) |
| 7566 | | | { |
| 7567 | | | volatile guint8 func=0; |
| 7568 | | | volatile guint8 subfunc = 0; |
| 7569 | | | gboolean requires_subfunc = FALSE; |
| 7570 | | | gboolean has_length = FALSE; |
| 7571 | | | ncp_req_hash_value *volatile request_value = NULL; |
| 7572 | | | const ncp_record *volatile ncp_rec = NULL; |
| 7573 | | | conversation_t *conversation; |
| 7574 | | | ptvcursor_t *volatile ptvc = NULL; |
| 7575 | | | proto_tree *temp_tree = NULL; |
| 7576 | | | volatile gboolean run_req_cond = FALSE; |
| 7577 | | | volatile gboolean run_info_str = FALSE; |
| 7578 | | | guint32 length_remaining; |
| 7579 | | | guint32 testvar; |
| 7580 | | | volatile unsigned long except_code; |
| 7581 | | | const char *volatile message; |
| 7582 | | | |
| 7583 | | | |
| 7584 | | | |
| 7585 | | | switch (type) { |
Event 1:
Executing default case.
|
|
| 7586 | | | case NCP_ALLOCATE_SLOT: |
| 7587 | | | length_remaining = tvb_length_remaining(tvb, 4); |
| 7588 | | | if (length_remaining > 4) |
| 7589 | | | { |
| 7590 | | | testvar = tvb_get_ntohl(tvb, 4); |
| 7591 | | | if( testvar == 0x4c495020) |
| 7592 | | | { |
| 7593 | | | ncp_rec = &ncplip_echo; |
| 7594 | | | } |
| 7595 | | | else |
| 7596 7626 |  | | [ Lines 7596 to 7626 omitted. ] |
| 7627 | | | if (ncp_echo_conn) { |
| 7628 | | | expert_add_info_format(pinfo, NULL, PI_RESPONSE_CODE, PI_CHAT, "Destroy Connection %u Request", nw_connection); |
| 7629 | | | } |
| 7630 | | | break; |
| 7631 | | | case NCP_BROADCAST_SLOT: |
| 7632 | | | ncp_rec = &ncpbbbb_request; |
| 7633 | | | break; |
| 7634 | | | case NCP_LIP_ECHO: |
| 7635 | | | ncp_rec = &ncplip_echo; |
| 7636 | | | break; |
| 7637 | | | default: |
| 7638 | | | ncp_rec = NULL; |
Event 2:
ncp_rec is set to NULL here and is dereferenced later (line 7645), causing the null pointer dereference.
|
|
| 7639 | | | break; |
| 7640 | | | } |
| 7641 | | | |
| 7642 | | | |
| 7643 | [+] | | if (check_col(pinfo->cinfo, COL_INFO)) { |
 |
| 7644 | | | if (ncp_rec) { |
Event 7:
Taking true branch. ncp_rec evaluates to true.
|
|
| 7645 | | | col_add_fstr(pinfo->cinfo, COL_INFO, "C %s", ncp_rec->name); |
Null Pointer Dereference
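ncp_rec is dereferenced here, but it is NULL. The issue can occur if the highlighted code executes. See related event 2. Triage note: this dereference sits inside the `if (ncp_rec)` check on line 7644, which event 7 reports as true, so the NULL assigned at line 7638 should not reach it unless the pointer changes between the two reads. ncp_rec is declared `volatile` (line 7572), which is presumably why the tool treats the two reads as independent; review the hidden events 3–6 before classifying this as a true positive. |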
|
| |