(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/dissectors/packet-dcm.c) |
| |
| 4926 | | | (tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, |
| 4927 | | | dcm_state_assoc_t *assoc, guint32 offset, dcm_state_pdv_t **pdv) |
| 4928 | | | { |
| 4929 | | | |
| 4930 | | | |
| 4931 | | | proto_item *pdv_ctx_pitem = NULL; |
| 4932 | | | proto_item *pdv_flags_pitem = NULL; |
| 4933 | | | |
| 4934 | | | dcm_state_pctx_t *pctx = NULL; |
| 4935 | | | dcm_state_pdv_t *pdv_first_data = NULL; |
| 4936 | | | |
| 4937 | | | const gchar *desc_flag = NULL; |
| 4938 | | | gchar * = NULL; |
| 4939 | | | |
| 4940 | | | guint8 flags = 0; |
| 4941 | | | guint8 pctx_id = 0; |
| 4942 | | | |
| 4943 | | | |
| 4944 | | | pctx_id = tvb_get_guint8(tvb, offset); |
| 4945 | | | pctx = dcm_state_pctx_get(assoc, pctx_id, FALSE); |
| 4946 | | | |
| 4947 | | | if (pctx && pctx->xfer_uid) { |
Event 1:
Taking false branch. pctx evaluates to false.
|
|
| 4948 | | | proto_tree_add_uint_format(tree, hf_dcm_pdv_ctx, tvb, offset, 1, |
| 4949 | | | pctx_id, "Context: 0x%02x (%s, %s)", pctx_id, |
| 4950 | | | dcm_uid_or_desc(pctx->xfer_uid, pctx->xfer_desc), |
| 4951 | | | dcm_uid_or_desc(pctx->abss_uid, pctx->abss_desc)); |
| 4952 | | | } |
| 4953 | | | else { |
| 4954 | | | pdv_ctx_pitem=proto_tree_add_uint_format(tree, hf_dcm_pdv_ctx, tvb, offset, 1, |
| 4955 | | | pctx_id, "Context: 0x%02x not found. A-ASSOCIATE request not found in capture.", pctx_id); |
| 4956 | | | |
| 4957 | | | expert_add_info_format(pinfo, pdv_ctx_pitem, PI_MALFORMED, PI_ERROR, "Invalid Presentation Context ID"); |
| 4958 | | | |
| 4959 | | | |
| 4960 | | | pctx = dcm_state_pctx_new(assoc, pctx_id); |
| 4961 | | | |
| 4962 | | | |
| 4963 | | | pctx->syntax = DCM_UNK; |
| 4964 | | | } |
| 4965 | | | offset +=1; |
| 4966 | | | |
| 4967 | | | |
| 4968 | | | |
| 4969 | | | |
| 4970 | | | |
| 4971 | | | |
| 4972 | | | |
| 4973 | | | |
| 4974 | | | *pdv = dcm_state_pdv_get(pctx, pinfo->fd->num, tvb->raw_offset+offset, TRUE); |
Event 2:
!0 evaluates to true.
|
|
| 4975 | | | if (*pdv == NULL) { |
Event 3:
Skipping " if". *pdv == (void *)0 evaluates to false.
|
|
| 4976 | | | return 0; |
| 4977 | | | } |
| 4978 | | | |
| 4979 | | | |
| 4980 | | | flags = tvb_get_guint8(tvb, offset); |
| 4981 | | | |
| 4982 | | | (*pdv)->pctx_id = pctx_id; |
| 4983 | | | |
| 4984 | | | =se_alloc0(MAX_BUF_LEN); |
| 4985 | | | |
| 4986 | | | switch (flags) { |
Event 4:
flags evaluates to 0.
|
|
| 4987 | | | case 0: |
| 4988 | | | desc_flag = "Data, More Fragments"; |
| 4989 | | | |
| 4990 | | | (*pdv)->is_flagvalid = TRUE; |
Event 5:
!0 evaluates to true.
|
|
| 4991 | | | (*pdv)->is_command = FALSE; |
| 4992 | | | (*pdv)->is_last_fragment = FALSE; |
| 4993 | | | (*pdv)->syntax = pctx->syntax; |
| 4994 | | | break; |
| 4995 | | | |
| 4996 | | | case 2: |
| 4997 | | | desc_flag = "Data, Last Fragment"; |
| 4998 | | | |
| 4999 | | | (*pdv)->is_flagvalid = TRUE; |
| 5000 | | | (*pdv)->is_command = FALSE; |
| 5001 | | | (*pdv)->is_last_fragment = TRUE; |
| 5002 | | | (*pdv)->syntax = pctx->syntax; |
| 5003 | | | break; |
| 5004 | | | |
| 5005 | | | case 1: |
| 5006 | | | desc_flag = "Command, More Fragments"; |
| 5007 | | | g_snprintf(, MAX_BUF_LEN, "Command"); |
| 5008 | | | |
| 5009 | | | (*pdv)->is_flagvalid = TRUE; |
| 5010 | | | (*pdv)->is_command = TRUE; |
| 5011 | | | (*pdv)->is_last_fragment = FALSE; |
| 5012 | | | (*pdv)->syntax = DCM_ILE; |
| 5013 | | | break; |
| 5014 | | | |
| 5015 | | | case 3: |
| 5016 | | | desc_flag = "Command, Last Fragment"; |
| 5017 | | | g_snprintf(, MAX_BUF_LEN, "Command"); |
| 5018 | | | |
| 5019 | | | (*pdv)->is_flagvalid = TRUE; |
| 5020 | | | (*pdv)->is_command = TRUE; |
| 5021 | | | (*pdv)->is_last_fragment = TRUE; |
| 5022 | | | (*pdv)->syntax = DCM_ILE; |
| 5023 | | | break; |
| 5024 | | | |
| 5025 | | | default: |
| 5026 | | | desc_flag = "Invalid Flags"; |
| 5027 | | | g_snprintf(, MAX_BUF_LEN, "Invalid Flags"); |
| 5028 | | | |
| 5029 | | | (*pdv)->is_flagvalid = FALSE; |
| 5030 | | | (*pdv)->is_command = FALSE; |
| 5031 | | | (*pdv)->is_last_fragment = FALSE; |
| 5032 | | | (*pdv)->syntax = DCM_UNK; |
| 5033 | | | } |
| 5034 | | | |
| 5035 | | | if (flags == 0 || flags == 2) { |
Event 7:
Taking true branch. flags == 0 evaluates to true.
|
|
| 5036 | | | |
| 5037 | | | pdv_first_data = dcm_state_pdv_get_obj_start(*pdv); |
| 5038 | | | |
| 5039 | | | if (pdv_first_data->prev && pdv_first_data->prev->is_command) { |
| 5040 | | | |
| 5041 | | | |
| 5042 | | | |
| 5043 | | | |
| 5044 | | | if (pctx && pctx->abss_desc && g_str_has_suffix(pctx->abss_desc, "Storage")) { |
Null Test After Dereference
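This code tests pctx for NULL after pctx has already been dereferenced. - If pctx were NULL, a NULL pointer dereference would already have occurred at packet-dcm.c:4993 (the read of pctx->syntax), and potentially at other locations as well.
- Either this test is redundant, or the earlier dereference(s) should be guarded by a similar test.
- On the path shown, the lookup at line 4945 yields NULL (Event 1), pctx is then reassigned from dcm_state_pctx_new() at line 4960 and dereferenced without a check at lines 4963 and 4993. pctx_id is read from the packet at line 4944, so this branch is reachable from capture data. Which of the two readings applies depends on whether dcm_state_pctx_new() can return NULL, which this listing does not show.
The issue can occur if the highlighted code executes. See related event 6. |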
|
| 5045 | | | |
| 5046 | | | if (flags == 0) { |
| 5047 | | | g_snprintf(, MAX_BUF_LEN, "%s (more fragments)", pctx->abss_desc); |
| 5048 | | | } |
| 5049 | | | else { |
| 5050 | | | g_snprintf(, MAX_BUF_LEN, "%s", pctx->abss_desc); |
| 5051 | | | } |
| 5052 | | | (*pdv)->is_storage = TRUE; |
| 5053 | | | } |
| 5054 | | | else { |
| 5055 | | | |
| 5056 | | | g_snprintf(, MAX_BUF_LEN, "%s-DATA", pdv_first_data->prev->desc); |
| 5057 | | | } |
| 5058 | | | } |
| 5059 | | | else { |
| 5060 | | | g_snprintf(, MAX_BUF_LEN, "DATA"); |
| 5061 | | | } |
| 5062 | | | } |
| 5063 | | | |
| 5064 | | | (*pdv)->desc = ; |
| 5065 | | | |
| 5066 | | | pdv_flags_pitem = proto_tree_add_uint_format(tree, hf_dcm_pdv_flags, tvb, offset, 1, |
| 5067 | | | flags, "Flags: 0x%02x (%s)", flags, desc_flag); |
| 5068 | | | |
| 5069 | | | if (flags>3) { |
| 5070 | | | expert_add_info_format(pinfo, pdv_flags_pitem, PI_MALFORMED, PI_ERROR, "Invalid Flags"); |
| 5071 | | | } |
| 5072 | | | offset +=1; |
| 5073 | | | |
| 5074 | | | return offset; |
| 5075 | | | } |
| |