(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| |
| 3040 | | | PRIVATE char *pathsearch(char *argv0, char *name, int modemask) |
| 3041 | | | { |
| 3042 | | | char *pathlist; |
| 3043 | | | char *path,*cp; |
| 3044 | | | char c; |
| 3045 | | | |
| 3046 | | | #ifdef __WIN32__ |
| 3047 | | | cp = strrchr(argv0,'\\'); |
| 3048 | | | #else |
| 3049 | | | cp = strrchr(argv0,'/'); |
| 3050 | | | #endif |
| 3051 | | | if( cp ){ |
Event 1:
Taking false branch. cp evaluates to false.
hide
|
|
| 3052 | | | c = *cp; |
| 3053 | | | *cp = 0; |
| 3054 | | | path = (char *)malloc( strlen(argv0) + strlen(name) + 2 ); |
| 3055 | | | if( path ) sprintf(path,"%s/%s",argv0,name); |
| 3056 | | | *cp = c; |
| 3057 | | | }else{ |
| 3058 | | | pathlist = getenv("PATH"); |
| 3059 | | | if( pathlist==0 ) pathlist = ".:/bin:/usr/bin"; |
Event 2:
Skipping " if". pathlist == 0 evaluates to false.
hide
|
|
| 3060 | | | path = (char *)malloc( strlen(pathlist)+strlen(name)+2 ); |
Event 4:
path is set to malloc(...). See related event 3.
hide
|
|
| 3061 | | | if( path!=0 ){ |
Event 5:
Taking true branch. path != 0 evaluates to true.
hide
|
|
| 3062 | | | while( *pathlist ){ |
Event 7:
During loop iterations, the file named path is accessed, where path is malloc(...) from lemon.c:3060. - The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
See related event 4.
hide
Event 8:
Continuing from loop body. Entering loop body. *pathlist evaluates to true.
hide
|
|
| 3063 | | | cp = strchr(pathlist,':'); |
| 3064 | | | if( cp==0 ) cp = &pathlist[strlen(pathlist)]; |
Event 9:
Skipping " if". cp == 0 evaluates to false.
hide
|
|
| 3065 | | | c = *cp; |
| 3066 | | | *cp = 0; |
| 3067 | | | sprintf(path,"%s/%s",pathlist,name); |
| 3068 | | | *cp = c; |
| 3069 | | | if( c==0 ) pathlist = ""; |
Event 10:
Taking false branch. c == 0 evaluates to false.
hide
|
|
| 3070 | | | else pathlist = &cp[1]; |
| 3071 | | | if( access(path,modemask)==0 ) break; |
Event 11:
path, which evaluates to malloc(...) from lemon.c:3060, is passed to access() as the first argument. See related event 4.
hide
File System Race Condition
The file named path is accessed again. Another process may have changed the file since the access at lemon.c:3062. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The issue can occur if the highlighted code executes. See related events 7 and 11. Show: All events | Only primary events |
|
| |