(/home/sate/Testcases/c/cve/wireshark-1.2.0/tools/lemon/lemon.c) |
| |
| 3130 | | | PRIVATE FILE *tplt_open(struct lemon *lemp) |
| 3131 | | | { |
| 3132 | | | static char templatename[] = "lempar.c"; |
| 3133 | | | char* buf; |
| 3134 | | | FILE *in; |
| 3135 | | | char *tpltname = NULL; |
| 3136 | | | char *cp; |
| 3137 | | | |
| 3138 | | | if (lemp->templatename) { |
Event 1:
Taking false branch. lemp->templatename evaluates to false.
hide
|
|
| 3139 | | | tpltname = strdup(lemp->templatename); |
| 3140 | | | } |
| 3141 | | | else { |
| 3142 | | | cp = strrchr(lemp->filename,'.'); |
| 3143 | | | buf = malloc(1000); |
Event 3:
buf is set to malloc(1000). See related event 2.
hide
|
|
| 3144 | | | if( cp ){ |
Event 4:
Taking false branch. cp evaluates to false.
hide
|
|
| 3145 | | | sprintf(buf,"%.*s.lt",(int)(cp - lemp->filename),lemp->filename); |
| 3146 | | | }else{ |
| 3147 | | | sprintf(buf,"%s.lt",lemp->filename); |
| 3148 | | | } |
| 3149 | | | if( access(buf,004)==0 ){ |
Event 5:
buf, which evaluates to malloc(1000) from lemon.c:3143, is passed to access() as the first argument. See related event 3.
hide
Event 6:
access() accesses the file named buf, where buf is malloc(1000) from lemon.c:3143. - The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
See related event 5.
hide
Event 7:
Taking true branch. access(buf, 4) == 0 evaluates to true.
hide
|
|
| 3150 | | | tpltname = buf; |
Event 8:
tpltname is set to buf, which evaluates to malloc(1000) from lemon.c:3143. See related event 3.
hide
|
|
| 3151 | | | }else if( access(templatename,004)==0 ){ |
| 3152 | | | tpltname = templatename; |
| 3153 | | | }else{ |
| 3154 | | | tpltname = pathsearch(lemp->argv0,templatename,0); |
| 3155 | | | free(buf); |
| 3156 | | | } |
| 3157 | | | } |
| 3158 | | | if( tpltname==0 ){ |
Event 9:
Skipping " if". tpltname == 0 evaluates to false.
hide
|
|
| 3159 | | | fprintf(stderr,"Can't find the parser driver template file \"%s\".\n", |
| 3160 | | | templatename); |
| 3161 | | | lemp->errorcnt++; |
| 3162 | | | free(tpltname); |
| 3163 | | | return 0; |
| 3164 | | | } |
| 3165 | | | in = fopen(tpltname,"rb"); |
Event 10:
tpltname, which evaluates to malloc(1000) from lemon.c:3143, is passed to fopen() as the first argument. See related event 8.
hide
File System Race Condition
The file named tpltname is accessed again. Another process may have changed the file since the access at lemon.c:3149. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The issue can occur if the highlighted code executes. See related events 6 and 10. Show: All events | Only primary events |
|
| |