(/home/sate/Testcases/c/cve/wireshark-1.2.0/filters.c) |
| |
| 115 | | | read_filter_list(filter_list_type_t list_type, char **pref_path_return, |
| 116 | | | int *errno_return) |
| 117 | | | { |
| 118 | | | const char *ff_name; |
| 119 | | | char *ff_path; |
| 120 | | | FILE *ff; |
| 121 | | | GList **flpp; |
| 122 | | | int c; |
| 123 | | | char *filt_name, *filt_expr; |
| 124 | | | int filt_name_len, filt_expr_len; |
| 125 | | | int filt_name_index, filt_expr_index; |
| 126 | | | int line = 1; |
| 127 | | | |
| 128 | | | *pref_path_return = NULL; |
| 129 | | | |
| 130 | | | switch (list_type) { |
Event 1:
list_type evaluates to 0.
|
|
| 131 | | | |
| 132 | | | case CFILTER_LIST: |
| 133 | | | ff_name = CFILTER_FILE_NAME; |
| 134 | | | flpp = &capture_filters; |
| 135 | | | break; |
| 136 | | | |
| 137 | | | case DFILTER_LIST: |
| 138 | | | ff_name = DFILTER_FILE_NAME; |
| 139 | | | flpp = &display_filters; |
| 140 | | | break; |
| 141 | | | |
| 142 | | | default: |
| 143 | | | g_assert_not_reached();
x /usr/include/glib-2.0/glib/gtestutils.h |
| |
73 | #define g_assert_not_reached() do { g_assertion_message (G_LOG_DOMAIN, __FILE__, __LINE__, G_STRFUNC, NULL); } while (0) |
| |
x /usr/include/glib-2.0/glib/gmacros.h |
| |
160 | # define G_STRFUNC ((const char*) (__PRETTY_FUNCTION__)) |
| |
|
| 144 | | | return; |
| 145 | | | } |
| 146 | | | |
| 147 | | | |
| 148 | | | ff_path = get_persconffile_path(ff_name, TRUE, FALSE); |
Event 2:
!0 evaluates to true.
|
|
| 149 | | | if ((ff = ws_fopen(ff_path, "r")) == NULL) { |
Event 3:
Taking true branch. (ff = fopen(...)) == (void *)0 evaluates to true.
|
|
| 150 | | | |
| 151 | | | |
| 152 | | | |
| 153 | | | if (errno != ENOENT) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
|
Event 4:
Skipping " if". errno != 2 evaluates to false.
|
|
| 154 | | | |
| 155 | | | |
| 156 | | | |
| 157 | | | *pref_path_return = ff_path; |
| 158 | | | *errno_return = errno; |
| 159 | | | return; |
| 160 | | | } |
| 161 | | | |
| 162 | | | |
| 163 | | | |
| 164 | | | |
| 165 | | | |
| 166 | | | |
| 167 | | | |
| 168 | | | |
| 169 | | | |
| 170 | | | g_free(ff_path); |
| 171 | | | ff_path = get_persconffile_path(FILTER_FILE_NAME, FALSE, FALSE); |
| 172 | | | if ((ff = ws_fopen(ff_path, "r")) == NULL) { |
Event 6:
Taking true branch. (ff = fopen(...)) == (void *)0 evaluates to true.
|
|
| 173 | | | |
| 174 | | | |
| 175 | | | |
| 176 | | | if (errno != ENOENT) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
|
Event 7:
Skipping " if". errno != 2 evaluates to false.
|
|
| 177 | | | |
| 178 | | | |
| 179 | | | |
| 180 | | | *pref_path_return = ff_path; |
| 181 | | | *errno_return = errno; |
| 182 | | | return; |
| 183 | | | } |
| 184 | | | |
| 185 | | | |
| 186 | | | |
| 187 | | | g_free(ff_path); |
| 188 | | | ff_path = get_datafile_path(ff_name); |
| 189 | | | if ((ff = ws_fopen(ff_path, "r")) == NULL) { |
Event 9:
Skipping " if". (ff = fopen(...)) == (void *)0 evaluates to false.
|
|
| 190 | | | |
| 191 | | | |
| 192 | | | |
| 193 | | | |
| 194 | | | |
| 195 | | | if (errno != ENOENT) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
|
| 196 | | | *pref_path_return = ff_path; |
| 197 | | | *errno_return = errno; |
| 198 | | | } else { |
| 199 | | | g_free(ff_path); |
| 200 | | | } |
| 201 | | | return; |
| 202 | | | } |
| 203 | | | } |
| 204 | | | } |
| 205 | | | |
| 206 | | | |
| 207 | | | |
| 208 | | | while(*flpp) { |
| 209 | | | *flpp = remove_filter_entry(*flpp, g_list_first(*flpp)); |
| 210 | | | } |
| 211 | | | |
| 212 | | | |
| 213 | | | filt_name_len = INIT_BUF_SIZE; |
| 214 | | | filt_name = g_malloc(filt_name_len + 1); |
| 215 | | | filt_expr_len = INIT_BUF_SIZE; |
| 216 | | | filt_expr = g_malloc(filt_expr_len + 1); |
| 217 | | | |
| 218 | | | for (line = 1; ; line++) { |
| 219 | | | |
| 220 | | | |
| 221 | | | |
| 222 | | | |
| 223 | | | |
| 224 | | | |
| 225 | | | |
| 226 | | | |
| 227 | | | |
| 228 | | | |
| 229 | | | while ((c = getc(ff)) != EOF && isspace(c)) { |
| 230 | | | if (c == '\n') { |
| 231 | | | |
| 232 | | | continue; |
| 233 | | | } |
| 234 | | | } |
| 235 | | | |
| 236 | | | if (c == EOF) |
Event 15:
Skipping " if". c == -1 evaluates to false.
|
|
| 237 | | | break; |
| 238 | | | |
| 239 | | | |
| 240 | | | |
| 241 | | | if (c != '"') { |
Event 16:
Skipping " if". c != 34 evaluates to false.
|
|
| 242 | | | g_warning("'%s' line %d doesn't have a quoted filter name.", ff_path,
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 243 | | | line); |
| 244 | | | while (c != '\n') |
| 245 | | | c = getc(ff); |
| 246 | | | continue; |
| 247 | | | } |
| 248 | | | |
| 249 | | | |
| 250 | | | filt_name_index = 0; |
| 251 | | | for (;;) { |
| 252 | | | c = getc(ff); |
| 253 | | | if (c == EOF || c == '\n') |
| 254 | | | break; |
| 255 | | | if (c == '"') { |
| 256 | | | |
| 257 | | | if (filt_name_index >= filt_name_len) { |
Event 18:
Skipping " if". filt_name_index >= filt_name_len evaluates to false.
|
|
| 258 | | | |
| 259 | | | filt_name_len *= 2; |
| 260 | | | filt_name = g_realloc(filt_name, filt_name_len + 1); |
| 261 | | | } |
| 262 | | | filt_name[filt_name_index] = '\0'; |
| 263 | | | break; |
| 264 | | | } |
| 265 | | | if (c == '\\') { |
| 266 | | | |
| 267 | | | c = getc(ff); |
| 268 | | | if (c == EOF || c == '\n') |
| 269 | | | break; |
| 270 | | | } |
| 271 | | | |
| 272 | | | if (filt_name_index >= filt_name_len) { |
| 273 | | | |
| 274 | | | filt_name_len *= 2; |
| 275 | | | filt_name = g_realloc(filt_name, filt_name_len + 1); |
| 276 | | | } |
| 277 | | | filt_name[filt_name_index] = c; |
| 278 | | | filt_name_index++; |
| 279 | | | } |
| 280 | | | |
| 281 | | | if (c == EOF) { |
Event 19:
Skipping " if". c == -1 evaluates to false.
|
|
| 282 | | | if (!ferror(ff)) { |
| 283 | | | |
| 284 | | | g_warning("'%s' line %d doesn't have a newline.", ff_path,
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 285 | | | line); |
| 286 | | | } |
| 287 | | | break; |
| 288 | | | } |
| 289 | | | |
| 290 | | | if (c != '"') { |
Event 20:
Skipping " if". c != 34 evaluates to false.
|
|
| 291 | | | |
| 292 | | | g_warning("'%s' line %d doesn't have a closing quote.", ff_path,
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 293 | | | line); |
| 294 | | | continue; |
| 295 | | | } |
| 296 | | | |
| 297 | | | |
| 298 | | | while ((c = getc(ff)) != EOF && isspace(c)) { |
| 299 | | | if (c == '\n') |
| 300 | | | break; |
| 301 | | | } |
| 302 | | | |
| 303 | | | if (c == EOF) { |
Event 22:
Skipping " if". c == -1 evaluates to false.
|
|
| 304 | | | if (!ferror(ff)) { |
| 305 | | | |
| 306 | | | g_warning("'%s' line %d doesn't have a newline.", ff_path,
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 307 | | | line); |
| 308 | | | } |
| 309 | | | break; |
| 310 | | | } |
| 311 | | | |
| 312 | | | if (c == '\n') { |
Event 23:
Skipping " if". c == 10 evaluates to false.
|
|
| 313 | | | |
| 314 | | | g_warning("'%s' line %d doesn't have a filter expression.", ff_path,
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 315 | | | line); |
| 316 | | | continue; |
| 317 | | | } |
| 318 | | | |
| 319 | | | |
| 320 | | | |
| 321 | | | filt_expr_index = 0; |
| 322 | | | for (;;) { |
Event 24:
During loop iterations, filt_expr_index is set to filt_expr_index + 1, which evaluates to a potentially dangerous value (potentially dangerous: the value cannot be determined and may come from program input). This determines the position accessed in the buffer during the buffer overrun reported later.
|
|
| 323 | | | |
| 324 | | | if (filt_expr_index >= filt_expr_len) { |
Event 25:
Taking true branch. filt_expr_index >= filt_expr_len evaluates to true.
|
|
| 325 | | | |
| 326 | | | filt_expr_len *= 2; |
| 327 | | | filt_expr = g_realloc(filt_expr, filt_expr_len + 1); |
| 328 | | | } |
| 329 | | | filt_expr[filt_expr_index] = c; |
| 330 | | | filt_expr_index++; |
Event 27:
filt_expr_index is set to filt_expr_index + 1, which evaluates to the value assigned to filt_expr_index at filters.c:322, plus 2. See related event 24.
|
|
| 331 | | | |
| 332 | | | |
| 333 | | | c = getc(ff); |
| 334 | | | if (c == EOF || c == '\n') |
| 335 | | | break; |
| 336 | | | } |
| 337 | | | |
| 338 | | | if (c == EOF) { |
Event 29:
Skipping " if". c == -1 evaluates to false.
|
|
| 339 | | | if (!ferror(ff)) { |
| 340 | | | |
| 341 | | | g_warning("'%s' line %d doesn't have a newline.", ff_path,
x /usr/include/glib-2.0/glib/gmessages.h |
| |
153 | #define g_warning(...) g_log (G_LOG_DOMAIN, \ |
154 | G_LOG_LEVEL_WARNING, \ |
155 | __VA_ARGS__) |
| |
|
| 342 | | | line); |
| 343 | | | } |
| 344 | | | break; |
| 345 | | | } |
| 346 | | | |
| 347 | | | |
| 348 | | | if (filt_expr_index >= filt_expr_len) { |
Event 30:
Taking true branch. filt_expr_index >= filt_expr_len evaluates to true.
|
|
| 349 | | | |
| 350 | | | filt_expr_len *= 2; |
| 351 | | | filt_expr = g_realloc(filt_expr, filt_expr_len + 1); |
Event 31:
g_realloc is an Undefined Function.
Event 32:
filt_expr is set to g_realloc(...). - This points to the buffer that will be overrun later.
|
|
| 352 | | | } |
| 353 | | | filt_expr[filt_expr_index] = '\0'; |
Buffer Overrun
This code could write past the end of the buffer pointed to by filt_expr. - filt_expr evaluates to g_realloc(...) from filters.c:351.
- The code writes 1 byte starting at offset filt_expr_index from the beginning of the buffer pointed to by filt_expr.
- The number of bytes written could exceed the number of allocated bytes beyond that offset.
- filt_expr_index evaluates to the value assigned to filt_expr_index at filters.c:322, plus 2, which is bounded below by 2. See related event 27.
- The capacity of the buffer pointed to by filt_expr, in bytes, is the capacity of the buffer pointed to by g_realloc(...) at filters.c:351. See related event 32.
- If filt_expr_index plus 1 is higher than the capacity of the buffer pointed to by g_realloc(...) at filters.c:351, an overrun will occur. The analysis cannot rule out this possibility, so has issued this warning.
The issue can occur if the highlighted code executes. See related events 27 and 32.
|
| 354 | | | |
| 355 | | | |
| 356 | | | *flpp = add_filter_entry(*flpp, filt_name, filt_expr); |
| |