(/home/sate/Testcases/c/cve/wireshark-1.2.0/rawshark.c) |
| |
| 244 | | | raw_pipe_open(const char *pipe_name) |
| 245 | | | { |
| 246 | | | #ifndef _WIN32 |
| 247 | | | struct stat pipe_stat; |
| 248 | | | #else |
| 249 | | | char *pncopy, *pos; |
| 250 | | | DWORD err; |
| 251 | | | wchar_t *err_str; |
| 252 | | | HANDLE hPipe = NULL; |
| 253 | | | #endif |
| 254 | | | int rfd; |
| 255 | | | |
| 256 | | | g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_raw_pipe: %s", pipe_name);
x /home/sate/Testcases/c/cve/wireshark-1.2.0/log.h |
| |
32 | #define LOG_DOMAIN_CAPTURE_CHILD "CaptureChild" |
| |
|
| 257 | | | |
| 258 | | | |
| 259 | | | |
| 260 | | | |
| 261 | | | if (strcmp(pipe_name, "-") == 0) { |
Event 2:
Taking false branch. strcmp(pipe_name, "-") == 0 evaluates to false.
hide
|
|
| 262 | | | rfd = 0; |
| 263 | | | #ifdef _WIN32 |
| 264 | | | |
| 265 | | | |
| 266 | | | |
| 267 | | | |
| 268 | | | _setmode(0, _O_BINARY); |
| 269 | | | #endif |
| 270 | | | } else { |
| 271 | | | #ifndef _WIN32 |
| 272 | | | if (ws_stat(pipe_name, &pipe_stat) < 0) { |
Event 3:
pipe_name is passed to stat() as the first argument.
hide
Event 4:
stat() accesses the file named pipe_name. - The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
See related event 3.
hide
Event 5:
Skipping " if". stat(...) < 0 evaluates to false.
hide
|
|
| 273 | | | fprintf(stderr, "rawshark: The pipe %s could not be checked: %s\n", |
| 274 | | | pipe_name, strerror(errno)); |
| 275 | | | return -1; |
| 276 | | | } |
| 277 | | | if (! S_ISFIFO(pipe_stat.st_mode)) {
x /usr/include/sys/stat.h |
| |
136 | # define S_ISFIFO(mode) __S_ISTYPE((mode), __S_IFIFO) |
| |
x /usr/include/sys/stat.h |
| |
129 | #define __S_ISTYPE(mode, mask) (((mode) & __S_IFMT) == (mask)) |
| |
x /usr/include/bits/stat.h |
| |
182 | #define __S_IFMT 0170000 /* These bits determine file type. */ |
| |
x /usr/include/bits/stat.h |
| |
189 | #define __S_IFIFO 0010000 /* FIFO. */ |
| |
|
Event 6:
Skipping " if". (pipe_stat.st_mode & 61440) == 4096 evaluates to true.
hide
|
|
| 278 | | | if (S_ISCHR(pipe_stat.st_mode)) {
x /usr/include/sys/stat.h |
| |
132 | #define S_ISCHR(mode) __S_ISTYPE((mode), __S_IFCHR) |
| |
x /usr/include/sys/stat.h |
| |
129 | #define __S_ISTYPE(mode, mask) (((mode) & __S_IFMT) == (mask)) |
| |
x /usr/include/bits/stat.h |
| |
182 | #define __S_IFMT 0170000 /* These bits determine file type. */ |
| |
x /usr/include/bits/stat.h |
| |
186 | #define __S_IFCHR 0020000 /* Character device. */ |
| |
|
| 279 | | | |
| 280 | | | |
| 281 | | | |
| 282 | | | |
| 283 | | | } else |
| 284 | | | { |
| 285 | | | fprintf(stderr, "rawshark: \"%s\" is neither an interface nor a pipe\n", |
| 286 | | | pipe_name); |
| 287 | | | } |
| 288 | | | return -1; |
| 289 | | | } |
| 290 | | | rfd = ws_open(pipe_name, O_RDONLY | O_NONBLOCK, 0000 );
x /usr/include/bits/fcntl.h |
| |
43 | #define O_NONBLOCK 04000 |
| |
|
Event 7:
pipe_name is passed to open() as the first argument.
hide
File System Race Condition
The file named pipe_name is accessed again. Another process may have changed the file since the access at rawshark.c:272. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The issue can occur if the highlighted code executes. See related events 4 and 7. Show: All events | Only primary events |
|
| |