(/home/sate/Testcases/c/cve/wireshark-1.2.0/filters.c) |
| |
| 463 | | | save_filter_list(filter_list_type_t list_type, char **pref_path_return, |
| 464 | | | int *errno_return) |
| 465 | | | { |
| 466 | | | const gchar *ff_name; |
| 467 | | | gchar *ff_path, *ff_path_new; |
| 468 | | | GList *fl; |
| 469 | | | GList *flpp; |
| 470 | | | filter_def *filt; |
| 471 | | | FILE *ff; |
| 472 | | | guchar *p, c; |
| 473 | | | |
| 474 | | | *pref_path_return = NULL; |
| 475 | | | |
| 476 | | | switch (list_type) { |
Event 1:
list_type evaluates to 1.
|
|
| 477 | | | |
| 478 | | | case CFILTER_LIST: |
| 479 | | | ff_name = CFILTER_FILE_NAME; |
| 480 | | | fl = capture_filters; |
| 481 | | | break; |
| 482 | | | |
| 483 | | | case DFILTER_LIST: |
| 484 | | | ff_name = DFILTER_FILE_NAME; |
| 485 | | | fl = display_filters; |
| 486 | | | break; |
| 487 | | | |
| 488 | | | default: |
| 489 | | | g_assert_not_reached();
x /usr/include/glib-2.0/glib/gtestutils.h |
| |
73 | #define g_assert_not_reached() do { g_assertion_message (G_LOG_DOMAIN, __FILE__, __LINE__, G_STRFUNC, NULL); } while (0) |
| |
x /usr/include/glib-2.0/glib/gmacros.h |
| |
160 | # define G_STRFUNC ((const char*) (__PRETTY_FUNCTION__)) |
| |
|
| 490 | | | return; |
| 491 | | | } |
| 492 | | | |
| 493 | | | ff_path = get_persconffile_path(ff_name, TRUE, TRUE); |
Event 2:
!0 evaluates to true.
Event 3:
!0 evaluates to true.
|
|
| 494 | | | |
| 495 | | | |
| 496 | | | |
| 497 | | | |
| 498 | | | ff_path_new = g_strdup_printf("%s.new", ff_path); |
| 499 | | | |
| 500 | | | if ((ff = ws_fopen(ff_path_new, "w")) == NULL) { |
Event 6:
ff_path_new, which evaluates to g_strdup_printf(...) from filters.c:498, is passed to fopen() as the first argument. See related event 5.
Event 7:
fopen() accesses the file named ff_path_new, where ff_path_new is g_strdup_printf(...) from filters.c:498. The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
See related event 6.
Event 8:
Skipping " if". (ff = fopen(...)) == (void *)0 evaluates to false.
|
|
| 501 | | | *pref_path_return = ff_path; |
| 502 | | | *errno_return = errno; |
| 503 | | | g_free(ff_path_new); |
| 504 | | | return; |
| 505 | | | } |
| 506 | | | flpp = g_list_first(fl); |
| 507 | | | while (flpp) { |
Event 10:
Leaving loop. flpp evaluates to false.
|
|
| 508 | | | filt = (filter_def *) flpp->data; |
| 509 | | | |
| 510 | | | |
| 511 | | | |
| 512 | | | putc('"', ff); |
| 513 | | | for (p = (guchar *)filt->name; (c = *p) != '\0'; p++) { |
| 514 | | | if (c == '"' || c == '\\') |
| 515 | | | putc('\\', ff); |
| 516 | | | putc(c, ff); |
| 517 | | | } |
| 518 | | | putc('"', ff); |
| 519 | | | |
| 520 | | | |
| 521 | | | putc(' ', ff); |
| 522 | | | |
| 523 | | | |
| 524 | | | fprintf(ff, "%s\n", filt->strval); |
| 525 | | | if (ferror(ff)) { |
| 526 | | | *pref_path_return = ff_path; |
| 527 | | | *errno_return = errno; |
| 528 | | | fclose(ff); |
| 529 | | | ws_unlink(ff_path_new); |
| 530 | | | g_free(ff_path_new); |
| 531 | | | return; |
| 532 | | | } |
| 533 | | | flpp = flpp->next; |
| 534 | | | } |
| 535 | | | if (fclose(ff) == EOF) { |
Event 11:
Skipping " if". fclose(ff) == -1 evaluates to false.
|
|
| 536 | | | *pref_path_return = ff_path; |
| 537 | | | *errno_return = errno; |
| 538 | | | ws_unlink(ff_path_new); |
| 539 | | | g_free(ff_path_new); |
| 540 | | | return; |
| 541 | | | } |
| 542 | | | |
| 543 | | | #ifdef _WIN32 |
| 544 | | | |
| 545 | | | |
| 546 | | | |
| 547 | | | |
| 548 | | | if (ws_remove(ff_path) < 0 && errno != ENOENT) { |
| 549 | | | |
| 550 | | | |
| 551 | | | |
| 552 | | | *pref_path_return = ff_path; |
| 553 | | | *errno_return = errno; |
| 554 | | | ws_unlink(ff_path_new); |
| 555 | | | g_free(ff_path_new); |
| 556 | | | return; |
| 557 | | | } |
| 558 | | | #endif |
| 559 | | | |
| 560 | | | if (ws_rename(ff_path_new, ff_path) < 0) { |
Event 12:
ff_path_new, which evaluates to g_strdup_printf(...) from filters.c:498, is passed to rename() as the first argument. See related events 5 and 6.
File System Race Condition
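The file named ff_path_new is accessed again by name. Another process may have changed which file that name refers to since the access at filters.c:500. For example, an attacker could replace the original file with a link to a file containing important or confidential data. ff_path_new evaluates to g_strdup_printf(...) from filters.c:498, that is, ff_path with the fixed suffix ".new" appended, so the temporary name is predictable.
The issue can occur if the highlighted code executes. See related events 7 and 12. When triaging, note that the race requires another principal to have write access to the directory that holds ff_path_new. That is the directory of the path returned by get_persconffile_path() at filters.c:493, presumably the user's personal configuration directory, so its ownership and permissions should be confirmed. Writing to a temporary file and renaming it over the target is itself the usual way to replace a file atomically. The weak point is opening a predictable name with mode "w", which exclusive creation of the temporary file (for example mkstemp() in the same directory) avoids.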
|
| |