(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/index/mbox/mbox-storage.c) |
| |
| 919 | | | static int mbox_list_delete_mailbox(struct mailbox_list *list, |
| 920 | | | const char *name) |
| 921 | | | { |
| 922 | | | struct mbox_storage *storage = MBOX_LIST_CONTEXT(list);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/module-context.h |
| |
46 | #define MODULE_CONTEXT(obj, id_ctx) \ |
47 | (*((void **)array_idx_modifiable(&(obj)->module_contexts, \ |
48 | (id_ctx).id.module_id) + \ |
49 | OBJ_REGISTER_COMPATIBLE(obj, id_ctx))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
179 | #define array_idx_modifiable(array, idx) \ |
180 | ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
181 | array_idx_modifiable_i(&(array)->arr, idx) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
45 | # define ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
46 | (typeof(*(array)->v_modifiable)) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/module-context.h |
| |
43 | #define OBJ_REGISTER_COMPATIBLE(obj, id_ctx) \ |
44 | COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(OBJ_REGISTER(obj), (id_ctx).reg) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
158 | # define COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(_a, _b) \ |
159 | COMPILE_ERROR_IF_TRUE( \ |
160 | !__builtin_types_compatible_p(typeof(_a), typeof(_b))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
156 | # define COMPILE_ERROR_IF_TRUE(condition) \ |
157 | (sizeof(char[1 - 2 * !!(condition)]) - 1) |
| |
|
| 923 | | | struct stat st; |
| 924 | | | const char *path, *index_dir; |
| 925 | | | |
| 926 | | | path = mailbox_list_get_path(list, name, |
Event 2:
path is set to mailbox_list_get_path(...), which evaluates to list->v.get_path(...) from mailbox-list.c:446. See related event 1.
hide
|
|
| 927 | [+] | | MAILBOX_LIST_PATH_TYPE_MAILBOX); |
 |
| 928 | | | if (lstat(path, &st) < 0) { |
Event 3:
path, which evaluates to list->v.get_path(...) from mailbox-list.c:446, is passed to lstat64() as the first argument. See related event 2.
hide
Event 4:
lstat64() accesses the file named path, where path is list->v.get_path(...) from mailbox-list.c:446. - The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
See related event 3.
hide
Event 5:
Skipping " if". lstat(path, &st) < 0 evaluates to false.
hide
|
|
| 929 | | | if (ENOTFOUND(errno)) {
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/compat.h |
| |
246 | #define ENOTFOUND(errno) \ |
247 | ((errno) == ENOENT || (errno) == ENOTDIR || (errno) == ELOOP) |
| |
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
x /usr/include/asm-generic/errno-base.h |
| |
23 | #define ENOTDIR 20 /* Not a directory */ |
| |
x /usr/include/asm-generic/errno.h |
| |
11 | #define ELOOP 40 /* Too many symbolic links encountered */ |
| |
|
| 930 | | | mailbox_list_set_error(list, MAIL_ERROR_NOTFOUND, |
| 931 | | | T_MAIL_ERR_MAILBOX_NOT_FOUND(name));
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/mail-error.h |
| |
19 | #define T_MAIL_ERR_MAILBOX_NOT_FOUND(name) \ |
20 | t_strdup_printf(MAIL_ERRSTR_MAILBOX_NOT_FOUND, name) |
| |
|
| 932 | | | } else if (!mailbox_list_set_error_from_errno(list)) { |
| 933 | | | mailbox_list_set_critical(list, |
| 934 | | | "lstat() failed for %s: %m", path); |
| 935 | | | } |
| 936 | | | return -1; |
| 937 | | | } |
| 938 | | | |
| 939 | | | if (S_ISDIR(st.st_mode)) {
x /usr/include/sys/stat.h |
| |
131 | #define S_ISDIR(mode) __S_ISTYPE((mode), __S_IFDIR) |
| |
x /usr/include/sys/stat.h |
| |
129 | #define __S_ISTYPE(mode, mask) (((mode) & __S_IFMT) == (mask)) |
| |
x /usr/include/bits/stat.h |
| |
182 | #define __S_IFMT 0170000 /* These bits determine file type. */ |
| |
x /usr/include/bits/stat.h |
| |
185 | #define __S_IFDIR 0040000 /* Directory. */ |
| |
|
Event 6:
Taking true branch. (st.st_mode & 61440) == 16384 evaluates to true.
hide
|
|
| 940 | | | |
| 941 | | | |
| 942 | | | |
| 943 | | | index_dir = mailbox_list_get_path(list, name, |
| 944 | | | MAILBOX_LIST_PATH_TYPE_MAILBOX); |
| 945 | | | index_dir = *index_dir == '\0' ? "" : |
Event 7:
*index_dir == 0 evaluates to true.
hide
|
|
| 946 | | | t_strconcat(index_dir, "/"MBOX_INDEX_DIR_NAME, NULL); |
| 947 | | | |
| 948 | | | if (*index_dir != '\0' && rmdir(index_dir) < 0 && |
Event 8:
Skipping " if". *index_dir != 0 evaluates to false.
hide
|
|
| 949 | | | !ENOTFOUND(errno) && errno != ENOTEMPTY) {
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/compat.h |
| |
246 | #define ENOTFOUND(errno) \ |
247 | ((errno) == ENOENT || (errno) == ENOTDIR || (errno) == ELOOP) |
| |
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
x /usr/include/asm-generic/errno-base.h |
| |
23 | #define ENOTDIR 20 /* Not a directory */ |
| |
x /usr/include/asm-generic/errno.h |
| |
11 | #define ELOOP 40 /* Too many symbolic links encountered */ |
| |
x /usr/include/asm-generic/errno.h |
| |
10 | #define ENOTEMPTY 39 /* Directory not empty */ |
| |
|
| 950 | | | if (!mailbox_list_set_error_from_errno(list)) { |
| 951 | | | mailbox_list_set_critical(list, |
| 952 | | | "rmdir() failed for %s: %m", index_dir); |
| 953 | | | } |
| 954 | | | return -1; |
| 955 | | | } |
| 956 | | | |
| 957 | | | if (rmdir(path) == 0) |
Event 9:
path, which evaluates to list->v.get_path(...) from mailbox-list.c:446, is passed to rmdir(). See related events 2 and 3.
hide
File System Race Condition
The file named path is accessed again. Another process may have changed the file since the access at mbox-storage.c:928. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The issue can occur if the highlighted code executes. See related events 4 and 9. Show: All events | Only primary events |
|
| |