(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/list/mailbox-list-fs.c) |
| |
| 302 | | | static int fs_list_rename_mailbox(struct mailbox_list *list, |
| 303 | | | const char *oldname, const char *newname) |
| 304 | | | { |
| 305 | | | const char *oldpath, *newpath, *p, *origin; |
| 306 | | | struct stat st; |
| 307 | | | mode_t mode; |
| 308 | | | gid_t gid; |
| 309 | | | |
| 310 | | | oldpath = mailbox_list_get_path(list, oldname, |
| 311 | | | MAILBOX_LIST_PATH_TYPE_DIR); |
| 312 | | | newpath = mailbox_list_get_path(list, newname, |
Event 2:
newpath is set to mailbox_list_get_path(...), which evaluates to list->v.get_path(...) from mailbox-list.c:446. See related event 1.
|
|
| 313 | [+] | | MAILBOX_LIST_PATH_TYPE_DIR); |
 |
| 314 | | | |
| 315 | | | |
| 316 | | | p = strrchr(newpath, '/'); |
| 317 | | | if (p != NULL) { |
Event 3:
Skipping the "if" body. p != (void *)0 evaluates to false, i.e. strrchr() found no '/' in newpath on this path.
|
|
| 318 | | | mailbox_list_get_dir_permissions(list, NULL, &mode, |
| 319 | | | &gid, &origin); |
| 320 | | | p = t_strdup_until(newpath, p); |
| 321 | | | if (mkdir_parents_chgrp(p, mode, gid, origin) < 0 && |
| 322 | | | errno != EEXIST) { |
| 323 | | | if (mailbox_list_set_error_from_errno(list)) |
| 324 | | | return -1; |
| 325 | | | |
| 326 | | | mailbox_list_set_critical(list, |
| 327 | | | "mkdir_parents(%s) failed: %m", p); |
| 328 | | | return -1; |
| 329 | | | } |
| 330 | | | } |
| 331 | | | |
| 332 | | | |
| 333 | | | |
| 334 | | | |
| 335 | | | |
| 336 | | | if (lstat(newpath, &st) == 0) { |
Event 4:
newpath, which evaluates to list->v.get_path(...) from mailbox-list.c:446, is passed to lstat64() as the first argument. See related event 2.
Event 5:
lstat64() accesses the file named newpath, where newpath is list->v.get_path(...) from mailbox-list.c:446. The same name is used to access a file later (rename() at line 357), but it is not safe to assume that the name will still refer to the same underlying file.
See related event 4.
Event 6:
Taking false branch. lstat(newpath, &st) == 0 evaluates to false.
|
|
| 337 | | | mailbox_list_set_error(list, MAIL_ERROR_EXISTS, |
| 338 | | | "Target mailbox already exists"); |
| 339 | | | return -1; |
| 340 | | | } else if (errno == ENOTDIR) {
x /usr/include/asm-generic/errno-base.h |
| |
23 | #define ENOTDIR 20 /* Not a directory */ |
| |
|
Event 7:
Taking false branch. errno == 20 evaluates to false.
|
|
| 341 | | | mailbox_list_set_error(list, MAIL_ERROR_NOTPOSSIBLE, |
| 342 | | | "Target mailbox doesn't allow inferior mailboxes"); |
| 343 | | | return -1; |
| 344 | | | } else if (errno != ENOENT && errno != EACCES) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
x /usr/include/asm-generic/errno-base.h |
| |
16 | #define EACCES 13 /* Permission denied */ |
| |
|
Event 8:
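Skipping the "if" body. errno != 2 evaluates to false, i.e. errno is ENOENT (2): lstat() reported that newpath did not exist at the time of the check.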
|
|
| 345 | | | mailbox_list_set_critical(list, "lstat(%s) failed: %m", |
| 346 | | | newpath); |
| 347 | | | return -1; |
| 348 | | | } |
| 349 | | | |
| 350 | | | if (list->v.rename_mailbox_pre != NULL) { |
Event 9:
Skipping the "if" body. list->v.rename_mailbox_pre != (void *)0 evaluates to false.
|
|
| 351 | | | if (list->v.rename_mailbox_pre(list, oldname, newname) < 0) |
| 352 | | | return -1; |
| 353 | | | } |
| 354 | | | |
| 355 | | | |
| 356 | | | |
| 357 | | | if (rename(oldpath, newpath) < 0) { |
Event 10:
newpath, which evaluates to list->v.get_path(...) from mailbox-list.c:446, is passed to rename() as the second argument. See related events 2 and 4.
File System Race Condition
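The file named newpath is accessed again, by name. Another process may have changed what that name refers to since the lstat() check at mailbox-list-fs.c:336, so the result of that check (on this path, "target does not exist") is no longer guaranteed to hold when rename() runs at line 357. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The check and the rename are two separate system calls, so the lstat() result is advisory only. Whether this is reachable in practice depends on who else can write to the parent directory of newpath. Where the "must not already exist" guarantee matters, it has to come from an operation that checks and acts atomically (on Linux, for instance, renameat2() with RENAME_NOREPLACE) or from directory permissions that exclude other writers. The issue can occur if the highlighted code executes. See related events 5 and 10.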
|
| |