(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/index/maildir/maildir-storage.c) |
| |
| 769 | | | maildir_list_delete_mailbox(struct mailbox_list *list, const char *name) |
| 770 | | | { |
| 771 | | | struct maildir_storage *storage = MAILDIR_LIST_CONTEXT(list);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/module-context.h |
| |
46 | #define MODULE_CONTEXT(obj, id_ctx) \ |
47 | (*((void **)array_idx_modifiable(&(obj)->module_contexts, \ |
48 | (id_ctx).id.module_id) + \ |
49 | OBJ_REGISTER_COMPATIBLE(obj, id_ctx))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
179 | #define array_idx_modifiable(array, idx) \ |
180 | ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
181 | array_idx_modifiable_i(&(array)->arr, idx) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
45 | # define ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
46 | (typeof(*(array)->v_modifiable)) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/module-context.h |
| |
43 | #define OBJ_REGISTER_COMPATIBLE(obj, id_ctx) \ |
44 | COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(OBJ_REGISTER(obj), (id_ctx).reg) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
158 | # define COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(_a, _b) \ |
159 | COMPILE_ERROR_IF_TRUE( \ |
160 | !__builtin_types_compatible_p(typeof(_a), typeof(_b))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
156 | # define COMPILE_ERROR_IF_TRUE(condition) \ |
157 | (sizeof(char[1 - 2 * !!(condition)]) - 1) |
| |
|
| 772 | | | struct stat st; |
| 773 | | | const char *src, *dest, *base; |
| 774 | | | int count; |
| 775 | | | |
| 776 | | | |
| 777 | | | |
| 778 | | | |
| 779 | | | |
| 780 | | | index_storage_destroy_unrefed(); |
| 781 | | | |
| 782 | | | |
| 783 | | | if (storage->list_module_ctx.super.delete_mailbox(list, name) < 0) |
Event 1:
Skipping " if". storage->list_module_ctx.super.delete_mailbox(...) < 0 evaluates to false.
|
|
| 784 | | | return -1; |
| 785 | | | |
| 786 | | | |
| 787 | [+] | | src = mailbox_list_get_path(list, name, MAILBOX_LIST_PATH_TYPE_MAILBOX); |
 |
| 788 | | | if (lstat(src, &st) != 0 && errno == ENOENT) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
|
Event 4:
src, which evaluates to list->v.get_path(...) from mailbox-list.c:446, is passed to lstat64() as the first argument. See related event 3.
Event 5:
lstat64() accesses the file named src, where src is list->v.get_path(...) from mailbox-list.c:446. - The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
See related event 4.
Event 6:
Skipping " if". lstat(src, &st) != 0 evaluates to false.
|
|
| 789 | | | mailbox_list_set_error(list, MAIL_ERROR_NOTFOUND, |
| 790 | | | T_MAIL_ERR_MAILBOX_NOT_FOUND(name));
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/mail-error.h |
| |
19 | #define T_MAIL_ERR_MAILBOX_NOT_FOUND(name) \ |
20 | t_strdup_printf(MAIL_ERRSTR_MAILBOX_NOT_FOUND, name) |
| |
|
| 791 | | | return -1; |
| 792 | | | } |
| 793 | | | |
| 794 | | | if (!S_ISDIR(st.st_mode)) {
x /usr/include/sys/stat.h |
| |
131 | #define S_ISDIR(mode) __S_ISTYPE((mode), __S_IFDIR) |
| |
x /usr/include/sys/stat.h |
| |
129 | #define __S_ISTYPE(mode, mask) (((mode) & __S_IFMT) == (mask)) |
| |
x /usr/include/bits/stat.h |
| |
182 | #define __S_IFMT 0170000 /* These bits determine file type. */ |
| |
x /usr/include/bits/stat.h |
| |
185 | #define __S_IFDIR 0040000 /* Directory. */ |
| |
|
Event 7:
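Taking true branch. !S_ISDIR(st.st_mode) is true because (st.st_mode & 61440) == 16384 evaluates to false, i.e. the lstat() result at line 788 says src is not a directory.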
|
|
| 795 | | | |
| 796 | | | if (unlink(src) < 0 && errno != ENOENT) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
|
Event 8:
src, which evaluates to list->v.get_path(...) from mailbox-list.c:446, is passed to unlink(). See related events 3 and 4.
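File System Race Condition
The file named src is accessed again. Another process may have changed the file since the access at maildir-storage.c:788. For example, an attacker could replace the original file with a link to a file containing important or confidential data. Note that unlink() removes the directory entry itself and does not follow a symbolic link in the final path component, so the practical exposure is that the lstat() result is stale (the entry's type may have changed) or that a parent directory in the path was swapped between the two calls; resolving the parent directory once and operating relative to that descriptor (e.g. unlinkat()) narrows the window. The issue can occur if the highlighted code executes. See related events 5 and 8.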
|
| |