(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/index/dbox/dbox-file.c) |
| |
| 1218 | | | int dbox_file_move(struct dbox_file *file, bool alt_path) |
| 1219 | | | { |
| 1220 | | | struct ostream *output; |
| 1221 | | | const char *dest_dir, *temp_path, *dest_path; |
| 1222 | | | struct stat st; |
| 1223 | | | bool deleted; |
| 1224 | | | int out_fd, ret = 0; |
| 1225 | | | |
| 1226 | | | i_assert(file->input != NULL);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
Event 1:
Skipping " if". file->input != (void *)0 evaluates to true.
Event 2:
Skipping " if". !(file->input != (void *)0) evaluates to false.
Event 3:
Skipping " if". !!(file->input != (void *)0) evaluates to true.
Event 4:
Skipping " if". !!!(file->input != (void *)0) evaluates to false.
Event 5:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 1227 | | | |
| 1228 | | | if (file->alt_path == alt_path) |
Event 6:
Skipping " if". file->alt_path == alt_path evaluates to false.
|
|
| 1229 | | | return 0; |
| 1230 | | | |
| 1231 | | | if (stat(file->current_path, &st) < 0 && errno == ENOENT) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
|
Event 7:
Skipping " if". stat(...) < 0 evaluates to false.
|
|
| 1232 | | | |
| 1233 | | | return 0; |
| 1234 | | | } |
| 1235 | | | |
| 1236 | | | dest_dir = alt_path ? file->mbox->alt_path : file->mbox->path; |
Event 8:
alt_path evaluates to false.
|
|
| 1237 | | | temp_path = t_strdup_printf("%s/%s", dest_dir, |
| 1238 | | | dbox_generate_tmp_filename()); |
| 1239 | | | |
| 1240 | | | |
| 1241 | | | |
| 1242 | | | out_fd = open(temp_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
x /usr/include/bits/fcntl.h |
| |
38 | #define O_CREAT 0100 /* not fcntl */ |
| |
x /usr/include/bits/fcntl.h |
| |
41 | #define O_TRUNC 01000 /* not fcntl */ |
| |
|
| 1243 | | | if (out_fd == -1 && errno == ENOENT) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
|
Event 10:
Skipping " if". out_fd == -1 evaluates to false.
|
|
| 1244 | | | if (mkdir_parents(dest_dir, 0700) < 0 && errno != EEXIST) { |
| 1245 | | | i_error("mkdir_parents(%s) failed: %m", dest_dir); |
| 1246 | | | return -1; |
| 1247 | | | } |
| 1248 | | | out_fd = open(temp_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
x /usr/include/bits/fcntl.h |
| |
38 | #define O_CREAT 0100 /* not fcntl */ |
| |
x /usr/include/bits/fcntl.h |
| |
41 | #define O_TRUNC 01000 /* not fcntl */ |
| |
|
| 1249 | | | } |
| 1250 | | | if (out_fd == -1) { |
Event 11:
Skipping " if". out_fd == -1 evaluates to false.
|
|
| 1251 | | | i_error("open(%s, O_CREAT) failed: %m", temp_path); |
| 1252 | | | return -1; |
| 1253 | | | } |
| 1254 | | | output = o_stream_create_fd_file(out_fd, 0, FALSE); |
| 1255 | | | i_stream_seek(file->input, 0); |
| 1256 | | | while ((ret = o_stream_send_istream(output, file->input)) > 0) ; |
| 1257 | | | if (ret == 0) |
Event 13:
Taking true branch. ret == 0 evaluates to true.
|
|
| 1258 | [+] | | ret = o_stream_flush(output); |
 |
| 1259 | | | if (output->stream_errno != 0) { |
Event 21:
Taking false branch. output->stream_errno != 0 evaluates to false.
|
|
| 1260 | | | errno = output->stream_errno; |
| 1261 | | | i_error("write(%s) failed: %m", temp_path); |
| 1262 | | | ret = -1; |
| 1263 | | | } else if (file->input->stream_errno != 0) { |
Event 22:
Taking false branch. file->input->stream_errno != 0 evaluates to false.
|
|
| 1264 | | | errno = file->input->stream_errno; |
| 1265 | | | i_error("read(%s) failed: %m", file->current_path); |
| 1266 | | | ret = -1; |
| 1267 | | | } else if (ret < 0) { |
Event 23:
Skipping " if". ret < 0 evaluates to false.
|
|
| 1268 | | | i_error("o_stream_send_istream(%s, %s) " |
| 1269 | | | "failed with unknown error", |
| 1270 | | | temp_path, file->current_path); |
| 1271 | | | } |
| 1272 | | | o_stream_unref(&output); |
| 1273 | | | |
| 1274 | | | if (!file->mbox->ibox.fsync_disable && ret == 0) { |
Event 24:
Skipping " if". - file->mbox->ibox.fsync_disable evaluates to false.
- ret == 0 evaluates to false.
|
|
| 1275 | | | if (fsync(out_fd) < 0) { |
| 1276 | | | i_error("fsync(%s) failed: %m", temp_path); |
| 1277 | | | ret = -1; |
| 1278 | | | } |
| 1279 | | | } |
| 1280 | | | if (close(out_fd) < 0) { |
Event 25:
Skipping " if". close(out_fd) < 0 evaluates to false.
|
|
| 1281 | | | i_error("close(%s) failed: %m", temp_path); |
| 1282 | | | ret = -1; |
| 1283 | | | } |
| 1284 | | | if (ret < 0) { |
Event 26:
Skipping " if". ret < 0 evaluates to false.
|
|
| 1285 | | | (void)unlink(temp_path); |
| 1286 | | | return -1; |
| 1287 | | | } |
| 1288 | | | |
| 1289 | | | |
| 1290 | | | |
| 1291 | | | |
| 1292 | [+] | | dest_path = t_strdup_printf("%s/%s", dest_dir, file->fname); |
 |
| 1293 | | | if (rename(temp_path, dest_path) < 0) { |
Event 58:
dest_path, which evaluates to the value assigned to ret at data-stack.c:335, is passed to rename() as the second argument. See related event 57.
Event 59:
rename() accesses the file named dest_path, where dest_path is the value assigned to ret at data-stack.c:335. - The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
See related event 58.
Event 60:
Skipping " if". rename(...) < 0 evaluates to false.
|
|
| 1294 | | | i_error("rename(%s, %s) failed: %m", temp_path, dest_path); |
| 1295 | | | (void)unlink(temp_path); |
| 1296 | | | return -1; |
| 1297 | | | } |
| 1298 | | | if (!file->mbox->ibox.fsync_disable) { |
Event 61:
Taking true branch. file->mbox->ibox.fsync_disable evaluates to false.
|
|
| 1299 | [+] | | if (fdatasync_path(dest_dir) < 0) { |
 |
| 1300 | | | i_error("fdatasync(%s) failed: %m", dest_dir); |
| 1301 | | | (void)unlink(dest_path); |
Event 65:
dest_path, which evaluates to the value assigned to ret at data-stack.c:335, is passed to unlink(). See related event 57.
File System Race Condition
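The file named dest_path is accessed again. Another process may have changed the file since the access at dbox-file.c:1293. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The issue can occur if the highlighted code executes. See related events 59 and 65. When triaging this warning, note that unlink() removes the directory entry itself and does not follow a symbolic link in the final path component, so the practical exposure depends on whether an untrusted process can modify dest_dir or one of its parent directories between the rename() at line 1293 and the unlink() at line 1301. Confirming that these directories are writable only by the mail user, or performing both operations relative to an already-open directory descriptor, closes that window.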
|
| |