(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/plugins/virtual/virtual-storage.c) |
| |
| 387 | | | virtual_delete_nonrecursive(struct mailbox_list *list, const char *path, |
| 388 | | | const char *name) |
| 389 | | | { |
| 390 | | | DIR *dir; |
| 391 | | | struct dirent *d; |
| 392 | | | string_t *full_path; |
| 393 | | | unsigned int dir_len; |
| 394 | | | bool unlinked_something = FALSE; |
| 395 | | | |
| 396 | | | dir = opendir(path); |
Event 1:
path is passed to opendir().
Event 2:
opendir() accesses the file named path. The same name is used to access a file again later, but it is not safe to assume that it will still refer to the same underlying file.
See related event 1.
|
|
| 397 | | | if (dir == NULL) { |
Event 3:
Skipping " if". dir == (void *)0 evaluates to false.
|
|
| 398 | | | if (!mailbox_list_set_error_from_errno(list)) { |
| 399 | | | mailbox_list_set_critical(list, |
| 400 | | | "opendir(%s) failed: %m", path); |
| 401 | | | } |
| 402 | | | return -1; |
| 403 | | | } |
| 404 | | | |
| 405 | | | full_path = t_str_new(256); |
| 406 | | | str_append(full_path, path); |
| 407 | | | str_append_c(full_path, '/'); |
| 408 | | | dir_len = str_len(full_path); |
| 409 | | | |
| 410 | | | errno = 0; |
| 411 | | | while ((d = readdir(dir)) != NULL) { |
| 412 | | | if (d->d_name[0] == '.') { |
| 413 | | | |
| 414 | | | if (d->d_name[1] == '\0') |
| 415 | | | continue; |
| 416 | | | if (d->d_name[1] == '.' && d->d_name[2] == '\0') |
| 417 | | | continue; |
| 418 | | | } |
| 419 | | | |
| 420 | | | str_truncate(full_path, dir_len); |
| 421 | | | str_append(full_path, d->d_name); |
| 422 | | | |
| 423 | | | |
| 424 | | | |
| 425 | | | |
| 426 | | | if (unlink(str_c(full_path)) == 0) |
| 427 | | | unlinked_something = TRUE; |
| 428 | | | else if (errno != ENOENT && errno != EISDIR && errno != EPERM) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
x /usr/include/asm-generic/errno-base.h |
| |
24 | #define EISDIR 21 /* Is a directory */ |
| |
x /usr/include/asm-generic/errno-base.h |
| |
4 | #define EPERM 1 /* Operation not permitted */ |
| |
|
| 429 | | | mailbox_list_set_critical(list, |
| 430 | | | "unlink(%s) failed: %m", |
| 431 | | | str_c(full_path)); |
| 432 | | | } |
| 433 | | | } |
| 434 | | | |
| 435 | | | if (closedir(dir) < 0) { |
Event 6:
Skipping " if". closedir(dir) < 0 evaluates to false.
|
|
| 436 | | | mailbox_list_set_critical(list, "closedir(%s) failed: %m", |
| 437 | | | path); |
| 438 | | | } |
| 439 | | | |
| 440 | | | if (rmdir(path) == 0) |
Event 7:
path is passed to rmdir().
File System Race Condition
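The file named path is accessed again by name, so it may no longer be the object that was opened at virtual-storage.c:396: another process may have changed it in between. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The issue can occur if the highlighted code executes. See related events 2 and 7. The same re-resolution by name applies to the unlink() calls at line 426, whose argument is built from path rather than from the directory stream returned by opendir(). Resolving entries relative to that stream (dirfd() with unlinkat()) would keep the deletions tied to the directory that was actually opened. Whether the race is reachable depends on who can write to the parent directories of path, which this listing does not show.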
|
| |