(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/index/index-storage.c) |
| |
| 113 | | | static const char * |
| 114 | | | get_index_dir(struct mail_storage *storage, const char *name, |
| 115 | | | enum mailbox_open_flags flags, struct stat *st_r) |
| 116 | | | { |
| 117 | | | const char *index_dir; |
| 118 | | | |
| 119 | | | index_dir = (flags & MAILBOX_OPEN_NO_INDEX_FILES) != 0 ? "" : |
Event 1:
(flags & MAILBOX_OPEN_NO_INDEX_FILES) != 0 evaluates to false.
Event 3:
index_dir is set to (flags & MAILBOX_OPEN_NO_INDEX_FILES) != 0 ? "" : mailbox_list_get_path(...), which evaluates to list->v.get_path(...) from mailbox-list.c:446. See related event 2.
|
|
| 120 | | | mailbox_list_get_path(storage->list, name, |
| 121 | | | MAILBOX_LIST_PATH_TYPE_INDEX); |
 |
| 122 | | | if (*index_dir == '\0') { |
Event 4:
Skipping " if". *index_dir == 0 evaluates to false.
|
|
| 123 | | | |
| 124 | | | return NULL; |
| 125 | | | } |
| 126 | | | |
| 127 | | | if (stat(index_dir, st_r) < 0) { |
Event 5:
index_dir, which evaluates to list->v.get_path(...) from mailbox-list.c:446, is passed to stat64() as the first argument. See related event 3.
Event 6:
stat64() accesses the file named index_dir, where index_dir is list->v.get_path(...) from mailbox-list.c:446. - The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
See related event 5.
Event 7:
Taking true branch. stat(index_dir, st_r) < 0 evaluates to true.
|
|
| 128 | | | if (errno == ENOENT) {
/usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
|
Event 8:
Taking true branch. errno == 2 evaluates to true.
|
|
| 129 | | | |
| 130 | | | if (create_index_dir(storage, name) < 0) |
 |
| 131 | | | return NULL; |
| 132 | | | if (stat(index_dir, st_r) == 0) |
Event 11:
index_dir, which evaluates to list->v.get_path(...) from mailbox-list.c:446, is passed to stat64() as the first argument. See related event 3.
File System Race Condition
The file named index_dir is accessed again. Another process may have changed the file since the access at index-storage.c:127. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The issue can occur if the highlighted code executes. See related events 6 and 11.
|
| |