(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/index/dbox/dbox-storage.c) |
| |
| 448 | | | dbox_list_delete_mailbox(struct mailbox_list *list, const char *name) |
| 449 | | | { |
| 450 | | | struct dbox_storage *storage = DBOX_LIST_CONTEXT(list);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/module-context.h |
| |
46 | #define MODULE_CONTEXT(obj, id_ctx) \ |
47 | (*((void **)array_idx_modifiable(&(obj)->module_contexts, \ |
48 | (id_ctx).id.module_id) + \ |
49 | OBJ_REGISTER_COMPATIBLE(obj, id_ctx))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
179 | #define array_idx_modifiable(array, idx) \ |
180 | ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
181 | array_idx_modifiable_i(&(array)->arr, idx) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
45 | # define ARRAY_TYPE_CAST_MODIFIABLE(array) \ |
46 | (typeof(*(array)->v_modifiable)) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/module-context.h |
| |
43 | #define OBJ_REGISTER_COMPATIBLE(obj, id_ctx) \ |
44 | COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(OBJ_REGISTER(obj), (id_ctx).reg) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
158 | # define COMPILE_ERROR_IF_TYPES_NOT_COMPATIBLE(_a, _b) \ |
159 | COMPILE_ERROR_IF_TRUE( \ |
160 | !__builtin_types_compatible_p(typeof(_a), typeof(_b))) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
156 | # define COMPILE_ERROR_IF_TRUE(condition) \ |
157 | (sizeof(char[1 - 2 * !!(condition)]) - 1) |
| |
|
| 451 | | | struct stat st; |
| 452 | | | const char *path, *alt_path; |
| 453 | | | bool deleted = FALSE; |
| 454 | | | int ret; |
| 455 | | | |
| 456 | | | |
| 457 | | | |
| 458 | | | |
| 459 | | | |
| 460 | | | index_storage_destroy_unrefed(); |
| 461 | | | |
| 462 | | | |
| 463 | | | if (storage->list_module_ctx.super.delete_mailbox(list, name) < 0) |
Event 1:
Skipping " if". storage->list_module_ctx.super.delete_mailbox(...) < 0 evaluates to false.
hide
|
|
| 464 | | | return -1; |
| 465 | | | |
| 466 | | | |
| 467 | | | path = mailbox_list_get_path(list, name, |
| 468 | | | MAILBOX_LIST_PATH_TYPE_MAILBOX); |
| 469 | | | if ((ret = dbox_delete_nonrecursive(list, path, name)) > 0) { |
Event 2:
Taking false branch. (ret = dbox_delete_nonrecursive(...)) > 0 evaluates to false.
hide
|
|
| 470 | | | |
| 471 | | | alt_path = dbox_get_alt_path(storage, path); |
| 472 | | | if (alt_path != NULL) { |
| 473 | | | if (dbox_delete_nonrecursive(list, alt_path, name) < 0) |
| 474 | | | return -1; |
| 475 | | | } |
| 476 | | | if (*list->set.maildir_name == '\0') { |
| 477 | | | |
| 478 | | | |
| 479 | | | return 0; |
| 480 | | | } |
| 481 | | | |
| 482 | | | deleted = TRUE; |
| 483 | | | path = mailbox_list_get_path(list, name, |
| 484 | | | MAILBOX_LIST_PATH_TYPE_DIR); |
| 485 | | | } else if (errno != ENOENT) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
|
Event 3:
Taking false branch. errno != 2 evaluates to false.
hide
|
|
| 486 | | | mailbox_list_set_critical(list, "stat(%s) failed: %m", path); |
| 487 | | | return -1; |
| 488 | | | } else { |
| 489 | | | |
| 490 | | | path = mailbox_list_get_path(list, name, |
Event 5:
path is set to mailbox_list_get_path(...), which evaluates to list->v.get_path(...) from mailbox-list.c:446. See related event 4.
hide
|
|
| 491 | [+] | | MAILBOX_LIST_PATH_TYPE_DIR); |
 |
| 492 | | | if (stat(path, &st) == 0) { |
Event 6:
path, which evaluates to list->v.get_path(...) from mailbox-list.c:446, is passed to stat64() as the first argument. See related event 5.
hide
Event 7:
stat64() accesses the file named path, where path is list->v.get_path(...) from mailbox-list.c:446. - The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
See related event 6.
hide
Event 8:
Skipping " if". stat(path, &st) == 0 evaluates to true.
hide
|
|
| 493 | | | |
| 494 | | | } else if (errno == ENOENT) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
|
| 495 | | | mailbox_list_set_error(list, MAIL_ERROR_NOTFOUND, |
| 496 | | | T_MAIL_ERR_MAILBOX_NOT_FOUND(name));
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/mail-error.h |
| |
19 | #define T_MAIL_ERR_MAILBOX_NOT_FOUND(name) \ |
20 | t_strdup_printf(MAIL_ERRSTR_MAILBOX_NOT_FOUND, name) |
| |
|
| 497 | | | return -1; |
| 498 | | | } else if (!mailbox_list_set_error_from_errno(list)) { |
| 499 | | | mailbox_list_set_critical(list, "stat(%s) failed: %m", |
| 500 | | | path); |
| 501 | | | return -1; |
| 502 | | | } |
| 503 | | | } |
| 504 | | | |
| 505 | | | alt_path = dbox_get_alt_path(storage, path); |
| 506 | | | if (alt_path != NULL) |
Event 9:
Skipping " if". alt_path != (void *)0 evaluates to false.
hide
|
|
| 507 | | | (void)rmdir(alt_path); |
| 508 | | | |
| 509 | | | if (rmdir(path) == 0) |
Event 10:
path, which evaluates to list->v.get_path(...) from mailbox-list.c:446, is passed to rmdir(). See related events 5 and 6.
hide
File System Race Condition
The file named path is accessed again. Another process may have changed the file since the access at dbox-storage.c:492. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The issue can occur if the highlighted code executes. See related events 7 and 10. Show: All events | Only primary events |
|
| |