(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/index/maildir/maildir-save.c) |
| |
| 435 | | | static int maildir_save_finish_real(struct mail_save_context *_ctx) |
| 436 | | | { |
| 437 | | | struct maildir_save_context *ctx = (struct maildir_save_context *)_ctx; |
| 438 | | | struct mail_storage *storage = &ctx->mbox->storage->storage; |
| 439 | | | struct utimbuf buf; |
| 440 | | | struct stat st; |
| 441 | | | const char *path; |
| 442 | | | int output_errno; |
| 443 | | | |
| 444 | | | ctx->finished = TRUE; |
Event 1:
!0 evaluates to true.
hide
|
|
| 445 | | | if (ctx->failed && ctx->fd == -1) { |
Event 2:
Skipping " if". - ctx->failed evaluates to true.
- ctx->fd == -1 evaluates to false.
hide
|
|
| 446 | | | |
| 447 | | | return -1; |
| 448 | | | } |
| 449 | | | |
| 450 | [+] | | path = t_strconcat(ctx->tmpdir, "/", ctx->file_last->basename, NULL); |
 |
| 451 | [+] | | if (o_stream_flush(_ctx->output) < 0) { |
 |
| 452 | | | if (!mail_storage_set_error_from_errno(storage)) { |
| 453 | | | mail_storage_set_critical(storage, |
| 454 | | | "o_stream_flush(%s) failed: %m", path); |
| 455 | | | } |
| 456 | | | ctx->failed = TRUE; |
| 457 | | | } |
| 458 | | | |
| 459 | | | if (ctx->ctx.received_date != (time_t)-1) { |
Event 43:
Taking true branch. ctx->ctx.received_date != (time_t)-1 evaluates to true.
hide
|
|
| 460 | | | |
| 461 | | | buf.actime = ioloop_time; |
| 462 | | | buf.modtime = ctx->ctx.received_date; |
| 463 | | | |
| 464 | | | if (utime(path, &buf) < 0) { |
Event 44:
path, which evaluates to the value assigned to ret at data-stack.c:335, is passed to utime() as the first argument. See related event 34.
hide
Event 45:
utime() accesses the file named path, where path is the value assigned to ret at data-stack.c:335. - The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
See related event 44.
hide
Event 46:
Skipping " if". utime(path, &buf) < 0 evaluates to false.
hide
|
|
| 465 | | | ctx->failed = TRUE; |
| 466 | | | mail_storage_set_critical(storage, |
| 467 | | | "utime(%s) failed: %m", path); |
| 468 | | | } |
| 469 | | | } else if (ctx->fd != -1) { |
| 470 | | | if (fstat(ctx->fd, &st) == 0) |
| 471 | | | ctx->ctx.received_date = st.st_mtime;
x /usr/include/bits/stat.h |
| |
95 | # define st_mtime st_mtim.tv_sec |
| |
|
| 472 | | | else { |
| 473 | | | ctx->failed = TRUE; |
| 474 | | | mail_storage_set_critical(storage, |
| 475 | | | "fstat(%s) failed: %m", path); |
| 476 | | | } |
| 477 | | | } else { |
| 478 | | | |
| 479 | | | if (stat(path, &st) == 0) |
| 480 | | | ctx->ctx.received_date = st.st_mtime;
x /usr/include/bits/stat.h |
| |
95 | # define st_mtime st_mtim.tv_sec |
| |
|
| 481 | | | else { |
| 482 | | | ctx->failed = TRUE; |
| 483 | | | mail_storage_set_critical(storage, |
| 484 | | | "stat(%s) failed: %m", path); |
| 485 | | | } |
| 486 | | | } |
| 487 | | | |
| 488 | | | if (ctx->cur_dest_mail != NULL) { |
Event 47:
Skipping " if". ctx->cur_dest_mail != (void *)0 evaluates to false.
hide
|
|
| 489 | | | index_mail_cache_parse_deinit(ctx->cur_dest_mail, |
| 490 | | | ctx->ctx.received_date, |
| 491 | | | !ctx->failed); |
| 492 | | | } |
| 493 | | | i_stream_unref(&ctx->input); |
| 494 | | | |
| 495 | | | |
| 496 | | | ctx->file_last->size = _ctx->output->offset; |
| 497 | | | if (ctx->cur_dest_mail == NULL || |
Event 48:
Taking true branch. ctx->cur_dest_mail == (void *)0 evaluates to true.
hide
|
|
| 498 | | | mail_get_virtual_size(ctx->cur_dest_mail, |
| 499 | | | &ctx->file_last->vsize) < 0) |
| 500 | | | ctx->file_last->vsize = (uoff_t)-1; |
| 501 | | | |
| 502 | | | output_errno = _ctx->output->stream_errno; |
| 503 | | | o_stream_destroy(&_ctx->output); |
| 504 | | | |
| 505 | | | if (!ctx->mbox->ibox.fsync_disable && !ctx->failed) { |
Event 49:
Skipping " if". - ctx->mbox->ibox.fsync_disable evaluates to false.
- ctx->failed evaluates to true.
hide
|
|
| 506 | | | if (fsync(ctx->fd) < 0) { |
| 507 | | | if (!mail_storage_set_error_from_errno(storage)) { |
| 508 | | | mail_storage_set_critical(storage, |
| 509 | | | "fsync(%s) failed: %m", path); |
| 510 | | | } |
| 511 | | | ctx->failed = TRUE; |
| 512 | | | } |
| 513 | | | } |
| 514 | | | if (close(ctx->fd) < 0) { |
Event 50:
Skipping " if". close(ctx->fd) < 0 evaluates to false.
hide
|
|
| 515 | | | if (!mail_storage_set_error_from_errno(storage)) { |
| 516 | | | mail_storage_set_critical(storage, |
| 517 | | | "close(%s) failed: %m", path); |
| 518 | | | } |
| 519 | | | ctx->failed = TRUE; |
| 520 | | | } |
| 521 | | | ctx->fd = -1; |
| 522 | | | |
| 523 | | | if (ctx->failed) { |
Event 51:
Taking true branch. ctx->failed evaluates to true.
hide
|
|
| 524 | | | struct maildir_filename **fm; |
| 525 | | | |
| 526 | | | |
| 527 | | | if (unlink(path) < 0 && errno != ENOENT) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
|
Event 52:
path, which evaluates to the value assigned to ret at data-stack.c:335, is passed to unlink(). See related event 34.
hide
File System Race Condition
The file named path is accessed again. Another process may have changed the file since the access at maildir-save.c:464. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The issue can occur if the highlighted code executes. See related events 45 and 52. Show: All events | Only primary events |
|
| |