(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/file-copy.c) |
| |
| 94 | | | int file_copy(const char *srcpath, const char *destpath, bool try_hardlink) |
| 95 | | | { |
| 96 | | | int ret; |
| 97 | | | |
| 98 | | | T_BEGIN {
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/data-stack.h |
| |
49 | #define T_BEGIN \ |
50 | STMT_START { unsigned int _data_stack_cur_id = t_push(); |
| |
|
| 99 | | | const char *tmppath; |
| 100 | | | |
| 101 | [+] | | tmppath = t_strconcat(destpath, ".tmp", NULL); |
 |
| 102 | | | |
| 103 | [+] | | ret = file_copy_to_tmp(srcpath, tmppath, try_hardlink); |
Event 33:
tmppath, which evaluates to the value assigned to ret at data-stack.c:335, is passed to file_copy_to_tmp() as the second argument. See related event 32.
hide
|
|
 |
| 104 | | | if (ret > 0) { |
Event 41:
Skipping " if". ret > 0 evaluates to false.
hide
|
|
| 105 | | | if (rename(tmppath, destpath) < 0) { |
| 106 | | | i_error("rename(%s, %s) failed: %m", |
| 107 | | | tmppath, destpath); |
| 108 | | | ret = -1; |
| 109 | | | } |
| 110 | | | } |
| 111 | | | if (ret < 0) |
Event 42:
Taking true branch. ret < 0 evaluates to true.
hide
|
|
| 112 | | | (void)unlink(tmppath); |
Event 43:
tmppath, which evaluates to the value assigned to ret at data-stack.c:335, is passed to unlink(). See related event 32.
hide
File System Race Condition
The file named tmppath is accessed again. Another process may have changed the file since the access at file-copy.c:28. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The issue can occur if the highlighted code executes. See related events 39 and 43. Show: All events | Only primary events |
|
| |