(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-index/mail-index-strmap.c) |
| |
| 983 | | | static int mail_index_strmap_recreate(struct mail_index_strmap_view *view) |
| 984 | | | { |
| 985 | | | struct mail_index_strmap *strmap = view->strmap; |
| 986 | | | string_t *str; |
| 987 | | | struct ostream *output; |
| 988 | | | const char *temp_path; |
| 989 | | | int fd, ret = 0; |
| 990 | | | |
| 991 | [+] | | if (array_count(&view->recs) == 0) { |
 |
| 992 | | | |
| 993 | | | if (unlink(strmap->path) < 0 && errno != ENOENT)
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
|
| 994 | | | mail_index_strmap_set_syscall_error(strmap, "unlink()"); |
| 995 | | | return 0; |
| 996 | | | } |
| 997 | | | |
| 998 | [+] | | str = t_str_new(256); |
 |
| 999 | | | str_append(str, strmap->path); |
| 1000 | | | fd = safe_mkstemp_hostpid_group(str, view->view->index->mode, |
| 1001 | | | view->view->index->gid, |
| 1002 | [+] | | view->view->index->gid_origin); |
 |
| 1003 | [+] | | temp_path = str_c(str); |
Event 14:
str, which evaluates to the value assigned to buf at buffer.c:116, is passed to str_c(). See related event 7.
hide
|
|
 |
| 1004 | | | |
| 1005 | | | if (fd == -1) { |
Event 22:
Skipping " if". fd == -1 evaluates to false.
hide
|
|
| 1006 | | | mail_index_set_error(strmap->index, |
| 1007 | | | "safe_mkstemp_hostpid(%s) failed: %m", |
| 1008 | | | temp_path); |
| 1009 | | | return -1; |
| 1010 | | | } |
| 1011 | | | output = o_stream_create_fd(fd, 0, FALSE); |
| 1012 | | | o_stream_cork(output); |
| 1013 | | | mail_index_strmap_recreate_write(view, output); |
| 1014 | | | if (output->last_failed_errno != 0) { |
Event 23:
Skipping " if". output->last_failed_errno != 0 evaluates to false.
hide
|
|
| 1015 | | | errno = output->last_failed_errno; |
| 1016 | | | mail_index_set_error(strmap->index, |
| 1017 | | | "write(%s) failed: %m", temp_path); |
| 1018 | | | ret = -1; |
| 1019 | | | } |
| 1020 | | | o_stream_destroy(&output); |
| 1021 | | | if (close(fd) < 0) { |
Event 24:
Taking false branch. close(fd) < 0 evaluates to false.
hide
|
|
| 1022 | | | mail_index_set_error(strmap->index, |
| 1023 | | | "close(%s) failed: %m", temp_path); |
| 1024 | | | ret = -1; |
| 1025 | | | } else if (ret == 0 && rename(temp_path, strmap->path) < 0) { |
Event 26:
temp_path, which evaluates to the value assigned to buf->r_buffer at buffer.c:116, is passed to rename() as the first argument. See related event 21.
hide
Event 27:
rename() accesses the file named temp_path, where temp_path is the value assigned to buf->r_buffer at buffer.c:116. - The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
See related event 26.
hide
|
|
| 1026 | | | mail_index_set_error(strmap->index, |
| 1027 | | | "rename(%s, %s) failed: %m", |
| 1028 | | | temp_path, strmap->path); |
| 1029 | | | ret = -1; |
| 1030 | | | } |
| 1031 | | | if (ret < 0) |
Event 28:
Taking true branch. ret < 0 evaluates to true.
hide
|
|
| 1032 | | | (void)unlink(temp_path); |
Event 29:
temp_path, which evaluates to the value assigned to buf->r_buffer at buffer.c:116, is passed to unlink(). See related event 21.
hide
File System Race Condition
The file named temp_path is accessed again. Another process may have changed the file since the access at mail-index-strmap.c:1025. For example, an attacker could replace the original file with a link to a file containing important or confidential data. - temp_path evaluates to the value assigned to buf->r_buffer at buffer.c:116.
The issue can occur if the highlighted code executes. See related events 27 and 29. Show: All events | Only primary events |
|
| |