(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/index/cydir/cydir-storage.c) |
| |
| 239 | | | cydir_delete_nonrecursive(struct mailbox_list *list, const char *path, |
| 240 | | | const char *name) |
| 241 | | | { |
| 242 | | | DIR *dir; |
| 243 | | | struct dirent *d; |
| 244 | | | string_t *full_path; |
| 245 | | | unsigned int dir_len; |
| 246 | | | bool unlinked_something = FALSE; |
| 247 | | | |
| 248 | | | dir = opendir(path); |
Event 1:
path is passed to opendir().
hide
Event 2:
opendir() accesses the file named path. - The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
See related event 1.
hide
|
|
| 249 | | | if (dir == NULL) { |
Event 3:
Skipping " if". dir == (void *)0 evaluates to false.
hide
|
|
| 250 | | | if (!mailbox_list_set_error_from_errno(list)) { |
| 251 | | | mailbox_list_set_critical(list, |
| 252 | | | "opendir(%s) failed: %m", path); |
| 253 | | | } |
| 254 | | | return -1; |
| 255 | | | } |
| 256 | | | |
| 257 | | | full_path = t_str_new(256); |
| 258 | | | str_append(full_path, path); |
| 259 | | | str_append_c(full_path, '/'); |
| 260 | | | dir_len = str_len(full_path); |
| 261 | | | |
| 262 | | | errno = 0; |
| 263 | | | while ((d = readdir(dir)) != NULL) { |
| 264 | | | if (d->d_name[0] == '.') { |
| 265 | | | |
| 266 | | | if (d->d_name[1] == '\0') |
| 267 | | | continue; |
| 268 | | | if (d->d_name[1] == '.' && d->d_name[2] == '\0') |
| 269 | | | continue; |
| 270 | | | } |
| 271 | | | |
| 272 | | | str_truncate(full_path, dir_len); |
| 273 | | | str_append(full_path, d->d_name); |
| 274 | | | |
| 275 | | | |
| 276 | | | |
| 277 | | | |
| 278 | | | if (unlink(str_c(full_path)) == 0) |
| 279 | | | unlinked_something = TRUE; |
| 280 | | | else if (errno != ENOENT && errno != EISDIR && errno != EPERM) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
x /usr/include/asm-generic/errno-base.h |
| |
24 | #define EISDIR 21 /* Is a directory */ |
| |
x /usr/include/asm-generic/errno-base.h |
| |
4 | #define EPERM 1 /* Operation not permitted */ |
| |
|
| 281 | | | mailbox_list_set_critical(list, "unlink(%s) failed: %m", |
| 282 | | | str_c(full_path)); |
| 283 | | | } |
| 284 | | | } |
| 285 | | | |
| 286 | | | if (closedir(dir) < 0) { |
Event 6:
Skipping " if". closedir(dir) < 0 evaluates to false.
hide
|
|
| 287 | | | mailbox_list_set_critical(list, "closedir(%s) failed: %m", |
| 288 | | | path); |
| 289 | | | } |
| 290 | | | |
| 291 | | | if (rmdir(path) == 0) |
Event 7:
path is passed to rmdir().
hide
File System Race Condition
The file named path is accessed again. Another process may have changed the file since the access at cydir-storage.c:248. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The issue can occur if the highlighted code executes. See related events 2 and 7. Show: All events | Only primary events |
|
| |