(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/index/mbox/mbox-storage.c) |
| |
| 279 | | | mbox_get_list_settings(struct mailbox_list_settings *list_set, |
| 280 | | | const char *data, struct mail_storage *storage, |
| 281 | | | const char **layout_r, const char **error_r) |
| 282 | | | { |
| 283 | | | enum mail_storage_flags flags = storage->flags; |
| 284 | | | bool debug = (flags & MAIL_STORAGE_FLAG_DEBUG) != 0; |
Event 1:
(flags & MAIL_STORAGE_FLAG_DEBUG) != 0 evaluates to true.
hide
|
|
| 285 | | | const char *p; |
| 286 | | | struct stat st; |
| 287 | | | bool autodetect; |
| 288 | | | |
| 289 | | | *layout_r = "fs"; |
| 290 | | | |
| 291 | | | memset(list_set, 0, sizeof(*list_set)); |
| 292 | | | list_set->subscription_fname = MBOX_SUBSCRIPTION_FILE_NAME; |
| 293 | | | list_set->maildir_name = ""; |
| 294 | | | |
| 295 | | | autodetect = data == NULL || *data == '\0'; |
Event 2:
data == (void *)0 evaluates to false.
hide
Event 3:
*data == 0 evaluates to false.
hide
|
|
| 296 | | | if (autodetect) { |
Event 4:
Taking false branch. autodetect evaluates to false.
hide
|
|
| 297 | | | if ((flags & MAIL_STORAGE_FLAG_NO_AUTODETECTION) != 0) { |
| 298 | | | *error_r = "Root mail directory not given"; |
| 299 | | | return -1; |
| 300 | | | } |
| 301 | | | |
| 302 | | | |
| 303 | | | |
| 304 | | | |
| 305 | | | list_set->root_dir = get_root_dir(storage); |
| 306 | | | if (list_set->root_dir == NULL) { |
| 307 | | | *error_r = "Autodetection failed"; |
| 308 | | | return -1; |
| 309 | | | } |
| 310 | | | } else { |
| 311 | | | if (debug) |
Event 5:
Taking true branch. debug evaluates to true.
hide
|
|
| 312 | | | i_info("mbox: data=%s", data); |
| 313 | | | p = strchr(data, ':'); |
| 314 | | | if ((flags & MAIL_STORAGE_FLAG_NO_AUTODETECTION) == 0 && |
| 315 | | | p == NULL && data[strlen(data)-1] != '/') { |
| 316 | | | |
| 317 | [+] | | data = mail_user_home_expand(storage->ns->user, data); |
Event 7:
data is passed to mail_user_home_expand() as the second argument.
hide
|
|
 |
| 318 | | | if (stat(data, &st) < 0 || S_ISDIR(st.st_mode))
x /usr/include/sys/stat.h |
| |
131 | #define S_ISDIR(mode) __S_ISTYPE((mode), __S_IFDIR) |
| |
x /usr/include/sys/stat.h |
| |
129 | #define __S_ISTYPE(mode, mask) (((mode) & __S_IFMT) == (mask)) |
| |
x /usr/include/bits/stat.h |
| |
182 | #define __S_IFMT 0170000 /* These bits determine file type. */ |
| |
x /usr/include/bits/stat.h |
| |
185 | #define __S_IFDIR 0040000 /* Directory. */ |
| |
|
Event 11:
data is passed to stat64() as the first argument. See related event 10.
hide
Event 12:
stat64() accesses the file named data. - The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
See related event 11.
hide
|
|
| 319 | | | list_set->root_dir = data; |
Event 14:
list_set->root_dir is set to data. See related event 10.
hide
|
|
| 320 | | | else { |
| 321 | | | list_set->root_dir = get_root_dir(storage); |
| 322 | | | list_set->inbox_path = data; |
| 323 | | | } |
| 324 | | | } else if (strncmp(data, "INBOX=", 6) == 0) { |
| 325 | | | |
| 326 | | | *error_r = "Root mail directory not given"; |
| 327 | | | return -1; |
| 328 | | | } else { |
| 329 | | | if (mailbox_list_settings_parse(data, list_set, |
| 330 | | | storage->ns, |
| 331 | | | layout_r, NULL, |
| 332 | | | error_r) < 0) |
| 333 | | | return -1; |
| 334 | | | } |
| 335 | | | } |
| 336 | | | |
| 337 | | | if (list_set->root_dir == NULL || *list_set->root_dir == '\0') { |
| 338 | | | if ((flags & MAIL_STORAGE_FLAG_NO_AUTOCREATE) != 0) { |
| 339 | | | *error_r = "Root mail directory not given"; |
| 340 | | | return -1; |
| 341 | | | } |
| 342 | | | |
| 343 | | | list_set->root_dir = create_root_dir(storage, error_r); |
| 344 | | | if (list_set->root_dir == NULL) |
| 345 | | | return -1; |
| 346 | | | } else { |
| 347 | | | |
| 348 | | | if (lstat(list_set->root_dir, &st) == 0) { |
Event 16:
list_set->root_dir, which evaluates to data, is passed to lstat64() as the first argument. See related event 14.
hide
File System Race Condition
The file named list_set->root_dir is accessed again. Another process may have changed the file since the access at mbox-storage.c:318. For example, an attacker could replace the original file with a link to a file containing important or confidential data. - list_set->root_dir evaluates to data.
The issue can occur if the highlighted code executes. See related events 12 and 16. Show: All events | Only primary events |
|
| |