(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/index/maildir/maildir-sync.c) |
| |
| 276 | | | static int maildir_fix_duplicate(struct maildir_sync_context *ctx, |
| 277 | | | const char *dir, const char *fname2) |
| 278 | | | { |
| 279 | | | const char *fname1, *path1, *path2; |
| 280 | | | const char *new_fname, *new_path; |
| 281 | | | struct stat st1, st2; |
| 282 | | | |
| 283 | | | fname1 = maildir_uidlist_sync_get_full_filename(ctx->uidlist_sync_ctx, |
| 284 | | | fname2); |
| 285 | | | i_assert(fname1 != NULL);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
Event 1:
Skipping " if". fname1 != (void *)0 evaluates to true.
Event 2:
Skipping " if". !(fname1 != (void *)0) evaluates to false.
Event 3:
Skipping " if". !!(fname1 != (void *)0) evaluates to true.
Event 4:
Skipping " if". !!!(fname1 != (void *)0) evaluates to false.
Event 5:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 286 | | | |
| 287 | | | path1 = t_strconcat(dir, "/", fname1, NULL); |
| 288 | [+] | | path2 = t_strconcat(dir, "/", fname2, NULL); |
 |
| 289 | | | |
| 290 | | | if (stat(path1, &st1) < 0 || stat(path2, &st2) < 0) { |
Event 38:
Skipping " if". - stat(path1, &st1) < 0 evaluates to false.
- stat(path2, &st2) < 0 evaluates to false.
Event 39:
path2, which evaluates to the value assigned to ret at data-stack.c:335, is passed to stat64() as the first argument. See related event 37.
Event 40:
stat64() accesses the file named path2 (path2 is the value assigned to ret at data-stack.c:335). The same name is used to access a file later, but it is not safe to assume that the name will still refer to the same underlying file.
See related event 39.
|
|
| 291 | | | |
| 292 | | | |
| 293 | | | return 0; |
| 294 | | | } |
| 295 | | | if (st1.st_ino == st2.st_ino && |
Event 41:
Skipping " if". st1.st_ino == st2.st_ino evaluates to false.
|
|
| 296 | | | CMP_DEV_T(st1.st_dev, st2.st_dev)) {
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/compat.h |
| |
59 | # define CMP_DEV_T(a, b) (major(a) == major(b) && minor(a) == minor(b)) |
| |
x /usr/include/sys/sysmacros.h |
| |
65 | # define major(dev) gnu_dev_major (dev) |
| |
x /usr/include/sys/sysmacros.h |
| |
65 | # define major(dev) gnu_dev_major (dev) |
| |
x /usr/include/sys/sysmacros.h |
| |
66 | # define minor(dev) gnu_dev_minor (dev) |
| |
x /usr/include/sys/sysmacros.h |
| |
66 | # define minor(dev) gnu_dev_minor (dev) |
| |
|
| 297 | | | |
| 298 | | | |
| 299 | | | if (st1.st_nlink > 1 && st2.st_nlink == st1.st_nlink && |
| 300 | | | st1.st_ctime == st2.st_ctime &&
x /usr/include/bits/stat.h |
| |
96 | # define st_ctime st_ctim.tv_sec |
| |
x /usr/include/bits/stat.h |
| |
96 | # define st_ctime st_ctim.tv_sec |
| |
|
| 301 | | | st1.st_ctime < ioloop_time - DUPE_LINKS_DELETE_SECS) {
x /usr/include/bits/stat.h |
| |
96 | # define st_ctime st_ctim.tv_sec |
| |
|
| 302 | | | |
| 303 | | | |
| 304 | | | |
| 305 | | | |
| 306 | | | |
| 307 | | | |
| 308 | | | |
| 309 | | | |
| 310 | | | |
| 311 | | | |
| 312 | | | if (unlink(path2) == 0) |
| 313 | | | i_warning("Unlinked a duplicate: %s", path2); |
| 314 | | | else { |
| 315 | | | mail_storage_set_critical( |
| 316 | | | &ctx->mbox->storage->storage, |
| 317 | | | "unlink(%s) failed: %m", path2); |
| 318 | | | } |
| 319 | | | } |
| 320 | | | return 0; |
| 321 | | | } |
| 322 | | | |
| 323 | | | new_fname = maildir_filename_generate(); |
| 324 | | | new_path = t_strconcat(ctx->mbox->path, "/new/", new_fname, NULL); |
| 325 | | | |
| 326 | | | if (rename(path2, new_path) == 0) |
Event 42:
path2, which evaluates to the value assigned to ret at data-stack.c:335, is passed to rename() as the first argument. See related event 37.
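File System Race Condition
The file named path2 is accessed again. Another process may have changed the file since the access at maildir-sync.c:290. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The decision to reach rename() at line 326 rests on the stat() results taken at line 290 (the inode/device comparison at lines 295-296), while rename() acts on whatever directory entry the name path2 refers to at that later moment; this is a time-of-check/time-of-use gap (CWE-367). When triaging, note that the practical impact depends on whether an untrusted party can create or replace entries in dir, and that rename() operates on the directory entry itself rather than following a symbolic link placed there. The issue can occur if the highlighted code executes. See related events 40 and 42.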
|
| |