(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/file-dotlock.c) |
| |
| 318 | | | static int try_create_lock_hardlink(struct lock_info *lock_info, bool write_pid, |
| 319 | | | string_t *tmp_path) |
| 320 | | | { |
| 321 | | | const char *temp_prefix = lock_info->set->temp_prefix; |
| 322 | | | const char *p; |
| 323 | | | mode_t old_mask; |
| 324 | | | |
| 325 | | | if (lock_info->temp_path == NULL) { |
Event 1:
Skipping " if". lock_info->temp_path == (void *)0 evaluates to false.
|
|
| 326 | | | |
| 327 | | | i_assert(lock_info->fd == -1);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
| 328 | | | |
| 329 | | | p = strrchr(lock_info->lock_path, '/'); |
| 330 | | | |
| 331 | | | str_truncate(tmp_path, 0); |
| 332 | | | if (temp_prefix != NULL) { |
| 333 | | | if (*temp_prefix != '/' && p != NULL) { |
| 334 | | | |
| 335 | | | str_append_n(tmp_path, lock_info->lock_path, |
| 336 359 |  | | [ Lines 336 to 359 omitted. ] |
| 360 | | | str_c(tmp_path)) < 0) { |
| 361 | | | (void)close(lock_info->fd); |
| 362 | | | lock_info->fd = -1; |
| 363 | | | return -1; |
| 364 | | | } |
| 365 | | | } |
| 366 | | | |
| 367 | | | lock_info->temp_path = str_c(tmp_path); |
| 368 | | | } |
| 369 | | | |
| 370 | | | if (nfs_safe_link(lock_info->temp_path, |
Event 3:
lock_info->temp_path is passed to nfs_safe_link() as the first argument.
|
|
| 371 | [+] | | lock_info->lock_path, TRUE) < 0) { |
Event 2:
Skipping " if". !0 evaluates to true.
|
|
 |
| 372 | | | if (errno == EEXIST) |
| 373 | | | return 0; |
| 374 | | | |
| 375 | | | if (errno != EACCES) {
x /usr/include/asm-generic/errno-base.h |
| |
16 | #define EACCES 13 /* Permission denied */ |
| |
|
| 376 | | | i_error("link(%s, %s) failed: %m", |
| 377 | | | lock_info->temp_path, lock_info->lock_path); |
| 378 | | | } |
| 379 | | | return -1; |
| 380 | | | } |
| 381 | | | |
| 382 | | | if (unlink(lock_info->temp_path) < 0) { |
Event 10:
lock_info->temp_path is passed to unlink().
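File System Race Condition (time-of-check to time-of-use, cf. CWE-367)
The file named lock_info->temp_path is accessed again. Another process may have changed the file since the access at nfs-workarounds.c:127. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The issue can occur if the highlighted code executes. See related events 7 and 10.
Note for triage: the flagged call is unlink(), which removes the directory entry itself and does not follow a symbolic link in the final path component. Whether this finding is exploitable therefore depends on whether an untrusted process can modify the directory that holds the temp file between the two accesses. That is determined by temp_prefix and the lock directory's ownership and permissions, which this excerpt does not fully show (lines 336 to 359 are omitted).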
|
| |