(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/index/maildir/maildir-sync.c) |
| |
| 358 | | | static int maildir_scan_dir(struct maildir_sync_context *ctx, bool new_dir) |
| 359 | | | { |
| 360 | | | struct mail_storage *storage = &ctx->mbox->storage->storage; |
| 361 | | | const char *path; |
| 362 | | | DIR *dirp; |
| 363 | | | string_t *src, *dest; |
| 364 | | | struct dirent *dp; |
| 365 | | | struct stat st; |
| 366 | | | enum maildir_uidlist_rec_flag flags; |
| 367 | | | unsigned int i = 0, move_count = 0; |
| 368 | | | time_t now; |
| 369 | | | int ret = 1; |
| 370 | | | bool move_new, check_touch, dir_changed = FALSE; |
| 371 | | | |
| 372 | | | path = new_dir ? ctx->new_dir : ctx->cur_dir; |
Event 1:
new_dir evaluates to true.
Event 2:
path is set to new_dir ? ctx->new_dir : ctx->cur_dir, which evaluates to ctx->new_dir.
|
|
| 373 | | | for (i = 0;; i++) { |
Event 3:
On each iteration of the loop, the file named by path (here ctx->new_dir) is accessed. The same name is used to access a file again later, but it is not safe to assume that the name still refers to the same underlying file.
See related event 2.
|
|
| 374 | | | dirp = opendir(path); |
Event 4:
path, which evaluates to ctx->new_dir, is passed to opendir(). See related event 2.
File System Race Condition
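The file named by path (which evaluates to ctx->new_dir) is accessed again by name. Another process may have changed what that name refers to since the access at maildir-sync.c:373: opendir() resolves the path afresh on every call, so each retry of the loop can open a different directory from the one seen on the previous attempt. For example, an attacker could replace the original file with a link to a file containing important or confidential data.
Whether this is reachable in practice depends on who can write to the parent of ctx->new_dir, which this listing does not show. When triaging, check the permissions on the maildir and whether the code that follows works on the opened directory handle (for example via dirfd() and fstat()) or looks the path up by name again.
The issue can occur if the highlighted code executes. See related events 3 and 4.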
|
| 375 | | | if (dirp != NULL) |
| 376 | | | break; |
| 377 | | | |
| 378 | | | if (errno != ENOENT || i == MAILDIR_DELETE_RETRY_COUNT) {
x /usr/include/asm-generic/errno-base.h |
| |
5 | #define ENOENT 2 /* No such file or directory */ |
| |
|
| 379 | | | if (errno == EACCES) {
x /usr/include/asm-generic/errno-base.h |
| |
16 | #define EACCES 13 /* Permission denied */ |
| |
|
| 380 | | | mail_storage_set_critical(storage, "%s", |
| 381 | | | eacces_error_get("opendir", path)); |
| 382 | | | } else { |
| 383 | | | mail_storage_set_critical(storage, |
| 384 | | | "opendir(%s) failed: %m", path); |
| 385 | | | } |
| 386 | | | return -1; |
| 387 | | | } |
| 388 | | | |
| 389 | | | if (!maildir_set_deleted(ctx->mbox)) |
| |