(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib-storage/index/mbox/mbox-sync.c) |
| |
| 1355 | | | static int (struct mbox_sync_context *sync_ctx) |
| 1356 | | | { |
| 1357 | | | struct mail_index_view *view; |
| 1358 | | | const struct stat *st; |
| 1359 | | | uint32_t first_recent_uid, seq, seq2; |
| 1360 | | | |
| 1361 | [+] | | st = i_stream_stat(sync_ctx->file_input, FALSE); |
 |
| 1362 | | | if (st == NULL) { |
Event 4:
Skipping the "if" body: st == (void *)0 evaluates to false.
|
|
| 1363 | | | mbox_set_syscall_error(sync_ctx->mbox, "i_stream_stat()"); |
| 1364 | | | return -1; |
| 1365 | | | } |
| 1366 | | | |
| 1367 | | | if (sync_ctx->moved_offsets && |
| 1368 | | | ((uint64_t)st->st_size == sync_ctx->mbox->mbox_hdr.sync_size || |
| 1369 | | | (uint64_t)st->st_size == sync_ctx->orig_size)) { |
| 1370 | | | |
| 1371 | | | |
| 1372 | | | |
| 1373 | | | |
| 1374 | | | |
| 1375 | | | |
| 1376 | | | |
| 1377 | | | |
| 1378 | | | |
| 1379 | | | |
| 1380 | | | |
| 1381 | | | |
| 1382 | | | while (sync_ctx->orig_mtime == st->st_mtime) {
x /usr/include/bits/stat.h |
| |
95 | # define st_mtime st_mtim.tv_sec |
| |
|
Event 7:
During loop iterations, the file named sync_ctx->mbox->path is accessed. The same name is used to access a file later, but it is not safe to assume that it will be the same underlying file.
Event 8:
Continuing from loop body. Entering loop body. sync_ctx->orig_mtime == st->st_mtim.tv_sec evaluates to true.
|
|
| 1383 | | | usleep(500000); |
| 1384 | | | if (utime(sync_ctx->mbox->path, NULL) < 0) { |
Event 10:
sync_ctx->mbox->path is passed to utime() as the first argument.
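File System Race Condition
The file named sync_ctx->mbox->path is accessed again. Another process may have changed the file since the access at mbox-sync.c:1382. For example, an attacker could replace the original file with a link to a file containing important or confidential data. The issue can occur if the highlighted code executes. See related events 7 and 10.
Triage note: in this listing the size and mtime are read with i_stream_stat() on the already-open input stream, while utime() resolves the path name again on every loop iteration, so the timestamp update is not guaranteed to reach the file that is being synced. utime(path, NULL) only sets the access and modification times to the current time, so the direct effect on a substituted target is a timestamp change rather than disclosure of its contents; whether this matters depends on who can write to the mailbox's directory. If a descriptor for the mailbox is already open at this point (not shown in this excerpt), a descriptor-based call such as futimens() avoids the second name lookup.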
|
| 1385 | | | mbox_set_syscall_error(sync_ctx->mbox, |
| 1386 | | | "utime()"); |
| 1387 | | | return -1; |
| 1388 | | | } |
| 1389 | | | |
| 1390 | | | st = i_stream_stat(sync_ctx->file_input, FALSE); |
| 1391 | | | if (st == NULL) { |
| |