(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/auth/userdb-static.c) |
| |
| 100 | | | void userdb_static_template_export(struct userdb_static_template *tmpl, |
| 101 | | | struct auth_request *auth_request) |
| 102 | | | { |
| 103 | | | const struct var_expand_table *table; |
| 104 | | | string_t *str; |
| 105 | | | const char *const *args, *value; |
| 106 | | | unsigned int i, count; |
| 107 | | | |
| 108 | | | str = t_str_new(256); |
| 109 | [+] | | table = auth_request_get_var_expand_table(auth_request, NULL); |
 |
| 110 | | | |
| 111 | [+] | | args = array_get(&tmpl->args, &count);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
156 | #define array_get(array, count) \ |
157 | ARRAY_TYPE_CAST_CONST(array)array_get_i(&(array)->arr, count) |
| |
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/array.h |
| |
43 | # define ARRAY_TYPE_CAST_CONST(array) \ |
44 | (typeof(*(array)->v)) |
| |
|
 |
| 112 | | | i_assert((count % 2) == 0);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
Event 11:
Skipping " if". count % 2 == 0 evaluates to true.
Event 12:
Skipping " if". !(count % 2 == 0) evaluates to false.
Event 13:
Skipping " if". !!(count % 2 == 0) evaluates to true.
Event 14:
Skipping " if". !!!(count % 2 == 0) evaluates to false.
Event 15:
Skipping " if". __builtin_expect(...) evaluates to false.
|
|
| 113 | | | for (i = 0; i < count; i += 2) { |
Event 16:
Entering loop body. i < count evaluates to true.
|
|
| 114 | | | if (args[i+1] == NULL) |
Event 17:
Taking true branch. args[i + 1] == (void *)0 evaluates to true.
|
|
| 115 | | | value = NULL; |
Event 18:
value is set to NULL; it is dereferenced later, causing the null pointer dereference.
|
|
| 116 | | | else { |
| 117 | | | str_truncate(str, 0); |
| 118 | | | var_expand(str, args[i+1], table); |
| 119 | | | value = str_c(str); |
| 120 | | | } |
| 121 | [+] | | auth_request_set_userdb_field(auth_request, args[i], value); |
Event 19:
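value, which evaluates to NULL, is passed to auth_request_set_userdb_field() as the third argument. See related event 18. The body of auth_request_set_userdb_field() is not shown in this trace, so whether the NULL is actually dereferenced has to be confirmed in the callee; lines 114-115 assign NULL deliberately, which suggests a NULL value may be an expected input there.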
|
|
 |
| |