File: /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/printf-format-fix.c

  6  static const char *
  7  fix_format_real(const char *fmt, const char *p, unsigned int *len_r)
  8  {
  9          const char *errstr;
 10          char *buf;
 11          unsigned int len1, len2, len3;
 12
 13          i_assert((size_t)(p - fmt) < INT_MAX);
Macro i_assert expanded from /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h:

189  #define i_assert(expr) STMT_START{ \
190          if (unlikely(!(expr))) \
191                  i_panic("file %s: line %d (%s): assertion failed: (%s)", \
192                          __FILE__, \
193                          __LINE__, \
194                          __PRETTY_FUNCTION__, \
195                          #expr); }STMT_END
Event 1:
Skipping " if". (size_t)(p - fmt) < 2147483647 evaluates to true.
Event 2:
Skipping " if". !((size_t)(p - fmt) < 2147483647) evaluates to false.
Event 3:
Skipping " if". !!((size_t)(p - fmt) < 2147483647) evaluates to true.
Event 4:
Skipping " if". !!!((size_t)(p - fmt) < 2147483647) evaluates to false.
Event 5:
Skipping " if". __builtin_expect(...) evaluates to false.
 14
 15          errstr = strerror(errno);
Event 7:
Inside strerror(), the length of the string pointed to by strerror(errno) is set to a potentially dangerous value (potentially dangerous: the value cannot be determined and may come from program input). This determines the position accessed in the buffer during the buffer overrun later.
Event 8:
errstr is set to strerror(errno). See related event 6.
 16
 17
 18
 19
 20          len1 = p - fmt;
Event 9:
len1 is set to an unknown value (unknown: the analysis lost precision when tracking this value, so this warning may be a false positive).
 21          len2 = strlen(errstr);
Event 10:
errstr, which evaluates to strerror(errno) from printf-format-fix.c:15, is passed to __builtin_strlen(). See related event 8.
Event 11:
__builtin_strlen() returns the length of the string pointed to by errstr, which evaluates to the length of the string pointed to by strerror(errno) at printf-format-fix.c:15. See related events 7 and 10.
Event 12:
len2 is set to strlen(errstr), which evaluates to the length of the string pointed to by strerror(errno) at printf-format-fix.c:15. See related event 11.
 22          len3 = strlen(p + 2);
 23
 24
 25          buf = t_buffer_get(len1 + len2 + len3 + 1);
 26          memcpy(buf, fmt, len1);
Event 30:
len1, which evaluates to the value assigned to len1 at printf-format-fix.c:20, is passed to memcpy() as the third argument. See related event 9.
Event 31:
buf, which evaluates to the value assigned to ret at data-stack.c:335, is passed to memcpy() as the first argument. See related event 29.
Event 32:
Considering the case where len1 is equal to 0. See related events 9 and 30.
 27          memcpy(buf + len1, errstr, len2);
Event 33:
len2, which evaluates to the length of the string pointed to by strerror(errno) at printf-format-fix.c:15, is passed to memcpy() as the third argument. See related event 12.
Event 34:
buf, which evaluates to the value assigned to ret at data-stack.c:335, is passed to memcpy() as the first argument. See related events 29, 31, and 32.
Buffer Overrun
This code could write past the end of the buffer pointed to by buf + len1.
- buf + len1 evaluates to the value assigned to ret at data-stack.c:335.
- memcpy() writes to the byte at offset len2 - 1 from the beginning of the buffer pointed to by buf + len1.
- The offset could exceed the capacity.
- len2 - 1 evaluates to the length of the string pointed to by strerror(errno) at printf-format-fix.c:15, minus 1, which is bounded below by 0. See related event 33.
- The capacity of the buffer pointed to by buf + len1, in bytes, is the value assigned to the capacity of the buffer pointed to by ret at data-stack.c:335. See related event 34.
- If len2 - 1 is the value assigned to the capacity of the buffer pointed to by ret at data-stack.c:335 or higher, an overrun will occur. The analysis cannot rule out this possibility, so it has issued this warning.
The issue can occur if the highlighted code executes. See related events 33 and 34.