(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/deliver/auth-client.c) |
| |
| 58 | | | static int set_env(struct auth_user_reply *reply, |
| 59 | | | const char *user, uid_t euid) |
| 60 | | | { |
| 61 | | | const char *; |
| 62 | | | unsigned int len; |
| 63 | | | |
| 64 | | | if (reply->uid == 0) { |
Event 1:
Taking false branch. reply->uid == 0 evaluates to false.
hide
|
|
| 65 | | | i_error("userdb(%s) returned 0 as uid", user); |
| 66 | | | return -1; |
| 67 | | | } else if (reply->uid == (uid_t)-1) { |
Event 2:
Skipping " if". reply->uid == (uid_t)-1 evaluates to false.
hide
|
|
| 68 | | | if (getenv("MAIL_UID") != NULL) { |
| 69 | | | if (!parse_uid(getenv("MAIL_UID"), &reply->uid) || |
| 70 | | | reply->uid == 0) { |
| 71 | | | i_error("mail_uid setting is invalid"); |
| 72 | | | return -1; |
| 73 | | | } |
| 74 | | | } else { |
| 75 | | | i_error("User %s is missing UID (set mail_uid)", user); |
| 76 | | | return -1; |
| 77 | | | } |
| 78 | | | } |
| 79 | | | if (reply->gid == 0) { |
Event 3:
Taking false branch. reply->gid == 0 evaluates to false.
hide
|
|
| 80 | | | i_error("userdb(%s) returned 0 as gid", user); |
| 81 | | | return -1; |
| 82 | | | } else if (reply->gid == (gid_t)-1) { |
Event 4:
Taking true branch. reply->gid == (gid_t)-1 evaluates to true.
hide
|
|
| 83 | | | if (getenv("MAIL_GID") != NULL) { |
Event 5:
Taking true branch. getenv(...) != (void *)0 evaluates to true.
hide
|
|
| 84 | [+] | | if (!parse_gid(getenv("MAIL_GID"), &reply->gid) || |
Event 6:
getenv() returns NULL. - Dereferenced later, causing the null pointer dereference.
hide
Event 7:
getenv("MAIL_GID"), which evaluates to NULL, is passed to parse_gid() as the first argument. See related event 6.
hide
|
|
 |
| |