(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/auth/auth.c) |
| |
| 206 | | | void auth_init(struct auth *auth) |
| 207 | | | { |
| 208 | | | struct auth_passdb *passdb; |
| 209 | | | struct auth_userdb *userdb; |
| 210 | | | const struct mech_module *mech; |
| 211 | | | const char *const *mechanisms; |
| 212 | | | const char *env; |
| 213 | | | |
| 214 | | | for (passdb = auth->masterdbs; passdb != NULL; passdb = passdb->next) |
Event 1:
Leaving loop. passdb != (void *)0 evaluates to false.
| 215 | | | passdb_init(passdb); |
| 216 | | | for (passdb = auth->passdbs; passdb != NULL; passdb = passdb->next) |
Event 2:
Leaving loop. passdb != (void *)0 evaluates to false.
| 217 | | | passdb_init(passdb); |
| 218 | | | for (userdb = auth->userdbs; userdb != NULL; userdb = userdb->next) |
| 219 | | | userdb_init(userdb); |
| 220 | | | |
| 221 | | | if (!worker) |
Event 4:
Taking true branch. worker evaluates to false.
| 222 | | | passdb_cache_init(); |
| 223 | | | |
| 224 | | | auth->mech_handshake = str_new(auth->pool, 512); |
| 225 | | | |
| 226 | | | auth->anonymous_username = getenv("ANONYMOUS_USERNAME"); |
| 227 | | | if (auth->anonymous_username != NULL && |
| 228 | | | *auth->anonymous_username == '\0') |
| 229 | | | auth->anonymous_username = NULL; |
| 230 | | | |
| 231 | | | |
| 232 | | | env = getenv("MECHANISMS"); |
| 233 | | | if (env == NULL) |
Event 6:
Skipping " if". env == (void *)0 evaluates to false.
| 234 | | | i_fatal("MECHANISMS environment is unset"); |
| 235 | | | |
| 236 | | | mechanisms = t_strsplit_spaces(env, " "); |
| 237 | | | while (*mechanisms != NULL) { |
Event 7:
Leaving loop. *mechanisms != (void *)0 evaluates to false.
| 238 | | | if (strcasecmp(*mechanisms, "ANONYMOUS") == 0) { |
| 239 | | | if (auth->anonymous_username == NULL) { |
| 240 | | | i_fatal("ANONYMOUS listed in mechanisms, " |
| 241 | | | "but anonymous_username not given"); |
| 242 | | | } |
| 243 | | | } |
| 244 | | | mech = mech_module_find(*mechanisms); |
| 245 | | | if (mech == NULL) { |
| 246 | | | i_fatal("Unknown authentication mechanism '%s'", |
| 247 | | | *mechanisms); |
| 248 | | | } |
| 249 | | | auth_mech_register(auth, mech); |
| 250 | | | |
| 251 | | | mechanisms++; |
| 252 | | | } |
| 253 | | | |
| 254 | | | if (auth->mech_modules == NULL) |
Event 8:
Skipping " if". auth->mech_modules == (void *)0 evaluates to false.
| 255 | | | i_fatal("No authentication mechanisms configured"); |
| 256 | | | auth_mech_list_verify_passdb(auth); |
| 257 | | | |
| 258 | | | env = getenv("REALMS"); |
| 259 | | | if (env == NULL) |
Event 9:
Taking true branch. env == (void *)0 evaluates to true.
| 260 | | | env = ""; |
| 261 | | | auth->auth_realms = p_strsplit_spaces(auth->pool, env, " "); |
| 262 | | | |
| 263 | | | env = getenv("DEFAULT_REALM"); |
| 264 | | | if (env != NULL && *env != '\0') |
| 265 | | | auth->default_realm = env; |
| 266 | | | |
| 267 | | | env = getenv("USERNAME_CHARS"); |
Event 12:
Inside getenv(), *getenv("USERNAME_CHARS") is set to a potentially dangerous value (potentially dangerous: the value cannot be determined and may come from program input). This value determines the position accessed in the buffer in the buffer overrun reported later.
Event 13:
env is set to getenv("USERNAME_CHARS"). See related event 11.
| 268 | | | if (env == NULL || *env == '\0') { |
| 269 | | | |
| 270 | | | memset(auth->username_chars, 1, sizeof(auth->username_chars)); |
| 271 | | | } else { |
| 272 | | | for (; *env != '\0'; env++) |
Event 15:
Entering loop body. *env != 0 evaluates to true.
| 273 | | | auth->username_chars[(int)(uint8_t)*env] = 1; |
Buffer Overrun
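This code could write past the end of the buffer pointed to by auth.
- The code writes 1 byte starting at offset *env + 44 from the beginning of the buffer pointed to by auth; 44 is the offset the tool computed for the username_chars member that line 273 indexes.
- The number of bytes written could exceed the number of allocated bytes beyond that offset.
- *env + 44 evaluates to *getenv("USERNAME_CHARS") at auth.c:267, plus 44. See related events 12 and 13.
- The capacity of the buffer pointed to by auth, in bytes, is the capacity of the buffer pointed to by auth; the report gives no concrete size, so the analysis apparently treats the capacity as unknown.
- If *env + 44 plus 1 is higher than the capacity of the buffer pointed to by auth, an overrun will occur. The analysis cannot rule out this possibility, so has issued this warning.
- Triage note: the (uint8_t) cast on line 273 limits the index to 0–255 regardless of what USERNAME_CHARS contains, so the write stays inside username_chars whenever that array holds at least 256 elements. Its declaration is not part of this listing; confirm the array size in the struct auth definition before classifying the warning as a true or false positive.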
The issue can occur if the highlighted code executes. See related events 12 and 13.