(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/auth/auth.c) |
| |
| 206 | | | void auth_init(struct auth *auth) |
| 207 | | | { |
| 208 | | | struct auth_passdb *passdb; |
| 209 | | | struct auth_userdb *userdb; |
| 210 | | | const struct mech_module *mech; |
| 211 | | | const char *const *mechanisms; |
| 212 | | | const char *env; |
| 213 | | | |
| 214 | | | for (passdb = auth->masterdbs; passdb != NULL; passdb = passdb->next) |
Event 1:
Entering loop body. passdb != (void *)0 evaluates to true.
Event 2:
Continuing from loop body. Leaving loop. passdb != (void *)0 evaluates to false.
|
|
| 215 | | | passdb_init(passdb); |
| 216 | | | for (passdb = auth->passdbs; passdb != NULL; passdb = passdb->next) |
Event 3:
Leaving loop. passdb != (void *)0 evaluates to false.
|
|
| 217 | | | passdb_init(passdb); |
| 218 | | | for (userdb = auth->userdbs; userdb != NULL; userdb = userdb->next) |
Event 4:
Leaving loop. userdb != (void *)0 evaluates to false.
|
|
| 219 | | | userdb_init(userdb); |
| 220 | | | |
| 221 | | | if (!worker) |
Event 5:
Taking true branch. worker evaluates to false.
|
|
| 222 | | | passdb_cache_init(); |
| 223 | | | |
| 224 | | | auth->mech_handshake = str_new(auth->pool, 512); |
| 225 | | | |
| 226 | | | auth->anonymous_username = getenv("ANONYMOUS_USERNAME"); |
| 227 | | | if (auth->anonymous_username != NULL && |
Event 6:
Skipping "if". auth->anonymous_username != (void *)0 evaluates to false.
|
|
| 228 | | | *auth->anonymous_username == '\0') |
| 229 | | | auth->anonymous_username = NULL; |
| 230 | | | |
| 231 | | | |
| 232 | | | env = getenv("MECHANISMS"); |
| 233 | | | if (env == NULL) |
Event 7:
Skipping "if". env == (void *)0 evaluates to false.
|
|
| 234 | | | i_fatal("MECHANISMS environment is unset"); |
| 235 | | | |
| 236 | | | mechanisms = t_strsplit_spaces(env, " "); |
| 237 | | | while (*mechanisms != NULL) { |
Event 8:
Leaving loop. *mechanisms != (void *)0 evaluates to false.
|
|
| 238 | | | if (strcasecmp(*mechanisms, "ANONYMOUS") == 0) { |
| 239 | | | if (auth->anonymous_username == NULL) { |
| 240 | | | i_fatal("ANONYMOUS listed in mechanisms, " |
| 241 | | | "but anonymous_username not given"); |
| 242 | | | } |
| 243 | | | } |
| 244 | | | mech = mech_module_find(*mechanisms); |
| 245 | | | if (mech == NULL) { |
| 246 | | | i_fatal("Unknown authentication mechanism '%s'", |
| 247 | | | *mechanisms); |
| 248 | | | } |
| 249 | | | auth_mech_register(auth, mech); |
| 250 | | | |
| 251 | | | mechanisms++; |
| 252 | | | } |
| 253 | | | |
| 254 | | | if (auth->mech_modules == NULL) |
Event 9:
Skipping "if". auth->mech_modules == (void *)0 evaluates to false.
|
|
| 255 | | | i_fatal("No authentication mechanisms configured"); |
| 256 | | | auth_mech_list_verify_passdb(auth); |
| 257 | | | |
| 258 | | | env = getenv("REALMS"); |
| 259 | | | if (env == NULL) |
Event 10:
Skipping "if". env == (void *)0 evaluates to false.
|
|
| 260 | | | env = ""; |
| 261 | | | auth->auth_realms = p_strsplit_spaces(auth->pool, env, " "); |
| 262 | | | |
| 263 | | | env = getenv("DEFAULT_REALM"); |
| 264 | | | if (env != NULL && *env != '\0') |
Event 11:
Skipping "if". env != (void *)0 evaluates to false.
|
|
| 265 | | | auth->default_realm = env; |
| 266 | | | |
| 267 | | | env = getenv("USERNAME_CHARS"); |
| 268 | | | if (env == NULL || *env == '\0') { |
Event 12:
Taking true branch. env == (void *)0 evaluates to true.
|
|
| 269 | | | |
| 270 | | | memset(auth->username_chars, 1, sizeof(auth->username_chars)); |
| 271 | | | } else { |
| 272 | | | for (; *env != '\0'; env++) |
| 273 | | | auth->username_chars[(int)(uint8_t)*env] = 1; |
| 274 | | | } |
| 275 | | | |
| 276 | | | env = getenv("USERNAME_TRANSLATION"); |
Event 14:
Inside getenv(), *getenv("USERNAME_TRANSLATION") is set to a potentially dangerous value, i.e. one that cannot be determined and may come from program input. This value determines the position accessed in the buffer during the buffer overrun reported later.
Event 15:
env is set to getenv("USERNAME_TRANSLATION"). See related event 13.
|
|
| 277 | | | if (env != NULL) { |
Event 16:
Taking true branch. env != (void *)0 evaluates to true.
hide
|
|
| 278 | | | for (; *env != '\0' && env[1] != '\0'; env += 2) |
| 279 | | | auth->username_translation[(int)(uint8_t)*env] = env[1]; |
Buffer Overrun
This code could write past the end of the buffer pointed to by auth.
- The code writes 1 byte starting at offset *env + 300 from the beginning of the buffer pointed to by auth.
- The number of bytes written could exceed the number of allocated bytes beyond that offset.
- *env + 300 evaluates to *getenv("USERNAME_TRANSLATION") at auth.c:276, plus 300. See related events 14 and 15.
- The capacity of the buffer pointed to by auth, in bytes, is the capacity of the buffer pointed to by auth.
- If *env + 300 plus 1 is higher than the capacity of the buffer pointed to by auth, an overrun will occur. The analysis cannot rule out this possibility, so has issued this warning.
- Triage note: the index on line 279 is (int)(uint8_t)*env, so it is confined to 0–255 and the offset to 300–555. The write can leave the array only if username_translation has fewer than 256 elements. Its declaration is not shown in this listing, so confirm the array size in the definition of struct auth before treating this warning as a true positive.
The issue can occur if the highlighted code executes. See related events 14 and 15.
|
| |