(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/auth/auth.c) |
| |
| 206 | | | void auth_init(struct auth *auth) |
| 207 | | | { |
| 208 | | | struct auth_passdb *passdb; |
| 209 | | | struct auth_userdb *userdb; |
| 210 | | | const struct mech_module *mech; |
| 211 | | | const char *const *mechanisms; |
| 212 | | | const char *env; |
| 213 | | | |
| 214 | | | for (passdb = auth->masterdbs; passdb != NULL; passdb = passdb->next) |
Event 1:
Entering loop body. passdb != (void *)0 evaluates to true.
Event 2:
Continuing from loop body. Leaving loop. passdb != (void *)0 evaluates to false.
|
|
| 215 | | | passdb_init(passdb); |
| 216 | | | for (passdb = auth->passdbs; passdb != NULL; passdb = passdb->next) |
Event 3:
Leaving loop. passdb != (void *)0 evaluates to false.
|
|
| 217 | | | passdb_init(passdb); |
| 218 | | | for (userdb = auth->userdbs; userdb != NULL; userdb = userdb->next) |
Event 4:
Leaving loop. userdb != (void *)0 evaluates to false.
|
|
| 219 | | | userdb_init(userdb); |
| 220 | | | |
| 221 | | | if (!worker) |
Event 5:
Taking true branch. worker evaluates to false.
|
|
| 222 | | | passdb_cache_init(); |
| 223 | | | |
| 224 | | | auth->mech_handshake = str_new(auth->pool, 512); |
| 225 | | | |
| 226 | | | auth->anonymous_username = getenv("ANONYMOUS_USERNAME"); |
| 227 | | | if (auth->anonymous_username != NULL && |
Event 6:
Skipping " if". auth->anonymous_username != (void *)0 evaluates to false.
|
|
| 228 | | | *auth->anonymous_username == '\0') |
| 229 | | | auth->anonymous_username = NULL; |
| 230 | | | |
| 231 | | | |
| 232 | | | env = getenv("MECHANISMS"); |
| 233 | | | if (env == NULL) |
Event 7:
Skipping " if". env == (void *)0 evaluates to false.
|
|
| 234 | | | i_fatal("MECHANISMS environment is unset"); |
| 235 | | | |
| 236 | | | mechanisms = t_strsplit_spaces(env, " "); |
| 237 | | | while (*mechanisms != NULL) { |
Event 8:
Leaving loop. *mechanisms != (void *)0 evaluates to false.
|
|
| 238 | | | if (strcasecmp(*mechanisms, "ANONYMOUS") == 0) { |
| 239 | | | if (auth->anonymous_username == NULL) { |
| 240 | | | i_fatal("ANONYMOUS listed in mechanisms, " |
| 241 | | | "but anonymous_username not given"); |
| 242 | | | } |
| 243 | | | } |
| 244 | | | mech = mech_module_find(*mechanisms); |
| 245 | | | if (mech == NULL) { |
| 246 | | | i_fatal("Unknown authentication mechanism '%s'", |
| 247 | | | *mechanisms); |
| 248 | | | } |
| 249 | | | auth_mech_register(auth, mech); |
| 250 | | | |
| 251 | | | mechanisms++; |
| 252 | | | } |
| 253 | | | |
| 254 | | | if (auth->mech_modules == NULL) |
Event 9:
Skipping " if". auth->mech_modules == (void *)0 evaluates to false.
|
|
| 255 | | | i_fatal("No authentication mechanisms configured"); |
| 256 | | | auth_mech_list_verify_passdb(auth); |
| 257 | | | |
| 258 | | | env = getenv("REALMS"); |
| 259 | | | if (env == NULL) |
Event 10:
Skipping " if". env == (void *)0 evaluates to false.
|
|
| 260 | | | env = ""; |
| 261 | | | auth->auth_realms = p_strsplit_spaces(auth->pool, env, " "); |
| 262 | | | |
| 263 | | | env = getenv("DEFAULT_REALM"); |
| 264 | | | if (env != NULL && *env != '\0') |
Event 11:
Skipping " if". env != (void *)0 evaluates to false.
|
|
| 265 | | | auth->default_realm = env; |
| 266 | | | |
| 267 | | | env = getenv("USERNAME_CHARS"); |
| 268 | | | if (env == NULL || *env == '\0') { |
Event 12:
Taking true branch. env == (void *)0 evaluates to true.
|
|
| 269 | | | |
| 270 | | | memset(auth->username_chars, 1, sizeof(auth->username_chars)); |
| 271 | | | } else { |
| 272 | | | for (; *env != '\0'; env++) |
| 273 | | | auth->username_chars[(int)(uint8_t)*env] = 1; |
| 274 | | | } |
| 275 | | | |
| 276 | | | env = getenv("USERNAME_TRANSLATION"); |
Event 14:
Inside getenv(), *getenv("USERNAME_TRANSLATION") is set to a potentially dangerous value (potentially dangerous: the value cannot be determined and may come from program input). This value determines the array index used in the type overrun reported later.
Event 15:
env is set to getenv("USERNAME_TRANSLATION"). See related event 13.
|
|
| 277 | | | if (env != NULL) { |
Event 16:
Taking true branch. env != (void *)0 evaluates to true.
|
|
| 278 | | | for (; *env != '\0' && env[1] != '\0'; env += 2) |
| 279 | | | auth->username_translation[(int)(uint8_t)*env] = env[1]; |
Type Overrun
The code could write outside auth->username_translation (but inside *auth). - The type of auth->username_translation is char[256].
- The index is *env. See related events 14 and 15.
- *env evaluates to *getenv("USERNAME_TRANSLATION") at auth.c:276.
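- If *env is 256 or greater, an overrun will occur. The analysis cannot rule out the possibility of *env taking on one or more of these dangerous values, so it has issued this warning. Note that the index expression at auth.c:279 is (int)(uint8_t)*env, so the index is confined to 0–255 and stays inside the char[256] array; on that basis the warning appears to be a false positive. The uint8_t cast is also what keeps the index from going negative on platforms where char is signed, so it should not be removed.
The issue can occur if the highlighted code executes. See related events 14 and 15.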
|
| |