(/home/sate/Testcases/c/cve/dovecot-1.2.0/src/deliver/duplicate.c) |
| |
| 92 | | | duplicate_read_records(struct duplicate_file *file, struct istream *input, |
| 93 | | | unsigned int record_size) |
| 94 | | | { |
| 95 | | | const unsigned char *data; |
| 96 | | | struct hdr; |
| 97 | | | size_t size; |
| 98 | | | unsigned int change_count; |
| 99 | | | |
| 100 | | | change_count = 0; |
| 101 | [+] | | while (i_stream_read_data(input, &data, &size, record_size) > 0) { |
 |
| 102 | | | if (record_size == sizeof(hdr)) |
Event 4:
Taking true branch. record_size == sizeof( hdr ) evaluates to true.
|
|
| 103 | | | memcpy(&hdr, data, sizeof(hdr)); |
| 104 | | | else { |
| 105 | | | |
| 106 | | | time_t stamp; |
| 107 | | | |
| 108 | | | i_assert(record_size ==
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/macros.h |
| |
189 | #define i_assert(expr) STMT_START{ \ |
190 | if (unlikely(!(expr))) \ |
191 | i_panic("file %s: line %d (%s): assertion failed: (%s)", \ |
192 | __FILE__, \ |
193 | __LINE__, \ |
194 | __PRETTY_FUNCTION__, \ |
195 | #expr); }STMT_END |
| |
|
| 109 | | | sizeof(time_t) + sizeof(uint32_t)*2); |
| 110 | | | memcpy(&stamp, data, sizeof(stamp)); |
| 111 | | | hdr.stamp = stamp; |
| 112 | | | memcpy(&hdr.id_size, data + sizeof(time_t), |
| 113 | | | sizeof(hdr.id_size)); |
| 114 | | | memcpy(&hdr.user_size, |
| 115 | | | data + sizeof(time_t) + sizeof(uint32_t), |
| 116 | | | sizeof(hdr.user_size)); |
| 117 | | | } |
| 118 | | | i_stream_skip(input, record_size); |
| 119 | | | |
| 120 | | | if (hdr.id_size == 0 || hdr.user_size == 0 || |
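Event 5:
Skipping "if". All four conditions evaluate to false:
- hdr.id_size == 0 evaluates to false.
- hdr.user_size == 0 evaluates to false.
- hdr.id_size > 4096 evaluates to false.
- hdr.user_size > 4096 evaluates to false.
(4096 is the value the analyzer shows for DUPLICATE_BUFSIZE, which the condition on lines 121-122 compares against.)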
|
|
| 121 | | | hdr.id_size > DUPLICATE_BUFSIZE || |
| 122 | | | hdr.user_size > DUPLICATE_BUFSIZE) { |
| 123 | | | i_error("broken duplicate file %s", file->path); |
| 124 | | | return -1; |
| 125 | | | } |
| 126 | | | |
| 127 | | | if (i_stream_read_data(input, &data, &size, |
Event 6:
&data is passed to i_stream_read_data() as the second argument.
|
|
| 128 | [+] | | hdr.id_size + hdr.user_size - 1) <= 0) { |
 |
| 129 | | | i_error("unexpected end of file in %s", file->path); |
| 130 | | | return -1; |
| 131 | | | } |
| 132 | | | |
| 133 | | | if ((time_t)hdr.stamp >= ioloop_time) { |
Event 13:
Taking true branch. (time_t)hdr.stamp >= ioloop_time evaluates to true.
|
|
| 134 | | | |
| 135 | | | struct duplicate *d; |
| 136 | | | void *new_id; |
| 137 | | | |
| 138 | | | new_id = p_malloc(file->pool, hdr.id_size);
x /home/sate/Testcases/c/cve/dovecot-1.2.0/src/lib/mempool.h |
| |
87 | #define p_malloc(pool, size) (pool)->v->malloc(pool, size) |
| |
|
| 139 | | | memcpy(new_id, data, hdr.id_size); |
Event 14:
data, which evaluates to NULL, is passed to memcpy() as the second argument. See related event 10.
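Null Pointer Dereference
memcpy() dereferences its source argument, data, which is NULL on this path. The issue can occur if the highlighted code executes. See related event 14. The path requires the i_stream_read_data() call on lines 127-128 to return a value greater than 0 while leaving data NULL, because a return of 0 or less exits at line 130. Events 7-12, which trace that call, are not shown in this excerpt, so the feasibility of the path should be confirmed against i_stream_read_data() itself. |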
|
| |